Exposing the Cybersecurity Cracks: Netherlands · 2014-05-26 · Eliminate the uncertainty of cyber...

Exposing the Cybersecurity Cracks: Netherlands Part I: Deficient, Disconnected & in the Dark Ponemon Institute© Research Report Sponsored by Websense, Inc. Independently conducted by Ponemon Institute LLC Publication Date: June 2014

Executive Summary

Ponemon Institute, June 2014

Ponemon Institute is pleased to present the findings of its two-part study, Exposing the Cybersecurity Cracks: Netherlands sponsored by Websense, Inc. This first report uncovers the deficient, disconnected and in-the-dark conditions that challenge IT security professionals. Areas of focus include a deficit in security solution effectiveness, a disconnect regarding the perceived value of confidential data and limited visibility into cybercriminal activity.

The study surveyed 287 IT and IT security practitioners in the Netherlands with an average of nine years’ experience in the field. In addition to the Netherlands, this research was also conducted in 14 other countries – United States, Canada, Australia, China, Hong Kong, Singapore, India, United Kingdom, Germany, France, Sweden, Italy, Mexico and Brazil. This report features the findings for organizations in the Netherlands.[1]

DEFICIENT

Findings reveal that security professionals have systems that fall short in terms of protection from cyber attacks and data leakage. They need access to heightened threat intelligence and defenses. Because the security threat landscape is more challenging and dynamic than ever, having the intelligence to anticipate, identify and reduce the threats is critical.

• Sixty-five percent of respondents do not think their organization is protected from advanced cyber attacks and 66 percent doubt they can stop the exfiltration of confidential information.
• Most respondents (64 percent) believe cybersecurity threats sometimes fall through the cracks of their companies’ existing security systems.
• Forty-six percent of companies represented in this research experienced one or more substantial cyber attacks in the past year. (We define a substantial attack as one that infiltrated networks or enterprise systems.)
• Thirty-nine percent of companies do not have adequate intelligence or are unsure about attempted attacks and their impact.
• Further, 47 percent say their security solutions do not inform them or they are unsure if their solution can inform them about the root causes of an attack.

DISCONNECTED

There is a disconnect regarding the perceived value of confidential data.

• Eighty-one percent of respondents say their company’s leaders do not equate losing confidential data with a potential loss of revenue, despite Ponemon Institute research indicating the average cost of an organizational data breach is $5.4 million.[2]
• Thirty-seven percent say their board-level executives have a sub-par understanding of security issues. This figure has not been measured in previous surveys, but it is presumed that cybersecurity awareness has most likely increased over the last few years.

[1] The complete report, Exposing the Cybersecurity Cracks: A Global Perspective, Part I: Deficient, Disconnected & in the Dark contains the consolidated global findings.
[2] 2013 Cost of Data Breach Study: Global Analysis, conducted by Ponemon Institute and sponsored by Symantec.

IN THE DARK

Many security professionals find it hard to keep track of the threat landscape and are not sure if they had been a victim of an attack.

• Forty-seven percent believe they have a good understanding about the threat landscape facing their company.
• Fifty-five percent of respondents could say with certainty that their organization lost sensitive or confidential information as a result of a cyber attack.
• Thirty-two percent of those who had lost sensitive or confidential information did not know exactly what data had been stolen.

Key Findings: Deficient, Disconnected & in the Dark

The following is an analysis of key findings and differences based on the responses from the participating organizations located in the Netherlands.

DEFICIENT

There is a deficiency in an organization’s ability to protect against cyber attacks and have the right technology to stop data loss and theft.

Results show a worrisome cybersecurity trend. When asked about the state of cybersecurity today, 65 percent of respondents do not think that their organization is protected from advanced cyber attacks. Sixty-six percent do not have security that can stop cybercriminals from stealing corporate information. Only 21 percent agree that it is possible to create a security program that can withstand all targeted attacks. It is not surprising, therefore, that most respondents (64 percent) believe that cybersecurity threats sometimes fall through the cracks of their companies’ existing security systems.

Many security professionals struggle to keep pace. With high-profile attacks hitting the headlines week in and week out, cybersecurity professionals struggle to keep pace with the threat landscape. Forty-six percent of companies represented in this study experienced one or more substantial cyber attacks during the previous 12 months. (A substantial attack is defined as one that infiltrated networks of enterprise systems.)

Attack intelligence needs improvement. Thirty-five percent of respondents say their company’s security solutions do not provide adequate intelligence to inform them about an attempted cyber attack and the potential consequences. However, 61 percent say their solutions do provide actionable information. Forty-seven percent of respondents say their current security solutions do not provide information about the sources and/or root causes of cyber attacks or respondents are unsure.

DISCONNECTED

There is a disconnect in perception about the perceived value of confidential data.

According to respondents, there is a gap between data breach perception and reality – specifically regarding the potential revenue loss to their business. Eighty-one percent of respondents say their executives do not believe that the loss of their organization’s confidential data could result in a potential loss of revenue.

Thirty-seven percent of respondents say their board members and executives have a sub-par understanding of security issues. However, cybersecurity awareness is growing among this group and should continue into the future.

IN THE DARK

Many security professionals are in the dark. Research reveals that respondents find it difficult to keep track of the threat landscape and even know if their organization has been attacked. Further, fewer than half (47 percent) have a good understanding of the threat landscape facing their company today.

The biggest targets of cyber attacks are customer data and intellectual property. Many security professionals have sleepless nights due to the sophistication of today’s threats. Respondents were asked if their organization had indeed lost data as the result of a cyber attack and, if yes, what types of data were lost or stolen. While 55 percent of respondents say with certainty that their companies lost sensitive or confidential information as a result of a cyber attack, 9 percent are uncertain. Data most often targeted is customer data followed by intellectual property. However, 32 percent of those who had lost sensitive or confidential information did not know what exactly had been stolen.

Conclusion

This research report exposes the cracks in cybersecurity defenses for organizations. How can companies better manage the cyber attacks targeting their sensitive and confidential information? The following are some recommendations:

• Eliminate the uncertainty of cyber risks by investing in technologies that provide visibility and details about attempted attacks and how successful attacks would affect your company.
• Look for access to better threat intelligence and real-time defenses.
• Deploy an all-encompassing defense strategy that incorporates web, email and mobile channels. Avoid hyper-focusing on one channel and examine all the channels your users and network use to interact with information.
• Assess security solution capabilities and deployments against a comprehensive kill-chain model to eliminate gaps and minimize excessive overlap.
• Find effective employee security education methods to promote cooperation and communicate the seriousness of cyber attacks and reduce high risk behavior.

Ponemon Institute

Advancing Responsible Information Management

Ponemon Institute is dedicated to independent research and education that advances responsible information and privacy management practices within business and government. Our mission is to conduct high quality, empirical studies on critical issues affecting the management and security of sensitive information about people and organizations.

As a member of the Council of American Survey Research Organizations (CASRO), we uphold strict data confidentiality, privacy and ethical research standards. We do not collect any personally identifiable information from individuals (or organization identifiable information in our business research). Furthermore, we have strict quality standards to ensure that subjects are not asked extraneous, irrelevant or improper questions.