Larry Ponemon of Ponemon Institute Explores Current State of Mobile Application (In)Security
Sponsored by Lumension. Ponemon Institute © Private & Confidential Document
Page 1
2009 Security Mega Trends Survey
Independently conducted by Ponemon Institute LLC
Page 2
Ponemon Institute LLC
The Institute is dedicated to advancing responsible information management practices that positively affect privacy and data protection in business and government.
The Institute conducts independent research, educates leaders from the private and public sectors and verifies the privacy and data protection practices of organizations.
Ponemon Institute is a full member of CASRO (Council of American Survey Research Organizations). Dr. Ponemon serves as chairman of CASRO's Government & Public Affairs Committee of the Board.
The Institute has assembled more than 50 leading multinational corporations into the RIM Council, which focuses on the development and execution of ethical principles for the collection and use of personal data about people and households.
The majority of active participants are privacy or information security leaders.
Page 3
About the Study
• We asked respondents in IT operations and IT security to consider how eight Security Mega Trends affect their organizations today and during the next 12 to 24 months.
• Based on pre-survey interviews with IT experts, we selected the following eight Mega Trends: cloud computing, virtualization, mobility and mobile devices, cyber crime, outsourcing to third parties, data breaches and the risk of identity theft, peer-to-peer file sharing, and Web 2.0.
• We learned what survey respondents believe to be the biggest threats to a company’s sensitive and confidential data over the next 12 to 24 months.
Page 4
Security Mega Trends
Mega Trend 1: Cloud computing
• Cloud computing refers to solutions owned by third-parties on data center locations outside the end-user company’s IT infrastructure. The demand for cloud computing is expanding quickly, especially as the cost of remote connectivity decreases.
Mega Trend 2: Virtualization
• Allows end-users to access multiple secure networks from a single computer, wherein the PC or laptop essentially acts as a hardware authentication token. With one computer, the end-user is able to gain access to separate virtual devices or machines. Virtualization makes server and operating system deployments more flexible and improves the use of storage and systems resources.
Mega Trend 3: Mobility
• Organizations are dependent upon a mobile workforce with access to information no matter where they work or travel. Typically, employees use the following: laptops, VPNs, PDAs, cell phones and memory sticks.
Page 5
Security Mega Trends
Mega Trend 4: The external threat of organized cyber criminal syndicates
• Cyber crime usually describes criminal activity in which the computer or network is an essential part of the illegal activity. The term is also used to include traditional crimes in which computers or networks are used to enable the illicit activity.
Mega Trend 5: Outsourcing to third parties
• Organizations outsource sensitive and confidential customer and employee data to vendors and other third parties to reduce processing costs and improve operating efficiencies.
Mega Trend 6: Data breaches involving personal information are increasing
• The Federal Trade Commission reports that the number one consumer complaint is identity theft. In addition to potential fines, organizations risk the loss of customer confidence and trust.
Page 6
Security Mega Trends
Mega Trend 7: Peer-to-peer file sharing
• P2P file sharing networks allow a group of computers to connect with each other and directly access files from one another's hard drives. P2P file-sharing networks can cause inadvertent transfers and disclosures of documents that reside on an organization’s computers and laptops.
Mega Trend 8: Web 2.0
• Web 2.0 refers to a plethora of Internet tools that enhance information sharing and collaboration among users. These concepts have led to the evolution of web-based communities and hosted services, such as social networking sites, wikis and blogs.
Page 7
And, the biggest threats are:
For the IT operations practitioner the biggest threats are:
• Outsourcing sensitive data to third parties
• Cyber crime
• A mobile workforce
For the IT security practitioner the biggest threats are:
• Data breaches
• Access to cloud computing
• Outsourcing sensitive data to third parties
Page 8
IT Operations
Mega trend risk rating today and 12 to 24 months in the future
Bar Chart 1a Mega trends today and in the next 12 to 24 months by respondents in IT operations
Each bar summarizes the combined percentage response for "Very High" and "High" security risks.
Mega trend Risk as perceived today Risk as perceived in the next 12 to 24 months
Malware 22% 24%
Virtualization 25% 18%
Web 2.0 31% 35%
P2P file sharing 35% 36%
Cloud computing 39% 42%
Data breach 44% 40%
Mobility 47% 47%
Cyber crime 47% 49%
Mobile devices 48% 45%
Outsourcing 50% 50%
Page 9
IT Security
Mega trend risk rating today and 12 to 24 months in the future
Bar Chart 1b Mega trends today and in the next 12 to 24 months by respondents in IT security
Each bar summarizes the combined percentage response for "Very High" and "High" security risks.
Mega trend Risk as perceived today Risk as perceived in the next 12 to 24 months
Virtualization 29% 25%
Malware 39% 41%
Web 2.0 39% 41%
P2P file sharing 46% 44%
Mobile devices 48% 50%
Cloud computing 58% 61%
Outsourcing 59% 59%
Mobility 60% 48%
Cyber crime 65% 77%
Data breach 66% 65%
Page 10
Two Samples
• Our study utilized two separate sampling frames (panels) built from conference, association and professional certification lists.
• Web-based survey responses were captured on a secure extranet platform.
• We utilized two separate samples of U.S. participants:
– IT operations: 825 (5.7% response)
– IT security: 577 (5.0% response)
• Less than 1% rejection rate because of reliability failures.
• Respondents in both groups were asked to complete the same survey instrument.
• Margin of error is ≤ 3% on all adjective or yes/no responses for both samples
Sample description IT Operations IT Security
Total sampling frames 14,518 11,506
Bounce-back 3,957 2,109
Total returns 915 658
Rejected surveys 90 81
Final sample 825 577
Response rate 5.7% 5.0%
Page 11
Mega Trends
Comparison of IT Operations and IT Security Samples – Current Outlook
Line Graph 1a Security mega trends as perceived today for both samples
Each point reflects the percentage of responses for very high or high security risk at present.
(Line graph: one series for IT Operations and one for IT Security, plotted across the ten mega trends: cloud computing, virtualization, mobility, mobile devices, cyber crime, outsourcing, data breach, P2P file sharing, Web 2.0 and malware; vertical axis 0% to 70%.)
Page 12
Mega Trends
Comparison of IT Operations and IT Security Samples – Future Outlook
Line Graph 1b Security mega trends as perceived for the next 12 to 24 months for both samples
Each point reflects the percentage of responses for very high or high security risk in the next 12 to 24 months.
(Line graph: one series for IT Operations and one for IT Security, plotted across the ten mega trends: cloud computing, virtualization, mobility, mobile devices, cyber crime, outsourcing, data breach, P2P file sharing, Web 2.0 and malware; vertical axis 0% to 90%.)
Page 13
Mega Trend: Outsourcing Causes Data Breach
Bar Chart 2 Security risks due to outsourcing
Each bar is the percentage of respondents who selected the noted information security risk
Information security risk IT Operations IT Security
Inability to properly identify and authenticate remote users 3% 1%
Information may not be properly backed up 3% 2%
Increased threat of social engineering and cyber crimes 10% 4%
Unauthorized parties might be able to access private files without authorization 23% 32%
Sensitive or confidential information may not be properly protected 56% 60%
Page 14
Cyber Crime Experience
Bar Chart 3 Did your organization have a cyber attack?
Response IT Operations IT Security
Yes 55% 92%
No 13% 5%
Don't know 32% 3%
Page 15
Mega Trend: Cyber Crime Will Increase
Bar Chart 4 Security risks due to cyber crime
Each bar is the percentage of respondents who selected the noted information security risk
Information security risk IT Operations IT Security
Attack will cause the loss of information about employees or customers, thus requiring data breach notification 14% 29%
Attack will result in the loss of sensitive or confidential business information including trade secrets 24% 29%
Attack will cause business interruption 61% 40%
Page 16
Most Risky Mobile Devices
Bar Chart 5 Most risky mobile devices
Each bar is the percentage of respondents who selected the device as their highest risk
Device IT Operations IT Security
Cellular phones 8% 5%
USB memory sticks 11% 15%
Insecure wireless networks 14% 24%
PDAs and other handheld devices 19% 18%
Laptop computers 48% 38%
Page 17
Mega Trend: Mobile Workforce Increases Security Risk
Bar Chart 6 Security risks due to a mobile workforce
Each bar is the percentage of respondents who selected the noted information security risk
Information security risk IT Operations IT Security
Increased threat of social engineering and cyber crimes 3% 9%
Sensitive or confidential information may not be properly protected 6% 2%
Third parties might be able to access private files without authorization 10% 11%
Information may not be properly backed up 19% 16%
Inability to properly identify and authenticate remote users 59% 62%
Page 18
Confidence in the Ability to Prevent Data Loss
Bar Chart 7 How confident are you that your current security practices are able to prevent customer and employee data from being lost or stolen?
Response IT Operations IT Security
Very confident 12% 4%
Confident 23% 12%
Somewhat confident 40% 30%
Not confident 12% 32%
Uncertain 13% 22%
Page 19
Mega Trend: Data Breach on the Rise
Bar Chart 8 Security risks due to a data breach
Each bar is the percentage of respondents who selected the noted information security risk
Information security risk IT Operations IT Security
Unauthorized parties gain access to private accounts 17% 5%
Diminished reputation as a result of negative media coverage 21% 14%
Sensitive or confidential information that ends up in the hands of cyber criminals and identity thieves 24% 46%
Loss of customer or employee information, thus requiring notification of victims 35% 32%
Page 20
Mega Trend: Cloud Computing
Bar Chart 9 Security risks due to cloud computing
Each bar is the percentage of respondents who selected the noted information security risk
Information security risk IT Operations IT Security
Information may not be properly backed up 3% 0%
Inability to protect sensitive or confidential information 12% 29%
Downtime as a result of cloud computing failure 13% 1%
Third parties might be able to access private files without authorization 18% 13%
Inability to assess or verify the security of data centers in the cloud 24% 40%
Inability to restrict or limit use of cloud computing resources or applications 29% 17%
Page 21
Mega Trend: P2P File Sharing Causes Security Risk
Bar Chart 10 Security risks due to P2P file sharing applications
Each bar is the percentage of respondents who selected the noted information security risk
Information security risk IT Operations IT Security
Use of P2P will cause business interruption 2% 3%
Use of P2P will cause the loss of information about employees or customers, thus requiring data breach notification 20% 16%
Use of P2P will increase the risk of malware or virus infection 30% 20%
Use of P2P will result in the loss of sensitive or confidential business information including trade secrets 41% 55%
Page 22
Mega Trend: Web 2.0 Use Increases Security Risk
Bar Chart 11 Security risks due to Web 2.0
Each bar is the percentage of respondents who selected the noted information security risk
Information security risk IT Operations IT Security
Use of Web 2.0 will cause business interruption 12% 4%
Use of Web 2.0 will increase the risk of malware or virus infection 23% 14%
Use of Web 2.0 will cause the loss of information about employees or customers, thus requiring data breach notification 26% 13%
Use of Web 2.0 will result in the loss of sensitive or confidential business information including trade secrets 34% 64%
Page 23
Mega Trend: Virtualization
Bar Chart 12 Security risks due to virtualization
Each bar is the percentage of respondents who selected the noted information security risk
Information security risk IT Operations IT Security
Information may not be properly backed up 1% 0%
Sensitive or confidential information may not be properly protected 9% 3%
Increased threat of social engineering and cyber crimes 10% 11%
Third parties might be able to access private files without authorization 28% 33%
Inability to properly identify and authenticate users to multiple systems 49% 48%
Page 24
Recommendations
• In our study, IT operations and security practitioners ranked the mega trends they believe pose a high or very high risk to sensitive and confidential information. To address these risks, we recommend the following:
– Create and enforce policies that ensure access to private data files is restricted to authorized parties only.
– Secure corporate endpoints to protect against data leakage and malware.
– Make sure third parties who have access to your sensitive and confidential information take appropriate security precautions.
– Train employees and contractors to understand their responsibility in the protection of data assets.
– Ensure that mobile devices are encrypted and that employees understand the organization's policies with respect to downloading sensitive information and working remotely.
– Understand precautions that should be taken when traveling with laptops, PDAs and other data-bearing devices.
Page 25
Samples’ Organizational Characteristics
Page 26
Samples' Combined Industry Distribution
Pie Chart 1 Industry distribution of the combined IT operations and IT security samples
Industry Pct%
Financial services 17%
Government 11%
Pharma & Healthcare 9%
Education 8%
Defense 6%
Technology & Software 6%
Hospitality & Leisure 6%
Retail 6%
Professional Services 6%
Telecom 5%
Manufacturing 5%
Research 3%
Energy 2%
Airlines 2%
Entertainment 2%
Transportation 1%
Page 27
Sample Characteristics
The mean experience level for the IT operations sample is 8.9 years and for the IT security sample is 9.4 years.
Table 2 Organizational level of respondents IT Operations IT Security
Senior Executive 1% 0%
Vice President 2% 2%
Director 21% 24%
Manager 24% 26%
Associate/Staff/Technician 45% 39%
Consultant 4% 6%
Other 2% 3%
Total 100% 100%
Page 28
Table 3a Geographic location Pct%
Northeast 20%
Mid-Atlantic 19%
Midwest 19%
Southeast 13%
Southwest 14%
Pacific 17%
Total 100%
Table 3b Organizational headcount Pct%
Less than 500 people 2%
500 to 1,000 people 4%
1,001 to 5,000 people 12%
5,001 to 25,000 people 29%
25,001 to 75,000 people 34%
More than 75,000 people 19%
Total 100%
Sample Characteristics
60% of respondents are male and 40% female.