CompTIA Security Research Study 2007
Trends and Observations on
Organizational Security
Carol Balkcom, Product Manager, Security+
Goals of this session
• To share some trends and observations related to security policy, training and spending over time
• To discuss with session participants (anonymously) the security policies in their organizations
• Are we making any headway?
About the annual CompTIA security research
The CompTIA Security Research database comprises 5,692 responses:
• 639 in 2002 (Members = 50, Non-members = 589)
• 896 in 2003 (Members = 74, Non-members = 822)
• 489 in 2004 (Members = 101, Non-members = 388)
• 574 in 2005 (Members = 20, Non-members = 554)
• 1,070 in 2006 (Members = 32, Non-members = 1,038)
• 2,024 in 2007* (Members = 63, Non-members = 1,961)
This report is focused on 2007 data. Results are broken down by country, with US results
supported by trending data from 2005 and 2006 where relevant. International results include
Canada, UK and China and are not trended (this is the first year).
Surveys were sent to CompTIA association members and 3rd party list sources representing
professionals associated with IT Security. Surveys were fielded in January and February 2008 via
the web. TNS designed the questionnaire with assistance from CompTIA.
* 2007 represents total countries, including US, Canada, UK and China.
About the survey
Objectives
TNS and CompTIA jointly designed a Web-based questionnaire to concentrate on certain focus areas and issues surrounding IT security training and certification, including:
• Identify key trends associated with IT security
• Quantify current and future spending on IT security
• Assess the costs associated with IT security breaches
• Understand the causes of IT security breaches and the impact of those incidents
• Identify trends associated with information security training for remote/mobile employees
• Determine the impact and effectiveness of information security training and certifications
• Understand future security issues and challenges that organizations will face
• Develop comparisons across industries and company size
Respondent Profiles 2007: Role Within IT Organization
Question: What is your role within the IT organization and with regard to IT and network security?

Role             Total*     US         Canada    UK        China
                 n = 2024   n = 1107   n = 131   n = 413   n = 373
Administrator    32%        33%        31%       36%       24%
Manager          31%        30%        28%       30%       38%
Engineering      15%        13%        8%        11%       29%
Director         10%        12%        8%        12%       2%
Executive        12%        12%        25%       11%       7%

Roles among respondents are widely distributed, with Managers and Administrators making up the bulk in all countries. However, Managers and Engineers tend to be more common among Chinese respondents, while Executives are more prevalent among Canadian respondents.
* Represents respondents in this study only; does not reflect the universe of IT organizations within the 4 markets measured.
Respondent Profiles 2007: Organization – 2007 Number of Employees
Question: Number of employees at your entire organization.

Employees            Total*     US         Canada    UK        China
                     n = 1743   n = 1011   n = 107   n = 320   n = 305
1-99                 34%        30%        69%       52%       18%
100-999              32%        33%        9%        20%       46%
1,000-9,999          20%        20%        9%        14%       30%
10,000 or more       11%        14%        10%       10%       5%
Don't know/refused   3%         3%         3%        4%        1%

In the US, respondents come from organizations of all sizes, though there is a slight skew toward mid-size companies of 100-999 employees. Echoing revenue distribution, Canadian and UK respondents are heavily skewed toward small companies of less than 100 employees, while Chinese respondents tend to be employed in mid-sized to large organizations of 100 to 9,999 employees.
* Represents respondents in this study only; does not reflect the universe of IT organizations within the 4 markets measured.
Respondent Profiles: Organization – US Trend
Question: What percentage of the IT budget is currently spent on computer security at your organization?

In the US, more and more respondent organizations are investing in computer security with more dedicated funds than ever before. In fact, 95% of organizations allotted some amount of their IT budget to computer security in 2007, representing an 8% growth over 2005. Additionally, funds earmarked for computer security have been on an upswing since 2005, suggesting a greater reliance on technology and processes to keep security breaches at bay.

Percentage of IT Budget Spent on Computer Security (% of responses)
Budget share     2007    2006    2005
0                5%      3%      12%
5                21%     25%     35%
10               20%     21%     18%
15               11%     11%     9%
20-50            39%     37%     23%
51-100           4%      3%      3%
Range of Responses: 377-992

Percentage of IT Budget Spent on Computer Security by Year* (mean)
2007: 19%
2006: 18%
2005: 13%
* Means were calculated differently last year, so trended data differs from the 2006 report.
IT Security Overview: Security Enforcement, US Results
Question: What technologies are being employed at your organization to enforce security requirements? (Check all that apply)

Nearly all US companies use firewalls, proxy servers and/or antivirus software to enforce security requirements, and this has remained consistent over time. Though much less popular, multi-factor authentication and penetration testing have experienced growing usage during the past year.

Technology                      2007        2006        2005
                                n = 1091    n = 1053    n = 574
Firewalls/Proxy Servers         93%         94%         91%
Antivirus software              92%         94%         96%
Intrusion Detection Systems     50%         49%         43%
Physical access control         39%         38%         29%
Multi-factor authentication     36%         32%         19%
Penetration Testing             32%         28%         25%
Other                           3%          4%          1%
None of the above               1%          0%          n/a

Chart markers flagged technologies that increased or decreased significantly compared to 2006.
Callouts: US companies are top users of firewalls/proxy servers. In China, multi-factor authentication is used more than in the US (45%).
IT Security Overview: IT Security Policy, US Results
Question: Does your organization have a comprehensive written IT security policy in place?

             2005       2006        2007
             n = 572    n = 1005*   n = 1031*
Yes          59%        62%         66%
No           41%        38%         34%
* Responses in 2006 and 2007 exclude "don't know", which was not an option in 2005.

Question: Does that written IT Security Policy include specific information that covers remote/mobile employees?

             2006       2007
             n = 617    n = 673
Yes          81%        81%
No           14%        13%
Don't know   5%         6%

In a positive trend, a growing proportion of organizations is putting into place comprehensive written IT security policies, most of which cover remote/mobile employees.
Callouts: Canadian companies are less likely to have written policies (44%). Fewer UK companies cover remote employees in their policy (73%).
IT Security Certification: Certification Requirements, US Results
Question: Is IT security certification a requirement at your organization?

                                  2005       2006        2007
                                  n = 533    n = 1019    n = 1015
Yes; current employees            2%         5%          8%
Yes; new employees                2%         6%          6%
Yes; current/new employees        10%        15%         18%
No                                86%        74%         68%

Required security certification for employees has significantly increased since 2006 and 2005, with about one-third of all organizations now requiring security certification for employees.
Callout: Chinese organizations are much more likely to require certification (78%).
IT Security Training: Non-IT Staff Security Related Training, US Results (questions added in 2007)

Question: Is information security training available for non-IT employees at your organization? (No. of Responses = 1028)
Yes, for current non-IT employees            16%
Yes, for new non-IT employees                8%
Yes, for current and new non-IT employees    30%
No                                           46%

Question: What percentage of non-IT employees at your organization has had computer security-related training? (No. of Responses = 551)
0% - No non-IT employees at my org           3%
Less than 25%                                22%
25 - 49%                                     20%
50 - 74%                                     15%
75 - 99%                                     14%
100% - All the non-IT employees at my org    26%

Non-IT employees are often provided some security training, as over half of organizations offer it for new and/or current staff. However, only one-quarter of organizations offers it to everyone.
Callout: The US is less likely than the UK or China to offer training to non-IT staff (UK = 34%, China = 8%).
IT Security Overview: Security Issues, US Results
Question: In general, what types of security issues are currently being faced by your organization? (Check all that apply)

Spyware, the lack of user awareness, and the existence of viruses and worms are the most compelling security issues faced by US organizations. In a positive trend, a lack of security policy enforcement is affecting significantly fewer organizations compared to last year. However, denial of service has become a threat among significantly more organizations compared to 2006.

Security issue                               2007        2006
                                             n = 1100    n = 1066
Spyware                                      53%         55%
Lack of user awareness                       52%         54%
Virus / Worm                                 51%         49%
Authorized user abuse                        43%         44%
Remote access                                43%         40%
Browser-based attacks                        42%         41%
Wireless networking security                 41%         39%
Data theft                                   35%         32%
Weak authentication practices                31%         31%
Lack of enforcement of security policy       31%         36%
Lack of written security policy              30%         33%
Denial of Service                            23%         21%
Social engineering                           23%         24%
Use handheld devices for data transfer       23%         22%
Change control tracking                      22%         23%
Voice over IP                                16%         16%
Other                                        2%          3%

2005 (n = 567): three of the issues above were not asked (n/a); the 2005 values, in chart order, were 58%, 64%, 42%, 47%, 48%, 39%, 24%, 27%, 35%, 31%, 27%, 22%, 24% and 1%.
Chart markers flagged issues that increased or decreased significantly compared to 2006.
Callout: Virus/worm is the #1 issue in China and the UK.
IT Security Breach: Severity Levels of Security Breaches, US Results
Question: Please rate the average severity level of all of your security breaches in the past 12 months. (Use a 0-10 scale where 0 is not at all severe and 10 is very severe.)

Average severity level (0-10, not at all severe to very severe) of security breaches in the last 12 months. Response counts: 2005 n = 379; 2006 n = 352; 2007 n = 551. The three chart values, in chart order, were 4.8, 2.3 and 5.3.

Although the average number of security breaches hasn't budged in the past three years, breaches themselves have grown in severity, suggesting an amplified impact on organizations facing security violations.

IT Security Breach: Severity Levels of Most Severe Breach, US Results – by Industry
Question: Please rate the most severe security breach in the past 12 months. (Use a 0-10 scale where 0 is not at all severe and 10 is very severe.) Your answer must be <greater than or equal to the average severity level of all your security breaches in the past 12 months>.

Industry         Average Severity (0-10)
Total            5.79
Government       5.67
IT               6.32
Financial        6.57
Manufacturing    5.83
Education        4.72
Range of Responses: 23-290

The most severe security breaches experienced by US companies in the past year have been relatively moderate (average ratings are less than 6 on a 10-pt. severity scale), with the education sector reporting the least extreme violations.
IT Security Breach: Unintentional Internal, US Results (question added in 2007)
Question: How does your organization address employees responsible for unintentional internal security breaches? In your response include any standard policies/action dealing with first, second or third offenses, such as retraining, warnings and terminations.

Response                                                   % of mentions (No. of Mentions = 397)
Training/Retraining                                        16%
Fire them/Termination                                      13%
Warning(s) - Written/Verbal                                10%
First - Warning; Second - Termination                      8%
No policies/actions                                        5%
Review policies/actions                                    4%
First - Training; Second - Warning; Third - Termination    4%
Don't know/Not sure                                        4%
Refused/No Answer                                          9%
Other                                                      27%

Employees responsible for unintentional security breaches are dealt with in a variety of ways, most commonly by receiving additional training/retraining. Termination is the second most common response to unintentional breaches.

Sample Verbatim Comments:
"No set policy."
"Training, system scans for possible breaches, interaction with security specialists at the control point."
"Disciplinary action up to and including termination of employee."
"Termination."
"Retrain but eventually fire if no change in employee's behavior."
"Retraining, warning, disciplinary action up to termination."
"Warning, probation, termination."
"Security Awareness training, 2nd, 3rd offenses = formal reprimand leading to possible termination."
"We attempt to set up new policies to make sure employees are aware of the proper procedures to take to make sure these mistakes do not happen again."
IT Security Training: Non-IT Staff with Computer Security Related Training, US Results – by Company Size
Question: What percentage of non-IT employees at your organization has had computer security training?

Four charts, one per size band (1-99, 100-999, 1,000-9,999 and 10,000 or more employees; Range of Responses: 92-173). The size band of each chart is not labelled in the extracted data; per the commentary below, the chart with 36% "All non-IT staff" is the 1-99 band.

Share of non-IT staff trained    Chart A    Chart B    Chart C    Chart D
None                             3%         2%         1%         4%
< 25%                            20%        25%        23%        21%
25 - 49%                         19%        16%        30%        11%
50 - 74%                         20%        13%        14%        14%
75 - 99%                         12%        21%        13%        14%
All non-IT staff                 26%        23%        19%        36%

Smaller companies (1-99 employees) tend to provide security related training for all their staff, while larger companies are less prone to doing so – likely a reflection of the higher costs associated with training more employees.
IT Security Breach: Severity Levels of Most Severe Breach, US Results – by Company Size
Question: Please rate the most severe security breach in the past 12 months. (Use a 0-10 scale where 0 is not at all severe and 10 is very severe.) Your answer must be <greater than or equal to the average severity level of all your security breaches in the past 12 months>.

Company size                Average Severity (0-10)
Total                       5.79
1-99 Employees              5.22
100-999 Employees           5.84
1,000-9,999 Employees       6.41
10,000 or More Employees    5.86
Range of Responses: 51-290

Smaller companies are less likely than larger ones to have very severe security breaches, possibly a result of their fewer connections to outside entities and their narrower reach. On the other hand, companies having between one thousand and ten thousand employees appear to be the most vulnerable to severe breaches.
IT Security: Training for Mobile/Remote Workers, US Results

Allow Data Access for Remote/Mobile Employees*
         2007 (807)    2006 (791)
Yes      86%           84%
No       14%           16%

Encrypt Data Transmissions Via Remote Access**
         2007 (1014)   2006 (1015)
Yes      80%           79%
No       20%           21%

Most US organizations allow data access for remote/mobile employees, with the majority using encryption to secure data transmission via remote access. Trends have remained consistent since 2006.
* Question: Does your company allow data access for remote/mobile employees?
** Question: Do you encrypt data transmissions via remote access?
( ) = No. of Responses
Callout: Access for remote employees is much less available in Canada (50%) and the UK (52%).
IT Security: Awareness Training for Mobile/Remote Workers, US Results
Question: Has your company considered, or implemented, its own security awareness training specifically for mobile/remote employees? (No. of Responses = 808)

Yes, we have implemented security awareness training/education                                            34%
Yes, we plan to implement security awareness training/education during 2008                             16%
Yes, we have considered implementing security awareness training/education, but have no immediate plans to implement    13%
No, we have not considered implementing security awareness training/education                           37%

Half of organizations have implemented security awareness training/education for remote employees or are planning to in 2008. However, this means that half either haven't considered it or have no immediate plans to implement it.
Callout: Chinese companies are much more likely to implement security awareness training in 2008 (42%).
"Natalie Fishman takes great care to protect her personal information. Unfortunately, she's discovered the third parties she shares it with don't have the same interest in keeping it safe. Just recently, she received a letter from the city Financial Information Services Agency informing her about the loss of a laptop loaded with financial information on as many as 280,000 city retirees. Someone stole the computer in August from a consultant who took it to a restaurant."
– New York Daily News, Tuesday Oct. 2nd, 2007
In development: CompTIA Security Trustmark
The CompTIA Security Trustmark accredits those Solution Providers who promote security business practices that invoke the trust of end-users. It is a baseline standard of security practices and competencies as agreed upon by the service and support industry.
The CompTIA Security Trustmark requires Solution Providers to keep a comprehensive report of internal security processes and processes at customer sites. It also requires reports of their security level skills/certifications, security vendor product training/knowledge, and overall IT capabilities that relate to security practices.
IT Security: Reduction of Major Security Breaches Since Implementation of Security Awareness Training for Remote/Mobile Workers, US Results
Question: Do you think the number of major security breaches in your organization has been reduced since your organization's security awareness training/education for remote/mobile employees? (A major security breach is one that causes real harm, has confidential information taken, or causes business interruption.)

Yes    88%
No     12%
No. of Responses = 297

Organizations that offer security awareness training for remote/mobile employees overwhelmingly experience fewer major security breaches.
Callout: All respondents in Canada and China believe the number of breaches has been reduced.