Symantec 2004 Pulse of IT Security in Canada
Volume II
Survey shows Increases in Concern and Spending for IT Security
Andrew Bisson, Director, Planning and Market Analysis
Branham Group
May 11, 2004
Agenda
• Survey Objective/Scope
• Survey Results
  • Importance of IT Security
  • Risk of Attack
  • Disclosing a Security Breach
  • Resolving a Security Breach
  • IT Virus Infections
  • Managing IT Security
  • Monitoring for IT Security Breaches
  • Investment in IT Security
• Summary
Survey Objective/Scope
Objective: Gauge the awareness, priority and understanding of IT Security in Canada
Target Audience: Senior IT Executives from Canadian Financial Post 800 Companies and Leading Canadian Universities & Colleges
Timeframe: February - March 2004
Total Respondents: 150
• VP IT/IS: 99
• CIO: 27
• CTO: 3
• CFO: 13
• CSO: 8
Concern for IT Security is on the Rise!
Survey Results
ALL respondents identified IT Security as an area of importance
65.5% ranked security amongst top 5 corporate priorities
55.4% of respondents from FP800 Companies are more concerned about IT Security than they were 12 months ago (3.57% Less, 41.1% Unchanged)
Importance of IT Security
[Chart: Level of Concern; categories: More, Less, Unchanged; y-axis: % of Respondents; series: 2003, 2004; n=74 (2003); n=112 (2004)]
2004 Top 3 IT Security Concerns:
• Unauthorized Access by Insiders
• Viruses
• Identity Theft
2003 Top 3 IT Security Concerns:
• Hackers
• Unauthorized Access
• Viruses
[Chart: IT Security Threat Concerns (Based on Top 3 Concerns); x-axis: # of Responses; n=107. Categories: SPAM; Theft of Sensitive Information; Denial of Service Attacks; External Unauthorized Access; Identity Theft; Viruses (incl. Worms); Unauthorized Access by Insiders]
Risk of Attack
Risk of Attack was rated low
• Today: weighted average of 4.10 (10 being the highest risk and 1 being the lowest)
• Consistent with 2003 result of 4.12
• In 12 Months: weighted average of 4.18
Top 3 Drivers for attention to IT Security:
• Data/Information Protection
• Lost Revenue
• Negative Publicity
Disclosing a Security Breach
39.3% claimed they would admit to a security breach while 35.7% would not
• Consistent with 2003 results: 41.3% would admit to a breach vs. 37.3% who would not
79.5% of those that would admit to a breach have been a target (unauthorized access, viruses, etc.).
• Only 19.4% admitted to being a target in 2003!
[Chart: Growth in Security Breaches; categories: 2003, 2004; y-axis: % of Respondents; n=31 (2003); n=44 (2004)]
Disclosing a Security Breach
Top 3 Security Breaches: SPAM, Unauthorized Access by Insiders, Denial of Service Attacks
[Chart: IT Security Breach Experiences; x-axis: % of Respondents; n=36. Categories: None; Other; External Unauthorized Access; Identity Theft; Theft of Sensitive Information; Financial Fraud; Eavesdropping / Spying / Probing; Virus / Worms; Denial of Service Attacks; Unauthorized Access by Insiders; SPAM]
Resolving a Security Breach
Top 3 Departments Involved in Resolving a Breach:
• Information Technology (IT); Human Resources; Legal
Top 3 Costs of Resolving a Security Breach:
• 67%: $0-$10K; 17%: $10K-$50K; 11%: $50K-$100K
[Chart: Annual Cost Estimates of IT Security Breaches; x-axis: $0–$10K, $10K–$50K, $50K–$100K, $100K–$500K, $500K–$1M, $1M+; y-axis: % of Respondents; n=36]
IT Virus Infections
Top 3 Categories for Frequency of Virus Infections:
• Quarterly: 24.5%
• Never: 23.5%
• Yearly: 19.6%
Perceived Threats
• Lost Revenue
• Lost Employee Productivity
[Chart: Estimated Cost Attributed to Virus Outbreak; x-axis: Average Cost ($0-$5K, $5K-$10K, $10K-$50K, $50K-$100K, $100K-$500K, $500K+); y-axis: % of Respondents; n=86]
Managing IT Security
86.5% of FP800 respondents have implemented an IT Security Policy
The majority of IT Security Issues are dealt with internally
[Chart: IT Security Responsibility; n=98. Segments: Internal IT Generalist; Internal IT Security Expert; Security Partner/Vendor; No Designated Department/Person. Values shown: 31%, 45%, 13%, 11%]
Monitoring for IT Security Breaches
64.5% of respondents claim that 100% of their network is being monitored for intrusions (11.8% don’t monitor at all)
62.8% of respondents claim to review their Firewall logs for inappropriate activity Daily (22.5% weekly)
89.8% of respondents claim to monitor their critical application servers for non-authorized access/use
27.3% of respondents claim to run vulnerability assessment scans of their networks and critical services annually (19.3% quarterly, 18.2% monthly, 15.9% weekly, 11.3% daily)
37.4% of respondents claim to run penetration testing on their infrastructure annually (23.1% quarterly, 13.2% never)
80.6% of respondents claim to have a formal procedure to manage vulnerabilities and implement patches
69.4% of respondents claim to have developed an incident response plan that would be initiated should a security breach occur.
Investment in IT Security
IT Security Spend rose in 2004 and is expected to continue to rise going into 2005
On average 7.6% of the IT Budget for FP800 Companies is dedicated to IT Security
[Chart: IT Security as a % of IT Budget; categories: Increased, Decreased, Unchanged; y-axis: % of Respondents; series: Previous 12 Months, Next 12 Months; n=106]
[Chart: IT Security Deployment and Investment Trends; x-axis: % of Respondents; series: 2004 Invest (n=101), 2004 Deployed (n=107), 2003 (n=75). Categories: Other; Data Forensic Tools; Real-time 24/7 Information Security Monitoring; Physical Access Management incl. Biometrics; Security Information Management; Early Warning Security Threat Notifications; Incident Response Team; Intrusion Detection System; Anti-SPAM; Security Training; Security Standards / Policies; Anti-virus; Firewall]
Summary
Canada’s leading IT executives are more concerned about IT Security than they were a year ago; however, few see their organizations as being at significant risk of attack
IT attacks are on the rise; however, IT executives continue to be reluctant to disclose breaches
Concerns for Identity Theft are on the rise
Denial of Service Attacks are on the rise
Investment in IT Security Training is on the rise
A majority of FP800 respondents have implemented an IT Security Policy
IT Security Investments continue to rise, albeit at a slower pace…
Contact
Andrew Bisson
Director, Planning and Market Analysis
Tel: (613) 745-2282 ext 17
E-mail: [email protected]
www.branhamgroup.com