2018 STUDY ON GLOBAL MEGATRENDS IN CYBERSECURITY

PONEMON INSTITUTE RESEARCH REPORT | EXECUTIVE SUMMARY

Benchmark research sponsored by Raytheon. Independently conducted by Ponemon Institute LLC. February 2018


2018 Study on Global Megatrends in Cybersecurity Executive Summary

Ponemon Institute, February 2018

A major deterrent to achieving a strong security posture is the inability of IT professionals to know the big changes or megatrends in security threats that they need to be prepared for. Too many companies are too overwhelmed by the daily attacks that are coming fast and furiously to think long-term and understand what investments they should be making in people, process and technologies to prevent a catastrophic data breach or cyber attack.

Ponemon Institute conducted the megatrends study, sponsored by Raytheon, to help CISOs across the globe prepare for the future threat landscape that will be characterized by an increase in cyber extortion or ransomware attacks and data breaches caused by unsecured IoT devices.

What are the solutions to the big megatrend problems?

• Take steps to minimize the risk of a data breach caused by an unsecured Internet of Things (IoT) device in the workplace. 59% of respondents say their organizations will not be able to minimize IoT risks by requiring the integration of security into the devices built or used in the workplace. As a possible consequence, 82% of respondents predict unsecured IoT devices will likely cause a data breach in their organizations. 80% say such a breach could be catastrophic.

• Increase the engagement of boards of directors. 68% of respondents say their boards of directors are not being briefed on what their organizations are doing to prevent or mitigate the consequences of a cyber attack.

• Prepare for the risk of nation-state attacks and cyber warfare. 60% of respondents predict that nation-state attacks against government and commercial organizations will worsen and could potentially lead to a cyber war. Today, only 22% of respondents say cyber warfare is a high risk. However, over the next three years, 51% of respondents say it will be a high risk. As a result, only 46% of respondents, a decrease from 59% of respondents in the 2015 study, believe their cybersecurity posture will improve and make them more effective in protecting their organizations from cyber threats.

• Convince senior leadership to make cybersecurity a strategic priority. IT security practitioners need to make the case that a strong cybersecurity posture protects organizations as they innovate and make important changes to their operations. Only 36% of respondents say their senior leadership believes cybersecurity is a strategic priority, which, in turn, affects funding for investment in technologies and personnel. Based on other Ponemon Institute research, business innovation and lower costs to respond to data breaches and cyber crime can be supported by a strong cybersecurity posture, as determined by the deployment of specific practices and technologies.

• Prepare to deal with an increase in cyber extortion and ransomware attacks. CISOs will be faced with a greater risk of cyber extortion, such as ransomware, according to 67% of respondents. 66% of respondents believe data breaches or cybersecurity exploits will seriously diminish their organization’s shareholder value.

• Prepare to spend more to achieve regulatory compliance and respond to class action lawsuits and tort litigation. Regulations that will have a high cost impact are federal laws regulating data protection and privacy, global data protection laws (including the EU’s General Data Protection Regulation [1]), state laws regulating data protection and privacy and mandates on critical infrastructure protection. Due to the continuing occurrence of data breaches, respondents predict their organization will be faced with costly class action lawsuits and tort litigation.

While the threat landscape may be worsening, companies are not hiding their heads in the sand. Specifically, organizations will increasingly rely upon the expertise of the CISO. Over the next three years, 72% of respondents believe their responsibilities will expand beyond the IT function and will evolve in importance and span of control. This is good news for IT security professionals who are looking for a satisfying and financially rewarding career.

Faced with the possibility of a catastrophic data breach, organizations will improve their cybersecurity governance practices. There will be more frequent audits and assessments of the effectiveness of their security policies and procedures to protect their most sensitive and confidential data assets. Boards of directors are expected to become more involved in overseeing the IT security function.

Finally, companies will invest in technologies that will strengthen their resilience to increasingly sophisticated and stealthy attacks. They will be adding such technologies as artificial intelligence, machine learning and big data analytics to their cybersecurity arsenal. According to the findings, over the next three years companies that do not have suitable technologies and expert staff could face a decline in their cybersecurity posture. In last year’s study, the lack of actionable intelligence was seen as a reason for a decline in cybersecurity posture.

In conclusion, the 2018 Study on Global Megatrends in Cybersecurity provides a vision of the future and reveals the urgency required to address potential cyber threats against their organizations.

Please contact research@ponemon.org or call us at 800.887.3118 if you have any questions.

Ponemon Institute

Advancing Responsible Information Management

Ponemon Institute is dedicated to independent research and education that advance responsible information and privacy management practices within business and government. Our mission is to conduct high quality, empirical studies on critical issues affecting the management and security of sensitive information about people and organizations.

We uphold strict data confidentiality, privacy and ethical research standards. We do not collect any personally identifiable information from individuals (or company identifiable information in our business research). Furthermore, we have strict quality standards to ensure that subjects are not asked extraneous, irrelevant or improper questions.

[1] The European Union’s General Data Protection Regulation (GDPR) goes into effect on May 25, 2018. This new regulation will have a material impact on the way organizations collect, use, store and protect sensitive information.