The Need for a New IT Security Architecture: United Kingdom Ponemon Institute© Research Report Sponsored by Citrix Independently conducted by Ponemon Institute LLC Publication Date: May 2017


Part 1. Introduction

The Need for a New IT Security Architecture: United Kingdom [1] sponsored by Citrix and conducted by Ponemon Institute reveals trends in IT security risks and reasons why security practices and policies need to evolve in order to deal with threats from disruptive technologies, cyber crime and compliance. Changes in the workplace and problems managing IT security are also increasing risks to the organisation. We surveyed 399 IT and IT security practitioners in the United Kingdom on the following topics.

• Risks created by outdated and inefficient IT security technologies.
• Risks created by compliance with regulations, especially compliance with the EU’s General Data Protection Regulations (GDPR).
• The influx of unapproved applications and devices as well as organisational dysfunction created by differences among generations in the workplace.
• Risks created by cyber crime, employee negligence and organisational dysfunction and the technologies respondents believe are most effective at dealing with these risks.

Organisations are concerned they will not be able to manage emerging risks because of outdated security solutions. As shown in Figure 1, 76 percent of respondents say their organisation’s existing security solutions are outdated and inadequate. What is needed, according to 86 percent of respondents, is a new IT security framework to improve their security posture and reduce risk. A new strategy is especially important in order to manage such potential risks from the Internet of Things (77 percent of respondents).

Figure 1. Why companies are at risk
Strongly agree and Agree responses combined

• Some of our organisation’s existing security solutions are outdated and inadequate: 76%
• My organisation is not fully prepared to deal with potential security risks resulting from the “Internet of Things”: 77%
• A new IT security framework is needed to improve our security posture and reduce risk: 86%

[1] In this study, we surveyed 4,268 IT and IT security practitioners in Australia/New Zealand, Brazil, Canada, China, Germany, France, India, Japan, Korea, Mexico, the Netherlands, the United Arab Emirates, the United Kingdom and the United States. The individual country findings are presented in separate reports.


Part 2. Key findings

In this section, we provide a detailed analysis of the key findings. Following are the topics covered in this research.

• Trends in cyber crime, human factor, organisational and compliance risks
• Why a new IT security architecture is needed
• Achieving a better IT security infrastructure

Trends in cyber crime, human factor, organisational and compliance risks

Most negative cyber crime risks. We asked respondents to rate the potential negative impact of eight cyber crime risks. The findings reveal that these risks have a very significant impact on organisations, as shown in Figure 2. The top cyber crime risks are malicious or criminal insiders (85 percent of respondents), emergence of hacktivism (81 percent of respondents), cyber warfare or cyber terrorism (81 percent of respondents), breaches involving large volumes of data and breaches involving high-value information such as intellectual property and trade secrets (both 79 percent of respondents).

Figure 2. Trends in cyber crime risk
7+ responses on a scale of 1 = no negative impact to 10 = significant negative impact

• Emergence of cyber syndicates: 58%
• Stealth and sophistication of cyber attackers: 72%
• Nation state attackers: 75%
• Breaches involving high-value information: 79%
• Breaches involving large volumes of data: 79%
• Cyber warfare or cyber terrorism: 81%
• Emergence of hacktivism (i.e., activist-motivated hacking attempts): 81%
• Malicious or criminal insiders: 85%


The workplace is changing and so are the human factor risks. According to Figure 3, while 83 percent of respondents are concerned about the inability to hire and retain security staff with knowledge and credentials, employee behaviours are creating risks. These are employee complacency about security (78 percent of respondents), lack of employee awareness of security practices (77 percent of respondents) and more millennials in the workplace (71 percent of respondents).

Figure 3. Trends in the human factor risk
7+ responses on a scale of 1 = no negative impact to 10 = significant negative impact

• Globalisation of workforce: 48%
• Automation replaces employees: 58%
• Contract workers: 59%
• Inability to enforce employees' compliance with policies: 61%
• Inability to control employees' devices and apps: 67%
• More employees working outside the office: 69%
• More millennials in the workplace: 71%
• Lack of employee awareness of security practices: 77%
• Employee complacency about security: 78%
• Insufficient security staff with knowledge and credentials: 83%


Millennials pose the greatest risk to sensitive and confidential data. According to Figure 4, millennials (age 18 to 34) pose the greatest risk followed by gen X (age 35 to 50). Baby boomers (age 51 to 69) pose the least amount of risk.

Figure 4. Which age group poses the greatest risk to sensitive & confidential data in the workplace?

• 18 to 34 (millennials): 62%
• 35 to 50 (gen X): 23%
• 51 to 69 (baby boomers): 15%


Millennials and gen X are most likely to use unapproved apps and devices in the workplace. Figure 5 shows the greatest risks created by all three generations. The most interesting difference among the generations is that millennials and gen X are most likely to circumvent any security policies and use unapproved apps and devices (40 percent and 34 percent of respondents, respectively). In contrast, baby boomers are more susceptible to phishing and social engineering scams (32 percent of respondents) or they tend not to know how to protect sensitive and confidential information (26 percent of respondents).

Figure 5. What are the greatest risks posed by millennials, gen X and baby boomers?

• None of the above: Millennials 4%, Gen X 8%, Baby boomers 6%
• Other: Millennials 1%, Gen X 0%, Baby boomers 0%
• More susceptible to phishing & social engineering scams: Millennials 13%, Gen X 14%, Baby boomers 32%
• Lack of knowledge about how to protect sensitive and confidential information: Millennials 18%, Gen X 16%, Baby boomers 26%
• Negligence or carelessness in following our organisation’s security policies: Millennials 24%, Gen X 28%, Baby boomers 16%
• Use of unapproved apps and devices in the workplace: Millennials 40%, Gen X 34%, Baby boomers 20%


Employees’ use of social media is expected to pose the greatest risk. Figure 6 lists seven disruptive technologies that could pose risks to the IT security infrastructure. As shown, the most negative impact will be created by the use of cloud services and infrastructure (89 percent of respondents), and the use of digital identities [2] (78 percent of respondents). Employees’ use of social media in the workplace (77 percent of respondents) and the use of personally-owned mobile devices in the workplace (BYOD) (64 percent of respondents) are also considered a risk to organisations.

Figure 6. Trends in disruptive technology risks
7+ responses on a scale of 1 = no negative impact to 10 = significant negative impact

• Company’s use of IT virtualisation technologies: 33%
• Company’s use of file sharing and document collaboration tools: 59%
• Employees’ use of favorite cloud apps in the workplace: 61%
• Employees’ use of personally-owned mobile devices in the workplace (BYOD): 64%
• Employees’ use of social media in the workplace: 77%
• Company’s use of digital identities: 78%
• Company’s use of cloud services and infrastructure: 89%

[2] A digital identity is information on an entity used by computer systems to represent an external agent. That agent may be a person, organisation, application or device. ISO/IEC 24760-1 defines identity as a "set of attributes related to an entity". Source: Wikipedia


Organisations admit challenges in reducing the risk from unapproved apps and devices. As shown in Figure 7, only 32 percent of respondents rate their effectiveness as high (7+ responses) in reducing the risk from an influx of new, unapproved apps and devices. Respondents say their organisations are more effective in ensuring workforce continuity and ongoing business operations when disruptions and disasters occur (51 percent of respondents) and ensuring the availability and performance of traffic over any network connection and device (67 percent of respondents).

Figure 7. Effectiveness in reducing risks to information assets
7+ responses on a scale of 1 = low effectiveness to 10 = high effectiveness

• Reducing the risk from an influx of new, unapproved apps and devices: 32%
• Ensuring workforce continuity and ongoing business operations when disruptions and disasters occur: 51%
• Ensuring the availability and performance of traffic over any network connection and device: 67%

Complexity of business and IT operations is a significant security risk. According to 84 percent of respondents, the inability to secure access rights is making organisations more vulnerable to security threats, as shown in Figure 8. Other trends are complexity of business and IT operations and silos and the lack of collaboration between IT security and lines of business (76 percent and 70 percent of respondents, respectively).

Figure 8. Trends in the organisational factor risk
7+ responses on a scale of 1 = no negative impact to 10 = significant negative impact

• Lack of funding to support cyber defence: 60%
• Growth of data assets: 65%
• Inability to integrate disparate technologies: 67%
• Integration of third parties into internal networks and applications: 70%
• Silos and the lack of collaboration between IT security and lines of business: 70%
• Complexity of business and IT operations: 76%
• Inability to secure access rights: 84%


A new IT security framework is needed to address the challenges of international regulations. Less than half of the organisations represented in this research (49 percent of respondents) believe their security infrastructure facilitates compliance and regulatory enforcement with a centralised approach to controlling, monitoring and reporting of data. As a result, respondents are concerned about how their organisations will address the risks associated with the introduction of new international privacy and security regulations and cybersecurity mandates. As shown in Figure 9, the findings reveal that respondents are most concerned about complying with: mandates on critical infrastructure protection (82 percent of respondents), the EU’s General Data Protection Regulations (GDPR) (69 percent of respondents) and international privacy and data protection standards (68 percent of respondents).

Figure 9. Trends in compliance risk
7+ responses on a scale of 1 = no negative impact to 10 = significant negative impact

• State laws regulating data protection and privacy: 33%
• IT security governance: 34%
• E-Discovery requirements: 39%
• Class action and tort litigation: 46%
• National cyber defence strategies: 52%
• Self-regulatory programs (such as ISO 27.001, PCI DSS and NIST): 53%
• Federal laws regulating data protection and privacy: 63%
• International privacy and data protection standards: 68%
• General Data Protection Regulations (GDPR): 69%
• Mandates on critical infrastructure protection: 82%


Organisations worry about potential fines if they are not in compliance with GDPR. Eighty-nine percent of respondents are aware of GDPR and 70 percent of these respondents say their organisations have allocated budget and started to prepare for these new regulations. Figure 10 reveals the concerns of those respondents who are aware of the GDPR. The biggest concern is the potential fine of up to 20 million euros or 4 percent of annual worldwide revenues, whichever is greater (68 percent of respondents). Another major worry is that their businesses outside the EU will also be impacted by the regulation (55 percent of respondents). Only 20 percent of respondents have no concern.

Figure 10. Concerns about compliance with GDPR
Three choices permitted

• Direct legal compliance obligations for “data processors”: 18%
• No concern: 20%
• Customer loss: 24%
• Tighter requirements for obtaining valid consent to the processing of personal data: 27%
• New data breach reporting obligations: 27%
• Extended data protection rights for individuals, including the “right to be forgotten”: 28%
• New restrictions on profiling and targeted advertising: 33%
• Increased territorial scope, impacting more businesses including many outside the EU: 55%
• New penalties of up to 20 million euros or 4 percent of annual worldwide revenue, whichever is greater: 68%


Why a new IT security architecture is needed

Certain technologies are needed for a new IT security infrastructure. As discussed above, respondents believe their organisations’ IT security solutions are outdated and failing to mitigate the risks of cyber crime, employee behaviour and organisational problems. As shown in Figure 11, the most important technologies are machine learning (81 percent of respondents), anti-virus & anti-malware (81 percent of respondents), identity & access management (78 percent of respondents) and data management (75 percent of respondents).

Figure 11. The most important technologies for a new IT security infrastructure
1 = low importance to 10 = high importance, 7+ responses reported

• SIEM and security intelligence: 62%
• Big data analytics: 65%
• Application management: 72%
• Configuration & log management: 73%
• Data management: 75%
• Identity & access management: 78%
• Anti-virus & anti-malware: 81%
• Machine learning: 81%


Organisations are at risk because they often do not have a unified view of users across the enterprise. As shown in Figure 12, 54 percent of respondents say the new IT security architecture should provide a unified view of users across the enterprise. Almost half (48 percent of respondents) say they want to be able to have visibility into all business-critical applications or systems. Not as critical is the ability to apply controls that span across the enterprise and the ability to protect their security infrastructure while supporting business innovation (27 percent and 25 percent of respondents, respectively).

Figure 12. What are the top two goals of a new IT security framework in your organisation?
Two choices permitted

• Ability to protect our security infrastructure while supporting business innovation: 25%
• Ability to apply controls that span across the enterprise: 27%
• Ability to keep up with new or emerging attacks: 46%
• Visibility into all business-critical applications or systems: 48%
• A unified view of users across the enterprise: 54%


Outdated and inadequate security solutions put organisations at risk. As shown in Figure 13, 76 percent of respondents believe some of their organisation’s existing security solutions are outdated and inadequate. As a result, they give their organisation poor marks on reducing the inherent risk of unmanaged data (only 34 percent of respondents agree), reducing the risk of unapproved applications (only 30 percent of respondents), having the security technologies to adequately protect information assets and IT infrastructure (only 41 percent of respondents) and having the right policies and procedures in place to protect information assets and critical infrastructure (only 47 percent of respondents).

Figure 13. Perceptions about security technologies
Strongly agree and Agree responses combined

• My organisation effectively reduces the inherent risk of unapproved applications: 30%
• My organisation effectively reduces the inherent risk of unmanaged data: 34%
• My organisation has the security technologies to adequately protect information assets and IT infrastructure: 41%
• My organisation has the right policies and procedures in place to protect information assets and critical infrastructure: 47%
• Some of our organisation’s existing security solutions are outdated and inadequate: 76%


Security solutions and policies are not effective in addressing insider risk. As shown in Figure 14, only 37 percent of respondents are confident that employees’ devices are not allowing criminals access to their corporate networks and data. About half (52 percent of respondents) say their organisation has security policies in place to ensure that employees and third parties only have the appropriate access to sensitive business information. Another area of risk is the perception that employees and third parties bypass security policies and technologies because they are too complex (47 percent of respondents). This is often the case because their organisations’ security policies hinder employees’ productivity (41 percent of respondents).

Figure 14. Perceptions about the insider risk
Strongly agree and Agree responses combined

• My organisation is able to ensure employee-owned devices are not allowing criminals access to our corporate networks and data: 37%
• My organisation’s security policies hinder employees’ productivity: 41%
• In my organisation, employees and third parties bypass security policies and technologies because they are too complex: 47%
• My organisation has security policies in place to ensure employees and third parties only have the appropriate access to sensitive business information: 52%


Organisations struggle to reduce risks to information assets. As shown in Figure 15, only 41 percent of respondents say their organisation is highly effective in using access control and multi-factor authentication solutions to protect information on devices, servers or in the cloud. Only 44 percent of respondents rate their organisations’ effectiveness as high in protecting sensitive apps and data at rest, in use and in motion, and slightly more than half (51 percent of respondents) rate their effectiveness as high in reducing the risk of attacks such as DDoS, browser and ransomware.

Figure 15. Effectiveness in reducing risks to information assets
7+ responses on a scale of 1 = low effectiveness to 10 = high effectiveness

• Effectiveness of access control and multi-factor authentication solutions in protecting information on devices, servers or in the cloud: 41%
• Effectiveness in protecting sensitive apps and data at rest, in use and in motion: 44%
• Effectiveness in reducing the risk of attacks such as DDoS, browser and ransomware: 51%


Machine learning and identity & access management (IAM) are considered the most important technologies to reduce security risks. What technologies will organisations depend upon most in the next two years? According to Figure 16, 81 percent of respondents rate machine learning and 78 percent rate IAM as very important to reducing security risks. Other important technologies include virtual private network (VPN) (73 percent of respondents), Web application firewalls (WAF) (71 percent of respondents) and big data analytics (65 percent of respondents).

Figure 16. Trends in the most important technologies to reduce security risks
7+ responses on a scale of 1 = low importance to 10 = high importance

• Enterprise mobility management (EMM): 61%
• SIEM and security intelligence: 62%
• Enterprise file synchronisation & sharing (EFSS): 65%
• Big data analytics: 65%
• Web application firewalls (WAF): 71%
• Virtual private network (VPN): 73%
• Identity & access management: 78%
• Machine learning: 81%


Achieving a better IT security infrastructure

Improvements in staffing and technologies will improve security posture. As shown in Figure 17, the two most important goals are to improve the expertise and quality of staff (69 percent of respondents) and to improve the technologies they invest in (66 percent of respondents). Also important is an increase in funding (62 percent of respondents), ability to minimise employee-related risk (51 percent of respondents) and reduction in complexity (50 percent of respondents).

Figure 17. Business goals that improve security posture
More than one choice permitted

• Other: 6%
• Increase in C-level support: 32%
• Reduction in compliance burden: 37%
• Security leadership: 40%
• Improvement in threat intelligence sharing: 47%
• Reduction in complexity: 50%
• Ability to minimise employee-related risk: 51%
• Increase in funding: 62%
• Improvement in technologies: 66%
• Improvement in staffing: 69%


Security posture is affected by the inability to hire and retain staff. As discussed above, organisations can improve their security posture by improving their staffing and technologies. By not achieving these goals, as shown in Figure 18, 87 percent of respondents say the lack of expert staff will decrease the organisation’s security posture, and 74 percent of respondents say a lack of suitable technologies has a negative effect on security posture. Other factors that have a negative impact on security posture are lack of funding (65 percent of respondents), inability to minimise employee-related risk (54 percent of respondents) and too much complexity (43 percent of respondents).

Figure 18. What decreases overall security posture?
More than one choice permitted

• Other: 2%
• Lack of C-level support: 39%
• Lack of security leadership: 41%
• Increase in compliance burden: 41%
• Lack of actionable intelligence: 43%
• Too much complexity in business and IT …: 43%
• Inability to minimise employee-related risk: 54%
• Lack of funding: 65%
• Lack of suitable technologies: 74%
• Inability to hire and retain expert staff: 87%

Companies will receive a slight increase in budgets. Lack of funding is considered a barrier to having a strong security posture. On average, the organisations represented in this research will spend about $15 million (U.S. dollars) on IT security in 2017. For most (71 percent of respondents), this represents a slight increase (32 percent) or no change (39 percent) in the IT security budget, as shown in Figure 19.

Figure 19. Budgets will increase or stay the same

• Increase significantly: 19%
• Slight increase: 32%
• No change: 39%
• Slight decrease: 9%
• Significant decrease: 1%


Part 3. Methods

A sampling frame composed of 9,521 IT and IT security practitioners in the United Kingdom was selected for participation in this survey. Table 1 shows 445 respondents completed the survey. Screening removed 46 respondent surveys. The final sample was 399 respondent surveys (or a 4.2 percent response rate).

Table 1. Sample response (Freq, Pct%)

• Total sampling frame: 9,521, 100.0%
• Total returns: 445, 4.7%
• Rejected surveys: 46, 0.5%
• Final sample: 399, 4.2%

Pie Chart 1 reports the respondents’ organisational level within participating organisations. By design, more than half of the respondents (50 percent) are at or above the supervisory levels.

Pie Chart 1. Position level within the organisation

• Vice President: 3%
• Director: 18%
• Manager: 19%
• Supervisor: 10%
• Technician: 36%
• Associate/Staff: 9%
• Consultant: 2%
• Other: 3%

As shown in Pie Chart 2, 57 percent of respondents report directly to the CIO, 16 percent report to the CISO and 6 percent report to the CTO.

Pie Chart 2. The primary person reported to within the organisation

• Chief Information Officer: 57%
• Chief Information Security Officer: 16%
• Chief Technology Officer: 6%
• Chief Security Officer: 4%
• Chief Risk Officer: 4%
• Compliance Officer: 3%
• Director of Internal Audit: 3%
• General Counsel: 3%
• CEO/President: 2%
• Chief Financial Officer: 2%


Pie Chart 3 reports the primary industry focus of respondents’ organisations. This chart identifies financial services (16 percent of respondents) as the largest segment, followed by public sector (12 percent of respondents) and health and pharmaceutical (9 percent of respondents).

Pie Chart 3. Primary industry focus

• Financial services: 16%
• Public sector: 12%
• Health & pharmaceutical: 9%
• Industrial & manufacturing: 9%
• Services: 9%
• Retail: 8%
• Technology & software: 8%
• Consumer products: 6%
• Energy & utilities: 6%
• Hospitality & leisure: 6%
• Education & research: 3%
• Entertainment & media: 3%
• Communications: 2%
• Other: 3%

Seventy-one percent of the respondents are from organisations with a global headcount of more than 500 employees, as shown in Pie Chart 4.

Pie Chart 4. Worldwide headcount of the organisation

• Less than 100: 12%
• 100 to 500: 17%
• 501 to 5,000: 21%
• 5,001 to 10,000: 23%
• 10,001 to 25,000: 17%
• 25,001 to 75,000: 7%
• More than 75,000: 3%


Please write to [email protected] or call 800.877.3118 if you have any questions.

Ponemon Institute
Advancing Responsible Information Management

Ponemon Institute is dedicated to independent research and education that advance responsible information and privacy-management practices within business and government. Our mission is to conduct high quality, empirical studies on critical issues affecting the management and security of sensitive information about people and organisations.

We uphold strict data confidentiality, privacy and ethical research standards. We do not collect any personally identifiable information from individuals (or company identifiable information in our business research). Furthermore, we have strict quality standards to ensure that subjects are not asked extraneous, irrelevant or improper questions.