comptia international trends in cybersecurity

International Trends in Cybersecurity April 2016 REMINDER: The complete International Trends in Cybersecurity report and 12 country snapshots can be viewed free of charge at CompTIA.org (with simple registration)

Upload: comptia

Post on 18-Jan-2017


Page 1: CompTIA International Trends in Cybersecurity

International Trends in Cybersecurity April 2016


Page 2: CompTIA International Trends in Cybersecurity

The Importance of IT Security Continues to Grow

Today: NET Lower 6%, No Change 18%, Moderately Higher 49%, Significantly Higher 27%
Two Years From Now: NET Lower 3%, No Change 18%, Moderately Higher 43%, Significantly Higher 35%

79% NET of businesses expect IT security to become a higher priority over the next two years

NET Higher: Significantly Higher + Moderately Higher
NET Lower: Significantly Lower + Moderately Lower

Source: CompTIA International Trends in Cybersecurity | Overall results, n=1,509

International Summary

Page 3: CompTIA International Trends in Cybersecurity

Satisfaction With Current Security Level

International Summary: Completely Satisfactory 23%, Mostly Satisfactory 54%, Adequate/Unsatisfactory 23%, NET Satisfactory 77%
Mature Economies: Completely Satisfactory 20%, Mostly Satisfactory 53%, Adequate/Unsatisfactory 28%, NET Satisfactory 72%
Maturing Economies: Completely Satisfactory 25%, Mostly Satisfactory 56%, Adequate/Unsatisfactory 20%, NET Satisfactory 80%

NET Satisfactory: Completely + Mostly Satisfactory
Adequate/Unsatisfactory: Simply Adequate + Mostly Unsatisfactory + Completely Unsatisfactory

Source: CompTIA International Trends in Cybersecurity | Overall results, n=1,509

Note: see slide 18 for which countries are categorized in Mature Economies vs. Maturing Economies.

Page 4: CompTIA International Trends in Cybersecurity

Top Drivers for Changing IT Security Approach

International Summary

1. Change in IT operations (e.g. cloud, mobility)
2. Reports of security breaches at other firms
3. Internal security breach or incident
4. Change in business operations or client base
5. Knowledge gained from training or certification

Mature Economies

1. Change in IT operations (e.g. cloud, mobility)
2. Reports of security breaches at other firms
3. Internal security breach or incident
4. Knowledge gained from training or certification
5. Change in business operations or client base

Maturing Economies

1. Change in IT operations (e.g. cloud, mobility)
2. Change in business operations or client base
3. Internal security breach or incident
4. Knowledge gained from training or certification
5. Reports of security breaches at other firms

Source: CompTIA International Trends in Cybersecurity | Overall results, n=1,509

Page 5: CompTIA International Trends in Cybersecurity

Top Factors Impacting IT Security Practices

Columns: International Summary, Mature Economies, Maturing Economies

Volume of security threats 36% 32% 38%
Greater availability of hacking tools 37% 32% 40%
Sophistication of security threats 39% 37% 41%
More reliance on Internet applications 42% 39% 45%
Greater tech interconnectivity 42% 37% 46%
Growing organization of hackers 43% 39% 46%
Rise of social networking 45% 39% 49%

Source: CompTIA International Trends in Cybersecurity | Overall results, n=1,509

Page 6: CompTIA International Trends in Cybersecurity

Top IT Security Concerns

Top Serious Concerns

1. Malware (e.g. viruses, worms, trojans)
2. Hacking (e.g. DoS attack)
3. Data loss/leakage
4. Physical security threats (e.g. device theft)
5. Privacy concerns
6. Social engineering/Phishing
7. Intentional abuse by insiders (e.g. staff)
8. Understanding security risks of emerging areas
9. Regulatory compliance
10. Human error among general staff

Greatest Growth in Concern (More Critical Today vs. Two Years Ago)

1. Data loss/leakage
2. Malware (e.g. viruses, worms, trojans)
3. Hacking (e.g. DoS attack)
4. Social engineering/Phishing
5. Understanding security risks of emerging areas
6. Privacy concerns
7. Physical security threats (e.g. device theft)
8. Intentional abuse by insiders (e.g. staff)
9. Regulatory compliance
10. Human error among general staff

Source: CompTIA International Trends in Cybersecurity | Overall results, n=1,509

International Summary

Page 7: CompTIA International Trends in Cybersecurity

Mobile Security Incidents

Columns: International Summary, Mature Economies, Maturing Economies

None of the above 24% 31% 18%
Violation of policy on corporate data 28% 26% 31%
Employees disabling security features 28% 20% 33%
Mobile phishing attack 29% 22% 34%
Mobile malware 32% 22% 40%
Lost device 37% 32% 40%

Source: CompTIA International Trends in Cybersecurity | Overall results, n=1,509

76% of organizations overall self-report experiencing at least one of these mobile security events

Page 8: CompTIA International Trends in Cybersecurity

Top 5 Concerns Over Mobile Security Threats

International Summary

1. Open WiFi networks
2. Mobile-specific viruses or malware
3. USB flash drives
4. Theft or loss of corporate devices
5. Unauthorized apps

Mature Economies

1. Theft or loss of corporate devices
2. Open WiFi networks
3. Mobile-specific viruses or malware
4. Unauthorized apps
5. Social media

Maturing Economies

1. Open WiFi networks
2. USB flash drives
3. Mobile-specific viruses or malware
4. Theft or loss of corporate devices
5. Unauthorized apps

Source: CompTIA International Trends in Cybersecurity | Overall results, n=1,509

Page 9: CompTIA International Trends in Cybersecurity

Experiences With Data Loss

[Chart: responses No/Don't know, Yes probably, Yes definitely, shown for International Summary, Mature Economies and Maturing Economies. Values in extracted order: 28%, 38%, 34%; 51%, 29%, 20%; 41%, 35%, 24%]

Source: CompTIA International Trends in Cybersecurity | Overall results, n=1,509 and n=850 who had a loss

Many are aware of their company experiencing some type of loss of confidential data through carelessness or negligence in the past 12 months

Types of Data Lost

• Employee data
• Financial data
• Customer records
• Intellectual property

Top Areas Where Managers Plan to Improve DLP

• Spyware prevention
• Consumer app restriction
• Mobile file encryption
• BYOD restriction
• Device safety policy enforcement/creation

Page 10: CompTIA International Trends in Cybersecurity

Self-Reported Occurrence of Security Breaches

Over the past 12 months

International Summary: None 27%, 1-10 breaches 64%, > 10 breaches 9%
Mature Economies: None 35%, 1-10 breaches 58%, > 10 breaches 7%
Maturing Economies: None 22%, 1-10 breaches 69%, > 10 breaches 9%

73% of all firms experienced at least one breach

61% of all firms experienced at least one serious breach

Source: CompTIA International Trends in Cybersecurity | Overall results, n=1,509

Page 11: CompTIA International Trends in Cybersecurity

Human Element a Major Part of Security Risk

Technology error 42%
Human error 58%

International Summary

Source: CompTIA International Trends in Cybersecurity | Overall results, n=1,200 who had a security incident in the past 12 months

Top Human Error Sources

42% General carelessness

37% Failure to get up to speed on new threats

37% Lack of expertise with websites and applications

37% End user failure to follow policies and procedures

36% Lack of expertise with networks, servers and other infrastructure

34% IT staff failure to follow policies and procedures

Page 12: CompTIA International Trends in Cybersecurity

Human Error Becoming More of a Factor in Security Breaches and Incidents

International Summary: NET technology error more of a factor 13%, No change in the allocation 23%, NET human error more of a factor in security breaches 64%
Mature Economies: NET technology error more of a factor 13%, No change in the allocation 30%, NET human error more of a factor in security breaches 57%
Maturing Economies: NET technology error more of a factor 13%, No change in the allocation 19%, NET human error more of a factor in security breaches 68%

NET More of a factor: Significantly More + Moderately More

Source: CompTIA International Trends in Cybersecurity | Overall results, n=1,200 who had a security breach in the past 12 months

23% of organizations where human error is now significantly more of a factor

Human error is significantly more of a factor among firms in Maturing Economies (27%) vs. those in Mature Economies (18%) now compared to two years ago

Page 13: CompTIA International Trends in Cybersecurity

Utilization of Security Assessments and Training Among Staff

Columns: International Summary, Mature Economies, Maturing Economies

None of the above 8% 10% 6%
Ad hoc security experiments 25% 18% 30%
Formal vulnerability assessments 28% 22% 33%
Online course 31% 26% 34%
Posted security policies 35% 35% 34%
Random security audits 36% 30% 41%
Ongoing security training program 41% 34% 45%
New employee orientation 43% 43% 43%

Source: CompTIA International Trends in Cybersecurity | Overall results, n=1,509

92% of companies overall use at least one of these formats to assess or improve security knowledge among employees

Page 14: CompTIA International Trends in Cybersecurity

Managers Value IT Security Certifications

International Summary: NET Valuable 80% (38% Very Valuable), Neutral 17%, NET Not that Valuable 3%
Mature Economies: NET Valuable 68% (25% Very Valuable), Neutral 25%, NET Not that Valuable 6%
Maturing Economies: NET Valuable 89% (49% Very Valuable), Neutral 10%, NET Not that Valuable 1%

NET Valuable: Very Valuable + Valuable
NET Not that Valuable: Not that Valuable + Not at all Valuable

Source: CompTIA International Trends in Cybersecurity | Overall results, n=1,246 managers/executives

Page 15: CompTIA International Trends in Cybersecurity

The Importance of Testing After IT Security Training

International Summary: Not that Important 4%, Somewhat Important 34%, Very Important 63%
Mature Economies: Not that Important 7%, Somewhat Important 42%, Very Important 51%
Maturing Economies: Not that Important 1%, Somewhat Important 27%, Very Important 72%

NET Important: Very Important + Somewhat Important

Source: CompTIA International Trends in Cybersecurity | Overall results, n=1,246 managers/executives

96% NET of managers overall believe it is important (very + somewhat) to test after IT security training to confirm knowledge gains

93% NET Important to managers in Mature Economies (51% very important)

99% NET Important to managers in Maturing Economies (72% very important)

Page 16: CompTIA International Trends in Cybersecurity

Security Awareness Levels Among Employees

Advanced 39%
Basic 52%
Low priority 9%

International Summary

Source: CompTIA International Trends in Cybersecurity | Overall results, n=1,509

Top Potential Business Impacts of Deficiencies in Security Awareness

39% Unaware of areas where company may be exposed

39% Incurred costs for (re)training current workforce

37% Loss of business as a result of security issues with customer data

36% Failure to keep up with changes in regulatory environment

36% Unaware of new trends in security

Page 17: CompTIA International Trends in Cybersecurity

Effectiveness of Security Training

Source: CompTIA International Trends in Cybersecurity | Overall results, n=1,392 firms using security training

Columns: International Summary, Mature Economies, Maturing Economies

NET Effective (Extremely + Fairly Effective) 73% 70% 76%
Extremely Effective 23% 22% 25%
Fairly Effective 50% 48% 51%
Moderately Effective 22% 26% 20%
Slightly Effective 4% 4% 3%
Not at all Effective 0% 1% 0%

Suggestions for Improving Training*

- “Continual training on new threats.”
- “Regular retraining.”
- “More comprehensive and formalised training.”
- “Keep it up to date.”
- “Regular reviews.”
- “Mandatory training.”
- “More tests of employees’ security understanding.”
- “A more strict regime and more random security audits.”
- “Have a particular person assigned for the training.”
- “More investment in new tech.”
- “More hands-on simulations of real-world breaches.”
- “There should be very strict policies be enforce on proper training. Proper budgets for training.”
- “Shorter training sessions but more of them.”
- “Tests must be done every three months. Continuous training.”

*Sampling of international comments representing common themes

Page 18: CompTIA International Trends in Cybersecurity

About This Research

CompTIA’s 2016 International Trends in Cybersecurity was conducted to collect and share information on behaviors, techniques, and opportunities associated with information technology (IT) security across several countries. The objectives of this research include:

• Evaluate and track changes in IT security practices, policies, threats, breaches, etc. over time
• Identify drivers and inhibitors among IT decision makers when evaluating security tech
• Gain insights into the security issues associated with emerging tech (e.g. cloud computing, mobile solutions)
• Track trends in IT security training and education

The data for this study was collected via a quantitative online survey conducted January 21 to February 18, 2016 among 1,509 IT and business executives directly involved in setting or executing IT security policies and processes within their organizations. See the Appendix for Respondent Profile details such as industry, company size, and job role.

The 12 countries covered in this study include: Australia (n=125); Brazil (n=126); Canada (n=125); Germany (n=125); India (n=131); Japan (n=125); Malaysia (n=125); Mexico (n=126); South Africa (n=125); Thailand (n=125); United Arab Emirates (n=126); United Kingdom (n=125).

Maturing Economies: Brazil, India, Malaysia, Mexico, South Africa, Thailand, UAE (n=884). Mature Economies: Australia, Canada, Germany, Japan, UK (n=625).

Surveys were localized and translated to allow respondents to participate in their native language. Additionally, precautions were taken to minimize misinterpretations of questions. However, research has shown that cultural differences exist and can affect responses to certain question types, such as 5-point satisfaction rating questions. Viewers of this report should keep that in mind when comparing results across countries.

The margin of sampling error at 95% confidence for aggregate results is +/- 2.5 percentage points. Sampling error is larger for subgroups of the data. As with any survey, sampling error is only one source of possible error. While non-sampling error cannot be accurately calculated, precautionary steps were taken in all phases of the survey design, collection and processing of the data to minimize its influence. Note: because data collection occurred via an online survey, in countries where Internet penetration is lower among businesses, the non-sampling error could be higher.

More information and all country snapshots are available at CompTIA.org/internationalsecurity. CompTIA is responsible for all content contained in this report. Any questions regarding the study should be directed to CompTIA Research & Market Intelligence staff at [email protected].

CompTIA is a member of the Marketing Research Association (MRA) and adheres to the MRA’s Code of Market Research Ethics and Standards.

Page 19: CompTIA International Trends in Cybersecurity

Thank You

Copyright (c) 2016 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
