
Page 1: Security Beyond the Traditional Perimeter - …info.brandprotect.com/hubfs/Ponemon_External_Threat_2016_Final...Security Beyond the Traditional Perimeter ... phishing/social engineering

Security Beyond the Traditional Perimeter

Ponemon Institute© Research Report

Sponsored by BrandProtect™ Independently conducted by Ponemon Institute LLC Publication Date: July 2016


Ponemon Institute: Private & Confidential Report 1

Security Beyond the Traditional Perimeter Ponemon Institute: July 2016

Part 1. Introduction

Ponemon Institute is pleased to present the findings of Security Beyond the Traditional Perimeter, sponsored by BrandProtect™. The purpose of this study is to understand companies’ ability to analyze and mitigate online incidents and cyber attacks that are beyond the traditional security perimeter. In the context of this survey, external threats are those that arise outside the company’s traditional firewall/security perimeter and use online channels (email, social media, mobile apps, or domains) as their primary attack technology. These threats may or may not cross the firewall as they are perpetrated. Examples of external threats include socially engineered attacks, executive impersonations, brand-based attacks with ransomware, malware, or other payloads, rogue social domain activity, hacktivism/activism and activities which violate compliance or regulatory requirements.

In this study, we surveyed 591 IT and IT security practitioners in the United States. Sixty-five percent of these respondents are either CISOs (20 percent) or IT security operations (45 percent).

Participants in this study agree external threats put companies’ ability to continue their operations in peril. As shown in Figure 1, 62 percent of respondents say external threats are more difficult to detect than internal threats within the security perimeter, and 52 percent of respondents say they are more difficult to contain than internal threats within the security perimeter.

The following are four important takeaways from this study.

1. Security processes for Internet and social media monitoring are non-existent, partially deployed or inconsistently deployed, according to 79 percent of respondents.

2. The protection of intellectual property from external threats is essential or very important to the sustainability of their companies, according to 59 percent of respondents.

3. External attacks are frequent and the financial costs of external attacks are significant. The 505 enterprises and financial institutions surveyed experienced an average of more than one cyber attack each month and spent an average of almost $3.5 million annually to deal with attacks. This is consistent with other Ponemon Institute research.¹

¹ 2016 Cost of Data Breach: United States, sponsored by IBM, May 2016, revealed that the average total cost paid to resolve a data breach involving lost or stolen records is $7.01 million. The State of Cybersecurity in Healthcare Organizations in 2016, sponsored by ESET, February 2016, found that healthcare organizations experience an average of almost one cyber attack per month and spend $1.32 million on DDoS attacks per year.

Figure 1. Perceptions about the difficulty in detecting and containing external threats (Strongly Agree and Agree responses combined)

External threats are more difficult to detect than internal threats within the security perimeter: 62%
External threats are more difficult to contain than internal threats within the security perimeter: 52%


4. A lack of necessary tools and resources in most organizations diminishes the ability to respond to external threats. Only 42 percent of respondents believe their company has the tools to mitigate external threats. The lack of tools also affects the ability to monitor, analyze and understand external threats. Specifically, only 41 percent of respondents say they have the tools and resources necessary to analyze and understand external threats and only 39 percent of respondents believe their companies have tools to monitor external threats.


Part 2. Key findings

In this section, we provide an analysis of the findings. The complete audited findings are presented in the Appendix of this report. We have organized this report according to the following topics:

- Understanding the threat
- Monitoring of external threats
- Impact of external threats
- Ability to deal with external threats
- Special analysis: Industry differences
- Special analysis: Position level differences

Understanding the threat

Companies in this study experience an average of more than one external attack each month. Respondents say their companies have experienced an average of 32 material attacks against employees, executives, physical assets, locations and IP or brand/reputation over the past 24 months. As shown in Figure 2, the 505 enterprises and financial institutions surveyed report that an average of 30 percent of these attacks were perpetrated via the Internet or social media.

Figure 2. What percent of material attacks were perpetrated via the Internet or social media? (Extrapolated value = 30 percent)

None: 8%
Less than 10%: 17%
10 to 25%: 29%
26 to 50%: 27%
51 to 75%: 12%
76 to 100%: 7%


Cyber exploits and data loss are most likely to occur. When asked to rank nine external threat vectors in terms of the likelihood of occurrence in their organizations, respondents named cyber threats and incidents and data loss or theft as the primary threats, as shown in Figure 3. Also likely to occur are branded exploits against customers and the public, compliance/regulatory incidents and phishing/social engineering attacks.

Figure 3. The likelihood of nine external threat vectors occurring (9 = most likely to 1 = least likely)

Cyber threats and incidents: 8.21
Data loss or theft: 7.99
Branded exploits against customers and the public: 6.78
Compliance/regulatory incidents: 6.24
Phishing/social engineering attacks: 5.03
Denial of service: 4.11
Hacktivism/activism/event/physical threats: 3.42
Domain-based threats/cyber-attack infrastructure creation: 2.32
Executive threats/impersonations: 1.91


The number one worry about an external attack is reputational damage. As shown in Figure 4, 51 percent of respondents say they worry most about reputational damage following an external attack. Forty percent of respondents say they are concerned about branded exploits and 33 percent say compliance/regulatory incidents are a concern.

Figure 4. What external threats worry your organization the most? (Three choices permitted)

Reputational damage: 51%
Branded exploits: 40%
Compliance/regulatory incidents: 33%
Hacktivism/activism: 31%
Phishing/social engineering attacks: 29%
Executive masquerades/employee or agent impersonations: 24%
Physical/event threats: 20%
Domain threats/cyber-infrastructure: 20%
Social domains: 19%
Social data leaks: 17%
Corporate identity theft: 16%


Monitoring of external threats

Monitoring the Internet and social media is critical to gaining intelligence about external threats, but few companies have a formal process in place. According to Figure 5, 38 percent of respondents say their companies do not monitor the Internet and social media to determine the external threats their companies face. Only 17 percent of respondents say they have a formal process in place that is applied consistently across the entire enterprise. As mentioned above, an average of 30 percent of external attacks are carried out through the Internet or social media (see Figure 2).

Figure 5. How do you monitor the Internet and social media in order to gain actionable intelligence about external threats?

We don’t have a process or approach: 38%
Our process or approach is informal or “ad hoc”: 23%
We have a formal process in place, but it is not applied consistently across the enterprise: 18%
We have a formal process in place that is applied consistently across the entire enterprise: 17%
Cannot determine: 4%


Monitoring for social engineering activity and cyber incidents is considered critical. While many companies represented in this study are not monitoring the Internet or social media, certain activities are considered essential or very important to detecting and containing external threats against a company. According to Figure 6, the most important activities are: monitoring mobile apps (62 percent of respondents), monitoring for social engineering activity or reconnaissance (61 percent of respondents), monitoring cyber incidents (60 percent of respondents), monitoring branded exploits (59 percent of respondents), monitoring for spear-phishing infrastructure (58 percent of respondents) and monitoring phishing scams (57 percent of respondents).

Figure 6. The most important external monitoring activities to achieve a strong security posture (Essential and Very Important responses combined)

Activity: Essential / Very important (combined)

Monitoring mobile apps: 29% / 33% (62%)
Monitoring for social engineering activity or reconnaissance: 30% / 31% (61%)
Monitoring cyber incidents: 26% / 34% (60%)
Monitoring branded exploits: 25% / 34% (59%)
Monitoring for spear-phishing infrastructure: 25% / 33% (58%)
Monitoring phishing scams: 24% / 33% (57%)
Monitoring high value targets (such as C-level executives): 23% / 31% (54%)
Monitoring compliance: 23% / 29% (52%)
Monitoring Internet domain names: 21% / 30% (51%)
Monitoring for others masquerading as employees or agents: 20% / 28% (48%)
Monitoring physical incidents: 11% / 27% (38%)


To strengthen security posture, companies should collect phishing IP address data. According to Figure 7, 60 percent of respondents say phishing IP addresses are considered essential or very important to reducing external threats. Also important are malicious mobile app details (59 percent of respondents), rogue domain data (54 percent of respondents) and malicious Twitter handles (52 percent of respondents).

Figure 7. What threat intelligence is critical to a strong security posture? (Essential and Very important responses combined)

Threat intelligence: Essential / Very important (combined)

Phishing IP addresses: 29% / 31% (60%)
Malicious mobile app details: 26% / 33% (59%)
Rogue domain data: 21% / 33% (54%)
Malicious Twitter handles: 25% / 27% (52%)
Threat actor profiles and aliases: 21% / 30% (51%)
Social media accounts with the same owner(s): 19% / 27% (46%)
Phishing kit data: 16% / 29% (45%)


Cyber threat monitoring is forecasted to increase within the next 24 months. Respondents were asked what security services are implemented for the perimeter, infrastructure and outside the perimeter today and what services will be implemented in the next two years. These services included those in-house and outsourced. Figures 8a and 8b address the security services in the perimeter. As shown, 45 percent of respondents say they have firewall monitoring and 27 percent say they deploy internal network monitoring. The outsourcing of internal network monitoring will increase significantly. Today, 23 percent of respondents say they outsource internal network monitoring and this is expected to increase, according to 37 percent of respondents.

Figure 8a. Security implementation today (perimeter)

Service: In house / Outsourced

Firewall monitoring: 45% / 35%
Internal network monitoring: 27% / 23%

Figure 8b. Security implementation in two years (perimeter)

Service: In house / Outsourced

Firewall monitoring: 47% / 35%
Internal network monitoring: 31% / 37%


Figures 8c and 8d address security implementation in the infrastructure. Today, the services most often deployed in house are internal cyber threat monitoring (34 percent of respondents) and compliance monitoring (32 percent of respondents). These are expected to increase according to 42 percent and 41 percent of respondents, respectively. With the exception of threat analyst teams, most of the respondents say the outsourcing of these services in the infrastructure will increase significantly. Specifically, 24 percent of respondents say their organizations outsource internal cyber threat awareness training and in two years 38 percent of respondents say it will be outsourced.

Figure 8c. Security implementation today (infrastructure)

Service: In house / Outsourced

Internal cyber threat awareness training: 34% / 24%
Security incident and event management: 30% / 19%
Incorporation of external threat feeds: 27% / 23%
Security operations center: 25% / 20%
Threat analyst team: 24% / 17%
24/7 Security operations: 24% / 20%

Figure 8d. Security implementation in two years (infrastructure)

Service: In house / Outsourced

Incorporation of external threat feeds: 42% / 31%
Security operations center: 41% / 31%
Security incident and event management: 41% / 30%
Internal cyber threat awareness training: 34% / 38%
24/7 Security operations: 30% / 30%
Threat analyst team: 29% / 18%


Figures 8e and 8f address security implementations outside the perimeter today and in two years. Services outside the perimeter are expected to increase both in house and outsourced. The most significant increase is in cyber threat monitoring according to 51 percent of respondents. The outsourcing of social media monitoring is expected to increase significantly. Today 11 percent of respondents say social media monitoring is outsourced and this is expected to increase, according to 39 percent of respondents. More organizations represented in this research believe the outsourcing of external domain monitoring will increase significantly.

Figure 8e. Security implementation today (outside the perimeter)

Service: In house / Outsourced

Cyber threat monitoring: 33% / 23%
Compliance monitoring: 32% / 17%
Anti phishing: 30% / 16%
External domain monitoring: 22% / 20%
Employee/agent monitoring: 20% / 15%
Social media monitoring: 19% / 11%

Figure 8f. Security implementation in two years (outside the perimeter)

Service: In house / Outsourced

Cyber threat monitoring: 51% / 45%
Compliance monitoring: 39% / 24%
Anti phishing: 36% / 24%
Employee/agent monitoring: 35% / 21%
Social media monitoring: 24% / 19%
External domain monitoring: 22% / 39%


Insufficient risk awareness is the main barrier to having an effective monitoring approach. Eighty-three percent of respondents believe their organizations are not effective in monitoring the Internet and social media. As shown in Figure 9, the main barriers to achieving a more effective monitoring approach are insufficient risk awareness (50 percent of respondents), lack of knowledgeable staff (45 percent of respondents) and lack of technologies and tools (43 percent of respondents).

Figure 9. The main barriers to achieving an effective process for monitoring the Internet and social media (Three choices permitted)

Insufficient risk awareness: 50%
Lack of knowledgeable staff: 45%
Lack of technologies and tools: 43%
Not considered a priority issue: 42%
Existence of silos and turf issues: 39%
Lack of leadership: 25%
Lack of funding: 21%
Complexity of IT processes: 18%
Complexity of business processes: 17%

As shown in Figure 10, 57 percent of respondents currently outsource the monitoring of the Internet and social media (35 percent), plan to do so in the next year (11 percent) or in the next two years (10 percent). Despite the lack of in-house expertise and technologies (as shown above), 40 percent of respondents say their organizations are not looking to outsource the monitoring of the Internet and social media.

Figure 10. Does your organization outsource, or plan to outsource, the monitoring of the Internet and social media?

Yes, we do so now: 35%
Yes, we plan to do so in the next 12 months: 11%
Yes, we plan to do so in the next 24 months: 10%
No, we don’t plan to do so: 40%
Unsure: 4%


Impact of external threats

External attacks have a revenue, operational and reputational impact on companies. Respondents were asked to rate the impact of external attacks on revenue, operations and reputation on a scale of 1 = most significant to 9 = least significant. As presented in Figure 11, the external attacks that have the greatest reputational impact are branded exploits against customers and the public and hacktivism/activism/physical threats (1.88 and 2.34, respectively). The external attacks that have the greatest revenue impact are data loss or theft, branded exploits against customers and the public and denial of service (1.67, 2.22 and 2.79, respectively). The external attacks that have the greatest operational impact are data loss or theft and denial of service (1.90 and 2.17, respectively). Over the past two years, an average of almost $7 million was spent as a result of material attacks against employees, executives, physical assets, locations, IP or brand/reputation.

Figure 11. The impact of external attacks on revenue, operations and reputation (9 = most significant to 1 = least significant)

Threat: Revenue impact / Operational impact / Reputational impact

Data loss or theft: 8.33 / 8.10 / 6.01
Branded exploits against customers and the public: 7.78 / 6.75 / 8.12
Denial of service: 7.21 / 7.83 / 2.08
Cyber threats and incidents: 6.16 / 5.96 / 3.30
Hacktivism/activism/event/physical threats: 5.44 / 2.32 / 7.66
Domain-based threats/cyber-attack infrastructure creation: 4.99 / 4.14 / 1.77
Executive threats/impersonations: 3.30 / 2.17 / 6.39
Phishing/social engineering attacks: 2.12 / 1.78 / 4.37
Compliance/regulatory incidents: 1.81 / 4.86 / 4.65


Senior executives recognize the risk of external threats to reputation. According to Figure 12, 60 percent of respondents say their organizations’ leaders recognize that external threats could affect reputation. Fifty-two percent of respondents say their leaders agree revenues could be affected by external threats and 47 percent say these threats could affect the safety and well-being of key employees.

Figure 12. Perceptions about the risk of external threats (Strongly agree and Agree responses combined)

Leaders recognize that external threats could affect reputation: 60%
Leaders recognize that external threats could affect revenues: 52%
Leaders recognize that external threats could affect the safety and well-being of key employees: 47%


External threats put companies’ sustainability in peril. According to Figure 13, 59 percent of respondents say the protection of intellectual property from external threats is essential or very important to the sustainability of their companies. Other crucial business objectives that should be part of an external threat management program are: expanding into new global markets (55 percent of respondents) and minimizing non-compliance with laws (53 percent of respondents).

Figure 13. Objectives critical to sustainability (Essential and Very Important responses combined)

Objective: Essential / Very important (combined)

Protecting intellectual property: 28% / 31% (59%)
Expanding into new global markets: 25% / 30% (55%)
Minimizing non-compliance with laws: 22% / 31% (53%)
Ensuring the safety of employees, executives and the public at live events: 21% / 27% (48%)
Protecting the public from third parties attacking them through branded exploits: 19% / 29% (48%)
Maximizing customer acquisition: 23% / 25% (48%)
Enhancing brand value and reputation: 20% / 27% (47%)
Increasing revenues and positive cash flow: 18% / 29% (47%)
Maximizing employee productivity: 16% / 30% (46%)
Protecting executives from physical or reputational harm: 20% / 25% (45%)
Maximizing shareholder value: 16% / 23% (39%)


Ability to respond to external threats

A lack of necessary tools and resources in most organizations diminishes the ability to respond to external threats. According to Figure 14, only 42 percent of respondents believe their company has the tools to mitigate external threats. The lack of tools also affects the ability to monitor, analyze and understand external threats. Specifically, only 41 percent of respondents say they have the tools and resources necessary to analyze and understand external threats, and only 39 percent of respondents believe their companies have tools to monitor external threats.

Figure 14. Perceptions about the ability to respond to external threats (Strongly agree and Agree responses combined)

My organization has the tools and resources necessary to mitigate external threats: 42%
My organization has the tools and resources necessary to analyze and understand external threats: 41%
My organization has the tools and resources necessary to monitor external threats: 39%


Actionable intelligence is vital to the detection and containment of external threats. Respondents were asked what factors help companies quickly detect and contain external attacks, from 1 = most important to 7 = least important. As shown in Figure 15, the factors most critical to responding to external threats are actionable intelligence, resilience and a strong security posture.

Figure 15. Factors that contribute to the ability to quickly detect and contain external attacks (7 = most important to 1 = least important)

Actionable intelligence: 6.53
Resilience: 6.01
Strong security posture: 4.87
Expert staff: 4.15
Leadership: 3.55
Ample resources: 2.31
Agility: 1.67


The CIOs’ and CISOs’ responsibility for threats stops at the perimeter. Responsibility for directing efforts to minimize exposure to business risk stemming from threats on the network or at the security perimeter is concentrated in the chief information officer and chief information security officer functions (36 percent and 21 percent of respondents, respectively), as shown in Figure 16. In contrast, responsibility for external threats is most often given to the lines of business or to no one person.

Figure 16. Responsibility for minimizing exposure to business risks stemming from external threats

Role: Responsibility for threats on the network or at the security perimeter / Responsibility for external threats

Chief information officer (CIO): 36% / 13%
Chief information security officer (CISO): 21% / 16%
Line of business (LOB) leader: 12% / 21%
No one person has overall responsibility: 12% / 19%
Chief technology officer (CTO): 8% / 2%
General counsel: 5% / 9%
Chief risk officer (CRO): 3% / 5%
Chief executive officer (CEO): 2% / 3%
Chief financial officer (CFO): 1% / 0%
Chief digital officer (CDO): 0% / 6%
Chief compliance officer (CCO): 0% / 5%
Chief operating officer (COO): 0% / 1%


Further, as shown in Figure 17, only 36 percent of respondents say their companies’ security leader (CISO) is very involved (12 percent of respondents) or has some involvement (24 percent of respondents) in the collection and evaluation of intelligence obtained from the Internet and social media.

Figure 17. How involved is the security leader in the collection and evaluation of intelligence obtained from the Internet and social media?

Yes, very involved: 12%
Yes, some involvement: 24%
No, minimal involvement: 30%
Not involved: 34%


Special analysis: Industry differences

In this section of the report, we provide a deeper analysis of how respondents in the financial services, health and pharma, industrial and manufacturing, public sector, services and retailing industries view the external threat. According to the findings, the financial services industry is most prepared to monitor and reduce external threats. The following are some key differences.

According to Figure 18, the financial services industry is most likely to have a formal monitoring process. In contrast, the services and industrial and manufacturing industries are less likely to have such a process.

Figure 18. Our organization has a formal process for monitoring the Internet and social media (Strongly agree and Agree responses combined)

Financial services: 26%
Retail: 18%
Public sector: 17%
Health & pharma: 16%
Services: 16%
Industrial & manuf: 11%


As shown in Figure 19, 50 percent of respondents in financial services believe they have the tools and resources necessary to monitor external threats. In contrast, only 34 percent of respondents in health and pharma believe they have such tools and resources. Forty-seven percent of respondents in financial services also agree they have the tools and resources necessary to mitigate external threats. Only 29 percent of respondents in health and pharma believe they have the tools and resources to mitigate external threats. Respondents in the retail industry are the most confident in their ability to analyze and understand external threats.

Figure 19. Perceptions about ability to monitor and reduce the risk of external threats (Strongly agree and Agree responses combined)

Industry: tools and resources necessary to monitor external threats / to analyze and understand external threats / to mitigate external threats

Financial services: 50% / 44% / 47%
Public sector: 42% / 42% / 42%
Retail: 41% / 45% / 35%
Industrial & manuf: 41% / 38% / 39%
Services: 36% / 39% / 41%
Health & pharma: 34% / 26% / 29%


Special analysis: Position level differences

Are perceptions about external threats influenced by the role and position of respondents? We divided the sample of 591 respondents between those who hold a position below director (471 respondents) and those who hold the position of director and above (120 respondents). Following are the most interesting differences between those two groups.

According to Figure 20, respondents in the trenches who hold a position at or below manager are more confident in their organizations’ ability to monitor and reduce external threats than those at director and above. The biggest gaps between these two groups are having the tools and resources necessary to monitor external threats (44 percent vs. 36 percent of respondents) and having the tools and resources to mitigate external threats (41 percent vs. 32 percent of respondents).

Figure 20. Perceptions about ability to monitor and reduce external threats (Strongly agree and Agree responses combined)

Statement: Manager & below / Director & above

My organization has the tools and resources necessary to monitor external threats: 44% / 36%
My organization has the tools and resources necessary to analyze and understand external threats: 42% / 38%
My organization has the tools and resources necessary to mitigate external threats: 41% / 32%


Both groups agree the ability to monitor for a variety of threats is critical to detecting and containing external threats. As shown in Figure 21, more senior-level respondents believe monitoring mobile apps, spear-phishing infrastructure and branded exploits are essential or very important (72 percent, 65 percent and 64 percent of respondents, respectively). Respondents who are most often in the trenches (managers and below) believe monitoring for social engineering activity or reconnaissance, cyber incidents and mobile apps (62 percent, 61 percent and 59 percent of respondents, respectively) are essential or very important.

Figure 21. Important Internet and social media monitoring activities
Essential and Very important responses combined

Monitoring activity                                            Manager & below   Director & above
Monitoring physical incidents                                        37%               42%
Monitoring Internet domain names                                     50%               53%
Monitoring compliance                                                52%               54%
Monitoring phishing scams                                            58%               54%
Monitoring for others masquerading as employees or agents            46%               56%
Monitoring for social engineering activity or reconnaissance         62%               58%
Monitoring cyber incidents                                           61%               58%
Monitoring high value targets (such as C-level executives)           53%               60%
Monitoring branded exploits                                          58%               64%
Monitoring for spear-phishing infrastructure                         56%               65%
Monitoring mobile apps                                               59%               72%


Managers and below consider the most important threat intelligence data to be phishing IP addresses and malicious mobile app details. More senior-level respondents consider rogue domain data and phishing IP addresses to provide the most important insights into dealing with external threats, as shown in Figure 22.

Figure 22. Most important threat intelligence data
Essential and Very important responses combined

Threat intelligence data                            Manager & below   Director & above
Social media accounts with the same owner(s)              48%               40%
Malicious twitter handles                                 53%               47%
Phishing kit data                                         44%               47%
Threat actor profiles and aliases                         52%               48%
Malicious mobile app details                              61%               51%
Phishing IP addresses                                     62%               54%
Rogue domain data                                         53%               57%


Part 3. Methods

A sampling frame of 15,440 IT and IT security practitioners in the United States was selected as participants in the research. Table 1 shows 629 total returns. Screening and reliability checks required the removal of 38 surveys. Our final sample consisted of 591 surveys, or a 3.8 percent response rate.

Table 1. Sample response
                                 Freq      Pct%
Sampling frame                 15,440    100.0%
Total returns                     629      4.1%
Rejected or screened surveys       38      0.2%
Final sample                      591      3.8%

Pie Chart 1 reports the respondent's position level within participating organizations. By design, more than half of the respondents (63 percent) are at or above the supervisory levels.

Pie Chart 1. Position level within the organization
C-level executive        2%
Executive/VP             2%
Director                16%
Manager                 21%
Supervisor              15%
Staff/technician        37%
Administrative           3%
Consultant/contractor    4%

According to Pie Chart 2, 74 percent of the respondents are from organizations with a global headcount of more than 1,000 employees.

Pie Chart 2. Full-time headcount of the global organization
Less than 500           11%
500 to 1,000            15%
1,001 to 5,000          27%
5,001 to 10,000         17%
10,001 to 25,000        12%
25,001 to 75,000        10%
More than 75,000         8%


Pie Chart 3 reports the industry classification of respondents' organizations. This chart identifies financial services (18 percent of respondents) as the largest segment, followed by health and pharmaceutical (11 percent of respondents), industrial and manufacturing (11 percent of respondents) and public sector (10 percent of respondents).

Pie Chart 3. Primary industry classification
Financial services             18%
Industrial & manufacturing     11%
Health & pharmaceuticals       11%
Services                       10%
Public sector                  10%
Retail                          9%
Technology & software           7%
Energy & utilities              6%
Consumer                        6%
Transportation                  3%
Communications                  3%
Entertainment & media           2%
Education & research            2%
Other                           2%

Part 4. Caveats to this study

There are inherent limitations to survey research that need to be carefully considered before drawing inferences from findings. The following items are specific limitations that are germane to most Web-based surveys.

- Non-response bias: The current findings are based on a sample of survey returns. We sent surveys to a representative sample of individuals, resulting in a large number of usable returned responses. Despite non-response tests, it is always possible that individuals who did not participate are substantially different in terms of underlying beliefs from those who completed the instrument.

- Sampling-frame bias: The accuracy is based on contact information and the degree to which the list is representative of individuals who are IT and IT security practitioners located in the United States. We also acknowledge that the results may be biased by external events such as media coverage. Finally, because we used a Web-based collection method, it is possible that non-Web responses by mailed survey or telephone call would result in a different pattern of findings.

- Self-reported results: The quality of survey research is based on the integrity of confidential responses received from subjects. While certain checks and balances can be incorporated into the survey process, there is always the possibility that a subject did not provide accurate responses.


Appendix: Detailed Survey Results

The following tables provide the frequency or percentage frequency of responses to all survey questions contained in this study. All survey responses were captured in June 2016.

Survey response
                                 Freq      Pct%
Total sampling frame           15,440    100.0%
Total returns                     629      4.1%
Rejected or screened surveys       38      0.2%
Final sample                      591      3.8%

Part 1. Screening

S1. What best describes your organizational role or area of focus?
                                        Pct%
IT security leader (CISO)                20%
IT security operations (SecOps)          45%
Data center management                    5%
IT security threat analyst               19%
IT risk management                        5%
Enterprise risk management                6%
None of the above (stop)                  0%
Total                                   100%

S2. Please check all the activities that you see as part of your job or role.
                                        Pct%
Managing budgets                         44%
Evaluating vendors                       39%
Setting priorities                       41%
Securing systems                         70%
Ensuring compliance                      46%
Ensuring system availability             30%
None of the above (stop)                  0%
Total                                   270%

S3. What best describes the maturity stage of your organization's IT security program?
                                                                          Pct%
Non-existent – we don't have a program (stop)                              0%
Early stage – most program activities have not as yet been deployed       19%
Middle stage – most program activities are only partially deployed        29%
Late-middle stage – most program activities are fully deployed            27%
Mature stage – all program activities are fully deployed                  21%
Unable to determine                                                        4%
Total                                                                    100%

S4. What best describes the maturity stage of your organization's IT security program or activities around external threats?
                                                                          Pct%
Non-existent – we don't have a program (stop)                              0%
Early stage – most program activities have not as yet been deployed       29%
Middle stage – most program activities are only partially deployed        36%
Late-middle stage – most program activities are fully deployed            20%
Mature stage – all program activities are fully deployed                  11%
Unable to determine                                                        4%
Total                                                                    100%


Part 2. Attributions & background

Q1. Please rank order the following nine threat vectors in terms of their revenue impact on your organization. 1 = Most significant to 9 = least significant.
                                                             Average rank   Rank order
Branded exploits against customers and the public                 2.22           2
Compliance/regulatory incidents                                   8.19           9
Cyber threats and incidents                                       3.84           4
Domain-based threats/cyber-attack infrastructure creation         5.01           6
Data loss or theft                                                1.67           1
Denial of Service                                                 2.79           3
Executive threats / Impersonations                                6.70           7
Hacktivism/activism/event/physical threats                        4.56           5
Phishing/social engineering attacks                               7.88           8

Q2. Please rank order the following nine threat vectors in terms of their operational impact on your organization. 1 = Most significant to 9 = least significant.
                                                             Average rank   Rank order
Branded exploits against customers and the public                 3.25           3
Compliance/regulatory incidents                                   5.14           5
Cyber threats and incidents                                       4.04           4
Domain-based threats/cyber-attack infrastructure creation         5.86           6
Data loss or theft                                                1.90           1
Denial of Service                                                 2.17           2
Executive threats / impersonations                                7.83           8
Hacktivism/activism/event/physical threats                        7.68           7
Phishing/Social engineering attacks                               8.22           9

Q3. Please rank order the following nine threat vectors in terms of their reputational impact on your organization. 1 = Most significant to 9 = least significant.
                                                             Average rank   Rank order
Branded exploits against customers and the public                 1.88           1
Compliance/regulatory incidents                                   5.35           5
Cyber threats and incidents                                       6.70           7
Domain-based threats/cyber-attack infrastructure creation         8.23           9
Data loss or theft                                                3.99           4
Denial of Service                                                 7.92           8
Executive threats / Impersonations                                3.61           3
Hacktivism/activism/event/physical threats                        2.34           2
Phishing/social engineering attacks                               5.63           6

Q4. Please rank order the following nine threat vectors in terms of their likelihood of occurrence in your organization. 1 = Most likely to 9 = least likely.
                                                             Average rank   Rank order
Branded exploits against customers and the public                 3.22           3
Compliance/regulatory incidents                                   3.76           4
Cyber threats and incidents                                       1.79           1
Domain-based threats/cyber-attack infrastructure creation         7.68           8
Data loss or theft                                                2.01           2
Denial of Service                                                 5.89           6
Executive threats / impersonations                                8.09           9
Hacktivism/activism/event/physical threats                        6.58           7
Phishing/social engineering attacks                               4.97           5


Please provide your opinion about each one of the following statements using the five-point scale provided below each item. % Strongly agree and Agree response.
                                                                                              Strongly agree   Agree
Q5. My organization's leaders recognize that external threats could affect revenues.                19%        33%
Q6. My organization's leaders recognize that external threats could affect the safety and
    well-being of key employees.                                                                     17%        30%
Q7. My organization's leaders recognize that external threats could affect reputation.               25%        35%
Q8. My organization has the tools and resources necessary to monitor external threats.               16%        26%
Q9. My organization has the tools and resources necessary to mitigate external threats.              15%        24%
Q10. My organization has the tools and resources necessary to analyze and understand
     external threats.                                                                               15%        26%
Q11. My organization has the expert personnel necessary to mitigate external threats.                16%        24%
Q12. External threats in my organization are more difficult to detect than internal threats
     within the security perimeter.                                                                  26%        36%
Q13. External threats in my organization are more difficult to contain than internal threats
     within the security perimeter.                                                                  23%        29%

Q14. What factors contribute to your organization's ability to ensure external threats are detected and quickly contained? Please rank these seven factors from 1 = most to 7 = least important.
                              Average rank   Rank order
Agility                            6.33           7
Resilience                         1.99           2
Actionable intelligence            1.47           1
Strong security posture            3.13           3
Expert staff                       3.85           4
Ample resources                    5.69           6
Leadership                         4.45           5

Q15. What external threats worry your organization the most? Please select your top three choices.
                                                              Pct%
Reputational damage                                            51%
Branded exploits                                               40%
Compliance/regulatory incidents                                33%
Hacktivism/activism                                            31%
Phishing/social engineering attacks                            29%
Executive masquerades/employee or agent impersonations         24%
Domain threats/cyber-infrastructure                            20%
Physical/event threats                                         20%
Social domains                                                 19%
Social data leaks                                              17%
Corporate identity theft                                       16%
Total                                                         300%


Following is a list of eight common business objectives critical to the sustainability for most companies. Using the scale, please rate the importance of external threat management in helping to achieve each stated objective. % Essential and Very important response.
                                                                               Essential   Very important
Q16a. Maximizing shareholder value                                                 16%          23%
Q16b. Maximizing customer acquisition                                              23%          25%
Q16c. Minimizing non-compliance with laws                                          22%          31%
Q16d. Maximizing employee productivity                                             16%          30%
Q16e. Increasing revenues and positive cash flow                                   18%          29%
Q16f. Expanding into new global markets                                            25%          30%
Q16g. Protecting intellectual property                                             28%          31%
Q16h. Enhancing brand value and reputation                                         20%          27%
Q16i. Protecting the public from third parties attacking them through
      branded exploits                                                             19%          29%
Q16j. Protecting executives from physical or reputational harm                     20%          25%
Q16k. Ensuring the safety of employees, executives and the public at live events   21%          27%

Q17a. Who has overall responsibility for directing your organization's efforts to minimize exposure to business risks stemming from external threats? Check one best choice.
                                                    Pct%
Chief compliance officer (CCO)                        5%
Chief digital officer (CDO)                           6%
Chief executive officer (CEO)                         3%
Chief financial officer (CFO)                         0%
Chief information officer (CIO)                      13%
Chief information security officer (CISO)            16%
Chief operating officer (COO)                         1%
Chief risk officer (CRO)                              5%
Chief technology officer (CTO)                        2%
General counsel                                       9%
Line of business (LOB) leader                        21%
No one person has overall responsibility             19%
Total                                               100%

Q17b. Who has overall responsibility for directing your organization's efforts to minimize exposure to business risk stemming from threats on the network or at the security perimeter? Please check one best choice.
                                                    Pct%
Chief compliance officer (CCO)                        0%
Chief digital officer (CDO)                           0%
Chief executive officer (CEO)                         2%
Chief financial officer (CFO)                         1%
Chief information officer (CIO)                      36%
Chief information security officer (CISO)            21%
Chief operating officer (COO)                         0%
Chief risk officer (CRO)                              3%
Chief technology officer (CTO)                        8%
General counsel                                       5%
Line of business (LOB) leader                        12%
No one person has overall responsibility             12%
Total                                               100%


Q18. For the following departments or functions, please characterize the working relationship that exists between the department or function and your organization's security team. Please use the following scale: 1 = collaboration is excellent, 2 = collaboration is adequate, 3 = collaboration is poor or non-existent.
                            1 = Excellent   3 = Poor
Compliance                        20%          29%
Customer Support                  13%          33%
Executive Suite                   15%          36%
Information Technology            23%          27%
Investor Relations                16%          33%
Legal                             16%          30%
Marketing                         11%          40%

Q19a. Please check one statement that best describes your organization's approach for monitoring the Internet and social media in order to gain actionable intelligence about external threats.
                                                                                         Pct%
We have a formal process in place that is applied consistently across the entire enterprise   17%
We have a formal process in place, but it is not applied consistently across the enterprise   18%
Our process or approach is informal or "ad hoc"                                               23%
We don't have a process or approach                                                           38%
Cannot determine                                                                               4%
Total                                                                                        100%

Q19b. [If you have a formal process] Using the following 10-point scale, please rate the effectiveness of your organization's process for monitoring the Internet and social media to gain actionable intelligence about external threats.
                       Pct%
1 or 2                  14%
3 or 4                  27%
5 or 6                  42%
7 or 8                   9%
9 or 10                  8%
Total                  100%
Extrapolated value     4.90

Q19c. [For ratings below 7] What do you see as the main barriers to achieving a highly effective process for monitoring the Internet and social media to gain intelligence about external threats? Please select your top three choices.
                                       Pct%
Insufficient risk awareness             50%
Lack of knowledgeable staff             45%
Lack of technologies and tools          43%
Not considered a priority issue         42%
Existence of silos and turf issues      39%
Lack of leadership                      25%
Lack of funding                         21%
Complexity of IT processes              18%
Complexity of business processes        17%
Other (please specify)                   0%
Total                                  300%


Q20. Is your organization's security leader (CISO) directly involved in the collection and evaluation of intelligence obtained from the Internet and social media?
                             Pct%
Yes, very involved            12%
Yes, some involvement         24%
No, minimal involvement       30%
Not involved                  34%
Total                        100%

Q21a. In the past 24 months, how many times has your organization experienced material attacks against employees, executives, physical assets, locations, IP or brand/reputation?
                             Pct%
Zero                           5%
1 to 10                       21%
11 to 25                      30%
26 to 50                      27%
51 to 100                     11%
More than 100                  6%
Total                        100%
Extrapolated value           32.2

Q21b. What percent of the above material attacks were perpetrated via the Internet or social media?
                             Pct%
None                           8%
Less than 10%                 17%
10 to 25%                     29%
26 to 50%                     27%
51 to 75%                     12%
76 to 100%                     7%
Total                        100%
Extrapolated value            30%

Part 3. Estimating costs

Q22. What is the estimated total cost that your organization expended as a result of material attacks against employees, executives, physical assets, locations, IP or brand/reputation over the past 24 months? Your best guess is welcome.
                                       Pct%
Zero                                     0%
Less than $10,000                        2%
$10,001 to $100,000                      4%
$100,001 to $250,000                    13%
$250,001 to $500,000                    12%
$500,001 to $1,000,000                  13%
$1,000,001 to $5,000,000                24%
$5,000,001 to $10,000,000               15%
$10,000,001 to $25,000,000              12%
$25,000,001 to $50,000,000               3%
$50,000,001 to $100,000,000              2%
More than $100,000,000                   0%
Total                                  100%
Extrapolated value               $6,737,630


Q23. Using all 100 points provided, please allocate your total cost estimate according to what you see as the most appropriate proportion for each one of the six cost categories mentioned above. Note that the total point allocation must sum to 100 for each column.
                                                         Points
Cost of technical support                                    12
Cost of forensics to determine the root causes                9
Cost of employees' idle time and lost productivity           25
Revenues lost or diminished                                  13
Cost associated with reputation and brand damage             25
Cost associated with compliance or regulatory failure        16
Total points (must allocate 100 points)                     100

Part 4. Other questions

Q24. Does your organization outsource, or plan to outsource, the monitoring of the Internet and social media to gain intelligence about external threats?
                                                  Pct%
Yes, we do so now                                  35%
Yes, we plan to do so in the next 12 months        11%
Yes, we plan to do so in the next 24 months        10%
No, we don't plan to do so                         40%
Unsure                                              4%
Total                                             100%

Q25. Following are device, Internet and social media monitoring activities that may be important for detecting and containing external threats against your organization. Please rate the importance of each monitoring activity in terms of achieving a strong security posture. % Essential and Very important response.
                                                                      Essential   Very important
Q25a. Monitoring Internet domain names                                    21%          30%
Q25b. Monitoring branded exploits                                         25%          34%
Q25c. Monitoring mobile apps                                              29%          33%
Q25d. Monitoring phishing scams                                           24%          33%
Q25e. Monitoring physical incidents                                       11%          27%
Q25f. Monitoring cyber incidents                                          26%          34%
Q25g. Monitoring for spear-phishing infrastructure                        25%          33%
Q25h. Monitoring for others masquerading as employees or agents           20%          28%
Q25i. Monitoring compliance                                               23%          29%
Q25j. Monitoring high value targets (such as C-level executives)          23%          31%
Q25k. Monitoring for social engineering activity or reconnaissance        30%          31%


Q26. Please describe your organization's current security implementation. Specifically, which of these capabilities do you deploy (either in house or outsourced)? Please leave blank if the given security capability is not deployed at present.
                                                          In house   Outsourced
24/7 Security Operations                                     24%         20%
Anti phishing                                                30%         16%
Compliance monitoring                                        32%         17%
Cyber threat monitoring                                      33%         23%
Employee/agent monitoring                                    20%         15%
External domain monitoring                                   22%         20%
Firewall monitoring                                          45%         35%
Incorporation of external threat feeds                       27%         23%
Internal cyber threat awareness training                     34%         24%
Internal network monitoring                                  27%         23%
Security incident and event management (SIEM)                30%         19%
Security operations center                                   25%         20%
Social media monitoring                                      19%         11%
Threat analyst team                                          24%         17%

Q27. Please describe your organization's forecasted security implementation within the next 24 months. Specifically, which of these capabilities will you deploy (either in house or outsourced)? Please leave blank if the given security capability is not expected to be deployed. Your best guess is welcome.
                                                          In house   Outsourced
24/7 Security operations                                     30%         30%
Anti phishing                                                36%         24%
Compliance monitoring                                        39%         24%
Cyber threat monitoring                                      51%         45%
Employee/agent monitoring                                    35%         21%
External domain monitoring                                   22%         39%
Firewall monitoring                                          47%         35%
Incorporation of external threat feeds                       42%         31%
Internal cyber threat awareness training                     34%         38%
Internal network monitoring                                  31%         37%
Security incident and event management (SIEM)                41%         30%
Security operations center                                   41%         31%
Social media monitoring                                      24%         19%
Threat analyst team                                          29%         18%

Following are seven kinds of threat intelligence data that may be important to your security team and organization. Please rate the importance of each kind of intelligence data in terms of strengthening your organization's security posture. % Essential and Very important response.
                                                          Essential   Very important
Q28a. Malicious mobile app details                            26%          33%
Q28b. Malicious twitter handles                               25%          27%
Q28c. Phishing IP addresses                                   29%          31%
Q28d. Phishing kit data                                       16%          29%
Q28e. Rogue domain data                                       21%          33%
Q28f. Social media accounts with the same owner(s)            19%          27%
Q28g. Threat actor profiles and aliases                       21%          30%


Part 6. Organization and respondents' demographics
                                  Pct%
C-level executive                   2%
Executive/VP                        2%
Director                           16%
Manager                            21%
Supervisor                         15%
Staff/technician                   37%
Administrative                      3%
Consultant/contractor               4%
Other (please specify)              0%
Total                             100%

D2. What range best describes the full-time headcount of your global organization?
                                  Pct%
Less than 500                      11%
500 to 1,000                       15%
1,001 to 5,000                     27%
5,001 to 10,000                    17%
10,001 to 25,000                   12%
25,001 to 75,000                   10%
More than 75,000                    8%
Total                             100%

D3. What best describes your organization's primary industry classification?
                                  Pct%
Aerospace & defense                 1%
Agriculture & food services         1%
Communications                      3%
Consumer                            6%
Education & research                2%
Energy & utilities                  6%
Entertainment & media               2%
Financial services                 18%
Health & pharmaceuticals           11%
Industrial & manufacturing         11%
Public sector                      10%
Retailing                           9%
Services                           10%
Technology & software               7%
Transportation                      3%
Other                               0%
Total                             100%


Please contact research@ponemon.org or call us at 800.877.3118 if you have any questions.

Ponemon Institute

Advancing Responsible Information Management Ponemon Institute is dedicated to independent research and education that advances responsible information and privacy management practices within business and government. Our mission is to conduct high quality, empirical studies on critical issues affecting the management and security of sensitive information about people and organizations. As a member of the Council of American Survey Research Organizations (CASRO), we uphold strict data confidentiality, privacy and ethical research standards. We do not collect any personally identifiable information from individuals (or company identifiable information in our business research). Furthermore, we have strict quality standards to ensure that subjects are not asked extraneous, irrelevant or improper questions.