2017 State of Digital Risk Management Key Findings -...
Transcript of 2017 State of Digital Risk Management Key Findings -...
1 © 2016 Proofpoint, Inc.
2017 STATE OF DIGITAL & SOCIAL MEDIA RISK MANAGEMENT
ABOUT THE STUDY
§ Survey-based study conducted by JEM Consulting & Advisory Services, a Silicon Valley-based management consultancy for the digital age
§ Sponsored by Proofpoint
§ Online survey conducted Q1 2017
§ 202 responses to survey by leaders with responsibility for digital governance and / or digital risk management
§ Sample included:
  § 90% US-based organizations
  § All sizes from SMB – large enterprise organizations
  § All sectors
  § 50+ industries, including both B2B & B2C
How many employees does your organization have?
Chart values, in the order extracted: 12.3, 12%; 2.5, 3%; 7.4, 8%; 8.9, 9%; 19.2, 19%; 20.2, 20%; 7.9, 8%; 7.4, 7%; 4.9, 5%; 9.4, 9%
Chart categories, in the order extracted: 1-4; 5-9; 10-19; 20-99; 100-499; 500-9,999; 10,000+; 10,001-25,000; 25,001-50,000; 50,000+
Is your organization:
Public company: 27%
Private company: 59%
Non-profit organization: 4%
Educational institution: 5%
Governmental organization: 5%
What is your function?
Digital team: 22%
IT: 47%
Marketing: 7%
Social media: 5%
Various: 19%
TOP FINDINGS
7 Key Findings
1. Organizations face a wide, complex and increasing number and range of digital and social media risks.
2. Organizations are concerned about a wide range of social media risks, from brand reputation resulting from employee mistakes, to hacks, fraud and counterfeiting using fake social media accounts; integration with other systems such as CRM and intranet and regulatory compliance (FTC and HIPAA).
3. As the number and types of risks continue to expand, the responsibility for managing digital and social media risks extends well beyond the IT department.
4. While most organizations have established policies, procedures and programs to manage more traditional IT security and digital risk effectively, they are less mature in their management of new types of digital and social media risks.
5. Digital governance teams and Digital Centers of Excellence are becoming more common at organizations to help manage digital and social media risks.
6. Companies are slow to adopt tools and technologies to help them manage this growing number of digital and social media risks.
7. Most organizations do not have a fully optimized, managed, and resourced process and program for managing digital and social media risk.
KEY FINDING #1
Organizations face a wide, complex and increasing number and range of digital and social media risks.
What are the biggest challenges you currently face with regard to your digital risk management? (Please select all that apply)
KEY FINDING #2
Organizations are concerned about a wide range of social media risks, from brand reputation to hacks, fraud, integration with other systems to regulatory compliance.
Concerns About Employee Use of Social Media
Risk factor: Percent
Brand reputation: 64.9%
Security of your employees' social channels: 50.5%
Integrations with other systems (e.g., CRM, intranet): 47.5%
FTC regulatory compliance: 39.6%
HIPAA Compliance: 5.0%
KEY FINDING #3
As the number and types of risks continue to expand, the responsibility for managing digital and social media risks extends well beyond the IT department.
Which departments/functions are primarily responsible for managing digital risk in your organization? (Select all that apply.)
Other: HR, Privacy/Protection, Legal, Knowledge Management, Data Team, etc.
Who is responsible for data protection in your organization?
KEY FINDING #4
While most organizations have established policies, procedures and programs to manage more traditional IT security and digital risk effectively, they are less mature in their management of new types of digital and social media risks.
Does your organization have anti-virus measures in place? (Policies, Procedures, Technologies)
Yes: 88%
No: 12%
Do these cover all system areas, including live and development environments, desktops, servers, gateways, laptops and other mobile devices?
Yes: 89%
No: 11%
Has your organization performed any external or internal security reviews in the past 12 months?
Yes: 82%
No: 18%
Does an information security policy exist?
Yes: 79%
No: 21%
If yes, are periodic reviews and updates of the policy performed?
Yes: 91%
No: 9%
Does your organization have a Privacy Policy?
Yes: 78%
No: 22%
If yes, is your privacy policy compliant with the EU Data Protection Directive?
Yes: 67%
No: 12%
N/A: 21%
Is your organization registered in accordance with the relevant data protection authorities?
Yes: 67%
No: 16%
N/A: 17%
Does your organization have a Data Protection and Privacy compliance program?
Yes: 72%
No: 23%
I don't know: 5%
Do you have a compliance program covering client confidentiality and data protection?
Yes: 75%
No: 22%
I don't know: 3%
Does a comprehensive inventory exist that details all information assets, software assets, hardware assets and services?
Yes: 80%
No: 14%
I don't know: 6%
Does a formal process exist for reporting and handling security incidents, weaknesses and software issues?
Yes: 75%
No: 25%
Does your organization have clearly defined responsibilities and procedures for managing security incidents?
Yes: 81%
No: 19%
Does a formal business continuity plan exist?
Yes: 71%
No: 29%
Do you have a training program for your employees to educate them regarding security, privacy and data protection policies and risk mitigation?
Yes: 72%
No: 28%
If yes, is the training mandatory?
Yes: 82%
No: 18%
Are you concerned about employees mistakenly sharing confidential, regulated, or embarrassing information via their social media activity?
Not concerned: 20%
Somewhat concerned: 45%
Very concerned: 35%
Are you concerned about hackers and trolls targeting employees' social media accounts?
Not concerned: 18%
Somewhat concerned: 39%
Very concerned: 43%
Are you concerned about social media scams and phishing?
Not concerned: 20%
Somewhat concerned: 33%
Very concerned: 47%
Are you concerned about fraud and counterfeiting using fake social media accounts?
Not concerned: 20%
Somewhat concerned: 35%
Very concerned: 45%
Does your organization have a social media policy?
Yes: 67%
No: 33%
If yes, does your organization have social media training for employees?
Yes: 80%
No: 20%
If yes, is this training mandatory?
Yes, for all employees: 52%
Yes, for certain employees: 20%
No: 28%
KEY FINDING #5
Digital governance teams and Digital Centers of Excellence are becoming more common at organizations to help manage digital and social media risks.
Does your organization have a digital governance team and/or Digital Center of Excellence?
Yes: 70%
No: 30%
KEY FINDING #6
Companies are slow to adopt tools and technologies to help them manage this growing number of digital and social media risks.
Do you use tool(s)/vendor(s) to manage your digital risk?
Yes: 50%
No: 50%
Do you use any tools to help mitigate social media brand, security and compliance risks?
Yes: 33%
No: 67%
KEY FINDING #7
Most organizations do not have a fully optimized, managed, and resourced process and program for managing digital and social media risk.
How would you rate your organization's maturity level as it relates to digital and social media risk management?
Maturity level assessment: Percent
1. Initial Stage (developing a comprehensive program, but managed through individual efforts): 31.2%
2. Defined (process is defined and confirmed as a standard business process): 26.2%
3. Managed (managed in accordance with agreed-upon metrics): 33.2%
4. Optimized (fully managed, resourced and includes continuous process improvement): 9.4%
RECOMMENDATIONS BEST PRACTICES
Recommendations for Best Practices
§ More comprehensive and effective communication and collaboration between the growing number of departments and functions responsible for risk management
§ Formalize policies, processes and programs to address all areas of digital and social media risk
§ Develop and mandate employee training and enablement to understand and manage these risks
§ Deploy new tools and technologies to proactively identify and manage advanced attacks delivered via email, social media and mobile apps
§ Comprehensive approach to risk management, including strategy, governance and enablement through a Digital Center of Excellence
§ Formalize and integrate disparate functional approaches to and responsibilities for digital and social media risk management into a Digital Center of Excellence (DCOE)
  § Cross-functional leadership of DCOE
  § DCOE acts as a trusted strategic partner to help teams understand and embed new digital and social media technologies and programs safely and effectively
  § DCOE provides digital leadership, oversight, training and best-in-class advice, and communicates best practices
§ Result: A comprehensive approach to digital and social media strategy, enablement, governance and risk management; greater collaboration and communication; improved efficiencies and effectiveness