2009 security mega trends & emerging threats
DESCRIPTION
To help define what the biggest security threats will be to an organization’s sensitive and confidential data over the next 12 to 24 months, Lumension has teamed up with the Ponemon Institute, a leading research firm, to charter our first annual 2009 Security Mega Trends Survey. The survey also outlines key alignments and gaps between two traditionally disparate groups, IT Security and IT Operations, when it comes to these new and emerging threats.
TRANSCRIPT
2009 Security Mega Trends Survey
Sponsored by :
Ponemon Institute© Private & Confidential Document
Page 1
Independently conducted by Ponemon Institute LLC
November 2008
About the study
• The 2009 Security Mega Trends Survey was conducted by Ponemon Institute and sponsored by Lumension to better understand if certain publicized IT risks to personal and confidential data are or should be more or less of a concern for organizations.
• We asked respondents in IT operations and IT security to consider how eight Security Mega Trends affect organizations today and during the next 12 to 24 months.
• Based on interviews with IT experts in operations and information security, we selected the following eight Mega Trends for this study: cloud computing, virtualization, mobility and mobile devices, cyber crime, outsourcing to third parties, data breaches and the risk of identity theft, peer-to-peer file sharing and Web 2.0.
Security Mega Trends
Mega Trend 1: Cloud computing
• Cloud computing refers to distributed computing solutions owned by third-parties on data center locations outside the end-user company’s IT infrastructure. The demand for cloud computing is expanding quickly, especially as the cost of remote connectivity decreases.
Mega Trend 2: Virtualization
• Virtualization technology allows end-users to access multiple secure networks from a single computer, wherein the PC or laptop essentially acts as a hardware authentication token. With one computer, the end-user is able to gain access to separate virtual devices or machines. Virtualization makes server and operating system deployments more flexible and improves the use of storage and systems resources.
Mega Trend 3: Mobility
• Organizations are dependent upon a mobile workforce with access to information no matter where they work or travel. Employees can use the following mobile devices when they travel or work at home: laptops, VPNs, PDAs, cell phones and memory sticks. The opportunity to work from home or other locations is a benefit to many employees. In addition, mobility can increase employees’ productivity and as a result improve the organization’s bottom line.
Mega Trend 4: The external threat of organized cyber criminal syndicates
• The black market for personal records makes data theft an attractive crime for thieves around the world. Cyber crime usually describes criminal activity in which the computer or network is an essential part of the illegal criminal activity. This term also is used to include traditional crimes in which computers or networks are used to enable the illicit activity.
Mega Trend 5: Outsourcing to third parties
• Organizations outsource sensitive and confidential customer and employee data to vendors and other third parties to reduce processing costs and improve operating efficiencies. These purposes can include (but are not limited to): marketing and sales campaigns, software application development, call center operations, and mortgage and other credit application processing.
Mega Trend 6: Data breaches involving personal information are increasing
• The Federal Trade Commission reports that the number one consumer complaint it receives concerns the theft of identity. In addition to potential fines, organizations risk the loss of customer confidence and trust. Some experts believe that identity theft crimes will increase substantially over the next several years.
Mega Trend 7: Peer-to-peer file sharing
• P2P file sharing networks allow a group of computers to connect with each other and directly access files from one another's hard drives. P2P file sharing networks started with Napster by enabling Internet users to share music files. P2P file-sharing networks can cause inadvertent transfers and disclosures of documents that reside on an organization’s computers and laptops. File sharing networks where inadvertent file sharing typically occurs include networks. For example, a sales representative downloads a peer-to-peer music sharing application onto his company assigned notebook computer. This P2P file sharing network exposes confidential business documents contained on his computer.
Mega Trend 8: Web 2.0
• Web 2.0 refers to a plethora of Internet tools that enhance information sharing and collaboration among users. These concepts have led to the evolution of web-based communities and hosted services, such as social networking sites, wikis and blogs. This term does not refer to an update to any technical. Unsupervised monitoring of employees’ use of Web 2.0 applications can result in the loss of critical confidential business data on the Internet. The other risk is that damaging information can be posted about an organization that can negatively affect its reputation.
Two Samples
• Our study utilized two separate sampling frames (panels) built from conference, association and professional certification lists.
• Web-based survey responses were captured on a secure extranet platform.
• We utilized two separate samples of U.S. participants:
– IT operations: 825 (5.7% response)
– IT security: 577 (5.0% response)
• Less than 1% rejection rate because of reliability failures.
• Respondents in both groups were asked to complete the same survey instrument.
• Margin of error is ≤ 3% on all adjective or yes/no responses for both samples.
Sample description       IT Operations   IT Security
Total sampling frames    14,518          11,506
Bounce-back              3,957           2,109
Total returns            915             658
Rejected surveys         90              81
Final sample             825             577
Response rate            5.7%            5.0%
The Survey – Example: Cloud Computing
Mega Trend 1: Cloud computing
Cloud computing refers to distributed computing solutions owned by third-parties on data center locations outside the end-user company’s IT infrastructure. Consumers of cloud computing services purchase capacity on-demand and are not concerned with the underlying technologies used to increase computing capacity.
The demand for cloud computing is expanding quickly, especially as the cost of remote connectivity decreases. The services that can be delivered from the cloud have expanded Web applications to include storage, raw computing capability, and access to any number of specialized applications or services.
Q1a. How familiar are you with cloud computing?
– Very familiar
– Familiar
– Not familiar
Q1b. Does your organization access cloud computing resources or applications?
– Yes
– No
– Unsure
What are the security implications?
Experts say the use of cloud computing increases information security risks because the end-user’s organization is unable to control the data management environment.
Q1c. Do you believe that cloud computing increases the information security risks within your company?
– Yes
– No (Go to Q2a)
Q1d. If yes, what is the most significant security risk associated with cloud computing? Please check only one choice:
– Inability to assess or verify the security of data centers in the cloud
– Inability to protect sensitive or confidential information
– Inability to restrict or limit use of cloud computing resources or applications
– Third parties might be able to access private files without authorization
– Information may not be properly backed up
– Downtime as a result of cloud computing failure
– Other (please specify)
Q1e. If yes, please rate the security risk presented by cloud computing within your organization today.
– Very low
– Low
– Moderate
– High
– Very high
Q1e. If yes, please rate the security risk presented by cloud computing in your organization within the next 12 to 24 months.
– Very low
– Low
– Moderate
– High
– Very high
Mega Trends – Comparison of IT Operations and IT Security Samples – Current Outlook
Line Graph 1a
Security mega trends as perceived today for both samples. Each point reflects the percentage responses for very high or high security risks at present.
[Line graph: categories Cloud computing, Virtualization, Mobility, Mobile devices, Cyber crime, Outsourcing, Data breach, P2P file sharing, Web 2.0, Malware; series IT Operations and IT Security; vertical axis 0% to 70%.]
Mega Trends – Comparison of IT Operations and IT Security Samples – Future Outlook
Line Graph 1b
Security mega trends as perceived for the next 12 to 24 months for both samples. Each point reflects the percentage responses for very high or high security risks.
[Line graph: categories Cloud computing, Virtualization, Mobility, Mobile devices, Cyber crime, Outsourcing, Data breach, P2P file sharing, Web 2.0, Malware; series IT Operations and IT Security; vertical axis 0% to 90%.]
IT Operations – Mega trend risk rating today and 12 to 24 months in the future
Bar Chart 1a
Mega trends today and in the next 12 to 24 months by respondents in IT operations. Each bar summarizes the combined percentage response for "Very High" and "High" security risks.
[Bar chart: categories Mobility, Cyber crime, Mobile devices, Outsourcing, Malware, Virtualization, Web 2.0, P2P file sharing, Cloud computing, Data breach; series "Risk as perceived today" and "Risk as perceived in the next 12 to 24 months"; horizontal axis 0% to 60%.]
IT Security – Mega trend risk rating today and 12 to 24 months in the future
Bar Chart 1b
Mega trends today and in the next 12 to 24 months by respondents in IT security. Each bar summarizes the combined percentage response for "Very High" and "High" security risks.
[Bar chart: categories Outsourcing, Mobility, Cyber crime, Data breach, Virtualization, Malware, Web 2.0, P2P file sharing, Mobile devices, Cloud computing; series "Risk as perceived today" and "Risk as perceived in the next 12 to 24 months"; horizontal axis 0% to 90%.]
Mega Trend: Outsourcing Causes Data Breach
Bar Chart 2
Security risks due to outsourcing. Each bar is the percentage of respondents who selected the noted information security risk.
[Bar chart: risks Unauthorized parties might be able to access private files without authorization; Sensitive or confidential information may not be properly protected; Inability to properly identify and authenticate remote users; Information may not be properly backed up; Increased threat of social engineering and cyber crimes; series IT Operations and IT Security; horizontal axis 0% to 70%.]
Cyber Crime Experience
Bar Chart 3
Did your organization have a cyber attack?
[Bar chart: responses Yes, No, Don't know; series IT Operations and IT Security; vertical axis 0% to 100%.]
Mega Trend: Cyber Crime Will Increase
Bar Chart 4
Security risks due to cyber crime. Each bar is the percentage of respondents who selected the noted information security risk.
[Bar chart: risks Attack will cause business interruption; Attack will cause the loss of information about employees or customers, thus requiring data breach notification; Attack will result in the loss of sensitive or confidential business information including trade secrets; series IT Operations and IT Security; horizontal axis 0% to 70%.]
Most Risky Mobile Devices
Bar Chart 5
Most risky mobile devices. Each bar is the percentage of respondents who selected the device as their highest risk.
[Bar chart: devices Laptop computers; PDAs and other handheld devices; Cellular phones; USB memory sticks; Insecure wireless networks; series IT Operations and IT Security; horizontal axis 0% to 60%.]
Mega Trend: Mobile Workforce Increases Security Risk
Bar Chart 6
Security risks due to a mobile workforce. Each bar is the percentage of respondents who selected the noted information security risk.
[Bar chart: risks Inability to properly identify and authenticate remote users; Increased threat of social engineering and cyber crimes; Sensitive or confidential information may not be properly protected; Third parties might be able to access private files without authorization; Information may not be properly backed up; series IT Operations and IT Security; horizontal axis 0% to 70%.]
Confidence in the Ability to Prevent Data Loss
Bar Chart 7
How confident are you that your current security practices are able to prevent customer and employee data from being lost or stolen?
[Bar chart: responses Very confident, Confident, Somewhat confident, Not confident, Uncertain; series IT Operations and IT Security; vertical axis 0% to 45%.]
Mega Trend: Data Breach on the Rise
Bar Chart 8
Security risks due to a data breach. Each bar is the percentage of respondents who selected the noted information security risk.
[Bar chart: risks Loss of customer or employee information, thus requiring notification of victims; Unauthorized parties gain access to private accounts; Diminished reputation as a result of negative media coverage; Sensitive or confidential information that ends up in the hands of cyber criminals and identity thieves; series IT Operations and IT Security; horizontal axis 0% to 50%.]
Security Risks Due to Data Breach
Bar Chart 9
Security risks due to a data breach. Each bar is the percentage of respondents who selected the noted information security risk.
[Bar chart: risks Inability to assess or verify the security of data centers in the cloud; Inability to restrict or limit use of cloud computing resources or applications; Information may not be properly backed up; Inability to protect sensitive or confidential information; Downtime as a result of cloud computing failure; Third parties might be able to access private files without authorization; series IT Operations and IT Security; horizontal axis 0% to 45%.]
Mega Trend: P2P File Sharing Causes Security Risk
Bar Chart 10
Security risks due to P2P file sharing applications. Each bar is the percentage of respondents who selected the noted information security risk.
[Bar chart: risks Use of P2P will result in the loss of sensitive or confidential business information including trade secrets; Use of P2P will cause business interruption; Use of P2P will cause the loss of information about employees or customers, thus requiring data breach notification; Use of P2P will increase the risk of malware or virus infection; series IT Operations and IT Security; horizontal axis 0% to 60%.]
Mega Trend: Web 2.0 Use Increases Security Risk
Bar Chart 11
Security risks due to Web 2.0. Each bar is the percentage of respondents who selected the noted information security risk.
[Bar chart: risks Use of Web 2.0 will result in the loss of sensitive or confidential business information including trade secrets; Use of Web 2.0 will cause business interruption; Use of Web 2.0 will increase the risk of malware or virus infection; Use of Web 2.0 will cause the loss of information about employees or customers, thus requiring data breach notification; series IT Operations and IT Security; horizontal axis 0% to 70%.]
Mega Trend: Virtualization
Bar Chart 12
Security risks due to virtualization. Each bar is the percentage of respondents who selected the noted information security risk.
[Bar chart: risks Third parties might be able to access private files without authorization; Inability to properly identify and authenticate users to multiple systems; Information may not be properly backed up; Sensitive or confidential information may not be properly protected; Increased threat of social engineering and cyber crimes; series IT Operations and IT Security; horizontal axis 0% to 60%.]
Implications
• Organizations are faced with a plethora of security threats to their confidential and sensitive data assets. We asked IT operations and security practitioners to rank those they believe have a high or very high risk to sensitive and confidential information. Based on the risks associated with each of these threats, we believe organizations should consider the following solutions:
– Create and enforce policies that ensure access to private data files is restricted to authorized parties only.
– Secure corporate endpoints to protect against data leakage and malware.
– Make sure third parties who have access to your sensitive and confidential information take appropriate security precautions.
– Train employees and contractors to understand their responsibility in the protection of data assets.
– Ensure that mobile devices are encrypted and that employees understand the organization’s policies with respect to downloading sensitive information and working remotely.
– Understand precautions that should be taken when traveling with laptops, PDAs and other data bearing devices.
Conclusion
• We believe the findings from this study provide organizations with guidance on which threats are more critical than others to address. IT operations and IT security professionals identified outsourcing of sensitive information to third parties, external threat of organized cyber criminal syndicates, a mobile workforce, data breaches and access to cloud computing as the most significant
Samples’ Organizational Characteristics
Samples’ Combined Industry Distribution
Pie Chart 1
Industry distribution of the combined IT operations and IT security samples
[Pie chart: industries Financial services, Government, Pharma & Healthcare, Education, Defense, Technology & Software, Hospitality & Leisure, Retail, Professional Services, Telecom, Manufacturing, Research, Energy, Airlines, Entertainment, Transportation; slices range from 17% down to 1%.]
Sample Characteristics
The mean experience level for the IT operations sample is 8.9 years and for the IT security sample is 9.4 years. 60% of respondents are male and 40% female.
Table 2
What organizational level of respondents   IT Operations   IT Security
Senior Executive                             1%              0%
Vice President                               2%              2%
Director                                    21%             24%
Manager                                     24%             26%
Associate/Staff/Technician                  45%             39%
Consultant                                   4%              6%
Other                                        2%              3%
Total                                      100%            100%
Table 3a. Geographic location   Pct%
Northeast                        20%
Mid-Atlantic                     19%
Midwest                          19%
Southeast                        13%
Southwest                        14%
Pacific                          17%
Total                           100%
Table 3b. Organizational headcount   Pct%
Less than 500 people                   2%
500 to 1,000 people                    4%
1,001 to 5,000 people                 12%
5,001 to 25,000 people                29%
25,001 to 75,000 people               34%
More than 75,000 people               19%
Total                                100%
Ponemon Institute LLC
• The Institute is dedicated to advancing responsible information management practices that positively affect privacy and data protection in business and government.
• The Institute conducts independent research, educates leaders from the private and public sectors and verifies the privacy and data protection practices of organizations.
• Ponemon Institute is a full member of CASRO (Council of American Survey Research Organizations). Dr. Ponemon serves as chairman of CASRO’s Government & Public Affairs Committee of the Board.
• The Institute has assembled more than 50 leading multinational corporations, called the RIM Council, which focuses on the development and execution of ethical principles for the collection and use of personal data about people and households.
• The majority of active participants are privacy or information security leaders.