Greatest IT Security Risks of 2013: Annual State of the Endpoint Report

2013 State of the Endpoint

Presentation by Dr. Larry PonemonDecember 5, 2012

04/18/2023 Ponemon Institute: Private & Confidential Information 2

About Ponemon Institute

• Ponemon Institute conducts independent research on cyber security, data protection and privacy issues.

• Since our founding 11+ years ago our mission has remained constant, which is to enable organizations in both the private and public sectors to have a clearer understanding of the practices, enabling technologies and potential threats that will affect the security, reliability and integrity of information assets and IT systems.

• Ponemon Institute research informs organizations on how to improve upon their data protection initiatives and enhance their brand and reputation as a trusted enterprise.

• In addition to research, Ponemon Institute offers independent assessment and strategic advisory services on privacy and data protection issues. The Institute also conducts workshops and training programs.

• The Institute is frequently engaged by leading companies to assess their privacy and data protection activities in accordance with generally accepted standards and practices on a global basis.

• The Institute also performs customized benchmark studies to help organizations identify inherent risk areas and gaps that might otherwise trigger regulatory action.

04/18/2023 3

Introduction

• Since 2010, Ponemon Institute and Lumension have tracked endpoint risk in organizations, the resources to address the risk and the technologies deployed to manage threats.

• This study reveals that the state of endpoint risk is not improving. One of the top concerns is the proliferation of personally owned mobile devices in the workplace such as smart phones and iPads.

• Malware attacks are increasing and are having a significant impact on IT

operating expenses. Advanced persistent threats and hactivism pose the biggest headache to IT security pros.

Ponemon Institute: Private & Confidential Information


MethodsA random sampling frame of 17,744 IT and IT security practitioners located in all regions of the United States were selected as participants to this survey. As shown below, 923 respondents completed the survey. Screening removed 178 surveys and an additional 74 surveys that failed reliability checks were removed. The final sample was 671 surveys (or a 3.8 percent response rate).

Sample response FY 2012 FY 2011 FY 2010

Total sampling frame 17,744 18,988 11,890

Total returns 923 911 782

Rejected surveys 74 80 65

Screened surveys 178 143 153

Final sample 671 688 564

Response Rate 3.8% 3.6% 4.7%


Distribution of respondents according to primary industry classification

20%

12%

10%

9%8%

7%

5%

5%

5%

4%

3%

3%3%

2%2% 2%

Financial Services

Health & pharmaceuticals

Public Sector

Retailing

Services

Technology & software

Hospitality

Industrial

Education & research

Energy

Consumer products

Communications

Entertainment & media

Agriculture

Defense

Transportation


What organizational level best describes your current position?

19%

26%

19%

23%

7%

3% 3%

Director

Manager

Supervisor

Technician

Staff

Contractor

Other


The primary person you or the IT security leader reports to within the organization

54%

23%

9%

6%

4%3% 1%

Chief Information Officer

Chief Information Security Officer

Chief Risk Officer

Compliance Officer

Chief Security Officer

General Counsel

Chief Financial Officer


Worldwide headcount

7%

16%

21%

33%

19%

4%

Less than 500 people

500 to 1,000 people

1,001 to 5,000 people

5,001 to 25,000 people

25,001 to 75,000 people

More than 75,000 people

Results

The endpoint threat landscape


IT security risks considered to be on the rise Three choices permitted in 2010 and 5 choices permitted in 2011 and 2012

Removable media and/or media (CDs, DVDs)

Cloud computing infrastructure & providers

Negligent insider risk *

Our PC desktop/laptop

Mobile/remote employees

Across 3rd party applications

Mobile devices

0% 10% 20% 30% 40% 50% 60% 70% 80%

10%

18%

44%

44%

45%

9%

42%

43%

43%

41%

49%

56%

48%

39%

41%

44%

45%

53%

67%

73%

FY 2012 FY 2011 FY 2010

* This choice was not available for all fiscal years


IT security risks believed to be decreasing or staying the same Three choices permitted in 2010 and 5 choices permitted in 2011 and 2012

Our data centers

Within operating systems

Network infrastructure environment

Malicious insider risk *

Our server environment

Virtual computing environments

Lack of system connectivity/visibility *

Lack of organizational alignment *

0% 5% 10% 15% 20% 25% 30% 35% 40% 45%

14%

11%

11%

32%

20%

12%

10%

14%

16%

29%

28%

29%

39%

6%

8%

10%

15%

19%

19%

25%

36%

FY 2012 FY 2011 FY 2010



Is your IT network more secure now than it was a year ago?

FY 2012 FY 2011 FY 20100%

5%

10%

15%

20%

25%

30%

35%

40%

45%

50%

33% 34%36%

46%

41%

36%

21%

25%

28%

Yes No Unsure


IT security risks of most concern since 2010More than three choices permitted in 2010 and 3 choices permitted in 2011 and 2012

Intrusions and data loss within virtual envi-ronments

Advanced persistent threats

Increased use of mobile platforms *

0% 5% 10% 15% 20% 25% 30% 35% 40% 45% 50%

13%

24%

23%

24%

36%

22%

36%

47%

FY 2012 FY 2011 FY 2010



IT security risks that have declined or stayed the same More than three choices permitted in 2010 and 3 choices permitted in 2011 and 2012

Lack of an organizational wide security strategy *

Lack of integration between endpoint operations & security technologies

Insufficient collaboration among IT & business operations *

Inability to measure policy compliance *

Malicious insider risk

Increasingly sophisticated & targeted cyber attackers

Insufficient budget resources

Use of insecure cloud computing resources

Growing volume of malware

Negligent insider risk

0% 10% 20% 30% 40% 50% 60% 70%

13%

17%

16%

12%

11%

26%

32%

31%

29%

28%

12%

18%

13%

6%

12%

31%

30%

28%

30%

15%

20%

19%

40%

47%

49%

61%

50%

FY 2012 FY 2011 FY 2010*


Mobility is an IT security headache


Mobile devices pose a significant security riskStrongly agree and agree response combined

FY 2012 FY 20110%

10%

20%

30%

40%

50%

60%

70%

80%

90%

80%

74%


Technologies expected to increase in the next 12 to 24 monthsSubstantial increase and increase response combined

Social media / Web 2.0 *

Security event and incident management *

Use of internal cloud computing infrastructure

Virtualized environments

Use of 3rd party cloud computing infrastructure

Mobile devices / smart phones

0% 10% 20% 30% 40% 50% 60% 70% 80%

72%

45%

35%

52%

56%

70%

0.53

0.61

0.63

0.75

FY 2012 FY 2011

This choice was not available for FY 2012


Important mobile device management featuresThree choices permitted

Other

Remote wipe capability

Anti-theft features

Asset tracking

Encryption and other data loss technologies

Virus and malware detection or prevention

Provisioning and access policy management

0% 10% 20% 30% 40% 50% 60% 70% 80%

3%

41%

42%

47%

49%

55%

62%

1%

38%

39%

43%

44%

65%

70%

FY 2012 FY 2011


Personal mobile device use in the workplace

None 1 to 25% 26 to 50% 51 to 75% More than 75% Cannot determine0%

5%

10%

15%

20%

25%

30%

35%

40%

2%

16%

28%29%

18%

7%

3%

23%

34%

20%

13%

7%

FY 2012 FY 2011


Security policy for employee owned devices

0%

10%

20%

30%

40%

50%

29%

19%

39%

13%

21% 21%

46%

12%

FY 2012 FY 2011


Most vulnerable third-party applicationsThree choices permitted

Other

Mozilla Firefox

WinZip

Oracle applications

VMware

Apple apps

Apple/Mac OS

General 3rd party apps outside of Microsoft

Microsoft OS/applications

Adobe

Google Docs

0% 10% 20% 30% 40% 50% 60% 70%

4%

2%

19%

10%

17%

14%

15%

58%

57%

54%

46%

1%

6%

16%

22%

20%

20%

24%

46%

49%

50%

47%

0%

3%

11%

15%

18%

28%

30%

40%

44%

55%

55%

FY 2012 FY 2011 FY 2010

The malware threat


Monthly malware attempts or incidents

Less than 5 5 to 10 11 to 25 26 to 50 More than 50 Not sure0%

5%

10%

15%

20%

25%

30%

35%

40%

45%

50%

2%

9%11%

23%

35%

20%

3%

9%

13%

32%

43%

6%

11%

21%

35%

27%

FY 2012 FY 2011 FY 2010


Changes in malware incidents over the past year

Yes, major increase Yes, but only slight increase

No, they stayed the same No, they have decreased Not sure0%

5%

10%

15%

20%

25%

30%

35%

40%

37%

18%

22%

8%

15%

31%

22%

25%

8%

14%

26%

21%

25%

9%

17%

FY 2012 FY 2011 FY 2010


Most frequent and annoying incidents More than one choice permitted

Other

Exploitexisting software vulnerability > 3 months

Exploit existing software vulnerability < 3 months

SQL injection

Zero day attacks

Hacktivism

Clickjacking

Spyware

Advanced persistent threats / Targeted attacks*

Botnet attacks

Rootkits

Web-borne malware attacks

General malware

0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%

0%

6%

5%

12%

13%

15%

7%

0%

25%

8%

4%

3%

2%

5%

26%

28%

29%

31%

41%

43%

45%

54%

55%

65%

79%

86%

Which incidents are you seeing frequently in your organization’s IT networks?Which one incident represents your biggest headache?

*Termed Targeted Attacks in the 2011 survey


IT operating costs increase due to malware

Very significant Significant Some significance None0%

5%

10%

15%

20%

25%

30%

35%

40%

45%

50%

21%

43%

28%

8%

22%

41%

29%

8%

14%

40%

32%

14%

FY 2012 FY 2011 FY 2010

Barriers to achieving optimal security


IT security budget changes from last year

Increase Stay the same Decrease Unsure0%

10%

20%

30%

40%

50%

60%

29%

48%

12% 11%

25%

56%

10% 9%

FY 2012 FY 2011


Collaboration between IT operations and IT security

Colla

bora

tion

is ex

celle

nt

Colla

bora

tion

is ad

equa

te, b

ut ca

n be

impr

oved

Colla

bora

tion

is po

or o

r non

-exis

tent

0%

10%

20%

30%

40%

50%

60%

13%

46%41%

12%

48%40%

FY 2012 FY 2011


Admin privileges allowed

No

Yes, to

par

t of th

e us

er e

nviro

nmen

t

Yes, to

the

entir

e us

er e

nviro

nmen

t0%

5%

10%

15%

20%

25%

30%

35%

40%

45%40% 41%

19%


Greatest challenges in meeting federal compliance regulationsTwo choices permitted

None of the above

Manual data collection

Inconsistent reporting

Explaining issues and requirements to management

Increasing audit burden

Lack of resources

0% 10% 20% 30% 40% 50% 60% 70% 80%

12%

9%

11%

15%

73%

75%


Impact of external compliance requirements on IT security functionTwo choices permitted

None of the above

Formal audits to ensure policy enforcement

Requirements to update or create new training procedures

Requirements to update or create new policies

Improved control procedures

Better understanding of organizational IT risk

More funding for purchasing security technologies

More personnel and funding for meeting compliance initiatives

0% 10% 20% 30% 40% 50% 60%

13%

9%

10%

12%

20%

24%

53%

56%

Current and future technologies


Technologies in use or to be invested in over the next 12 months More than one choice permitted

Applic

atio

n co

ntro

l fire

wall

Applic

atio

n co

ntro

l/whi

telis

ting

Endpo

int m

anag

emen

t and

secu

rity s

uite

SEIM

Mob

ile d

evice

man

agem

ent *

0%

10%

20%

30%

40%

50%

60%

45%38%

34%

42%

55% 55%49% 47%

Current use of technology Expected increase in use of technology


Most effective tools for reducing IT risk Fiscal years 2012 and 2011 limited to 5 choices

Anti-virus & anti-malware

Application control/whitelisting

Application control firewall

Device control

Endpoint firewall

Endpoint management & security suites/platforms

Security event and incident management *

Vulnerability assessment *

Privilege management *

0% 10% 20% 30% 40% 50% 60% 70% 80%

57%

44%

52%

57%

59%

48%

70%

40%

37%

42%

44%

43%

41%

43%

55%

33%

36%

37%

37%

39%

40%

40%

45%

46%

FY 2012FY 2011FY 2010

* This choice not available for all fiscal years


Reasons for migrating to Windows 8Two choices permitted

Improvements in vendor support

Interoperability issues with other systems

Stability of the operating system

Improvements in speed and performance

Improvements in security

Efficiency and user productivity gains

0% 5% 10% 15% 20% 25% 30% 35% 40% 45% 50%

19%

31%

33%

37%

38%

43%

Cloud computing and endpoint security


The existence and enforcement of cloud security policies

Yes No Unsure0%

5%

10%

15%

20%

25%

30%

35%

40%

45%

50%

40%

36%

24%

41%

45%

14%

Does your organization have a centralized cloud security policy?Do you enforce employees’ use of private clouds?


Conclusion & Recommendations

• Create acceptable use policies for personally owned devices in the workplace.

• Conduct risk assessments and consider the use of an integrated endpoint

security suite that includes vulnerability assessment, device control, anti-virus and anti-malware.

• Establish governance practices for privileged users at the device level to define

acceptable use of mobile, BYOD and corporate-owned asset as well as limit the installation of third-party applications.

• Ensure that policies and procedures clearly state the importance of protecting sensitive and confidential information stored in the cloud.

• To better address the difficulties in managing the endpoint risk, collaboration

between IT operations and IT security should be improved to achieve a better allocation of resources and the creation of strategies to address risks associated with hacktivism, BYOD, third-party applications and cloud computing.


Caveats

• There are inherent limitations to survey research that need to be carefully considered before drawing inferences from findings. The following items are specific limitations that are germane to most web-based surveys.

• Non-response bias: The current findings are based on a sample of survey returns. We sent surveys to a representative sample of individuals, resulting in a large number of usable returned responses. Despite non-response tests, it is always possible that individuals who did not participate are substantially different in terms of underlying beliefs from those who completed the instrument.

• Sampling-frame bias: The accuracy is based on contact information and the degree

to which the list is representative of individuals who are IT or IT security practitioners. We also acknowledge that the results may be biased by external events such as media coverage. We also acknowledge bias caused by compensating subjects to complete this research within a holdout period.

• Self-reported results: The quality of survey research is based on the integrity of

confidential responses received from subjects. While certain checks and balances can be incorporated into the survey process, there is always the possibility that a subject did not provide a truthful response.

Questions?

Ponemon Institutewww.ponemon.orgTel: 231.938.9900

Toll Free: 800.887.3118Michigan HQ: 2308 US 31 N. Traverse City, MI 49686 USA

[email protected]

Documents

Greatest IT Security Risks of 2013: Annual State of the Endpoint Report