CompTIA Security Research Study 2007


CompTIA Security Research Study 2007
Trends and Observations on Organizational Security
Carol Balkcom, Product Manager, Security

Goals of this session
- To share some trends and observations related to security policy, training and spending over time
- To discuss with session participants (anonymously) the security policies in their organizations
- Are we making any headway?

About the annual CompTIA security research
The CompTIA Security Research database is comprised of 5,692 responses:
- 639 in 2002 (Members 50, Non-members 589)
- 896 in 2003 (Members 74, Non-members 822)
- 489 in 2004 (Members 101, Non-members 388)
- 574 in 2005 (Members 20, Non-members 554)
- 1070 in 2006 (Members 32, Non-members 1038)
- 2024 in 2007* (Members 63, Non-members 1,961)
This report is focused on 2007 data. Results are broken down by country, with US results supported by trending data from 2005 and 2006 where relevant. International results include Canada, UK and China and are not trended (this is the first year).
Surveys were sent to CompTIA association members and 3rd party list sources representing professionals associated with IT Security. Surveys were fielded in January and February 2008 via the web. TNS designed the questionnaire with assistance from CompTIA.
* 2007 represents total countries, including US, Canada, UK and China.

About the survey: Objectives
TNS and CompTIA jointly designed a Web-based questionnaire to concentrate on certain focus areas and issues surrounding IT security training and certification, including:
- Identify key trends associated with IT security
- Quantify current and future spending on IT security
- Assess the costs associated with IT security breaches
- Understand the causes of IT security breaches and the impact of those incidents
- Identify trends associated with information security training for remote/mobile employees
- Determine the impact and effectiveness of information security training and certifications
- Understand future security issues and challenges that organizations will face
- Develop comparisons across industries and company size

Respondent Profiles 2007: Role Within IT Organization
Roles among respondents are widely distributed, with Managers and Administrators making up the bulk in all countries. However, Managers and Engineers tend to be more common among Chinese respondents, while Executives are more prevalent among Canadian respondents.
[Pie charts by country: share of respondents by role (Administrator, Manager, Director, Executive, Engineer, other); Total n=2024. The per-country percentages are not recoverable from the transcription.]
Question: What is your role within the IT organization and with regard to IT and network security?
* Represents respondents in this study only; does not reflect the universe of IT organizations within the 4 markets measured.

Respondent Profiles 2007: Organization, 2007 Number of Employees
In the US, respondents come from organizations of all sizes, though there is a slight skew toward mid-size companies of 100-999 employees. Echoing revenue distribution, Canadian and UK respondents are heavily skewed toward small companies of less than 100 employees while Chinese respondents tend to be employed in mid-sized to large organizations of 100 to 9,999 employees.
[Pie charts for Total, US, Canada, UK and China: share of respondents by organization size (1-99, 100-999, 1,000-9,999, 10,000 or more, Don't know/refused). The per-country percentages and bases are not recoverable from the transcription.]
Question: Number of employees at your entire organization.
* Represents respondents in this study only; does not reflect the universe of IT organizations within the 4 markets measured.

Respondent Profiles: Organization – US Trend
In the US, more and more respondent organizations are investing in computer security with more dedicated funds than ever before. In fact, 95% of organizations allotted some amount of their IT budget to computer security in 2007, representing an 8% growth over 2005. Additionally, funds earmarked for computer security have been on an upswing since 2005, suggesting a greater reliance on technology and processes to keep security breaches at bay.
[Charts: "Percentage of IT Budget Spent on Computer Security" and "Percentage of IT Budget Spent on Computer Security by % of Responses", for 2005, 2006 and 2007; range of responses: 377-992.]
Question: What percentage of the IT budget is currently spent on computer security at your organization?
* Means were calculated differently last year, so trended data differs from the 2006 report.

IT Security Overview: Security Enforcement, US Results
Nearly all US companies use firewalls, proxy servers and/or antivirus software to enforce security requirements, and this has remained consistent over time. Though much less popular, multi-factor authentication and penetration testing have experienced growing usage during the past year.
[Bar charts for 2005 (No. of Respondents 574), 2006 (No. of Respondents 1053) and 2007 (No. of Respondents 1091): share of organizations using Firewalls/Proxy Servers, Antivirus software, Intrusion Detection Systems, Physical access control, Multi-factor authentication, Penetration Testing, Other, None of the above; bars are flagged where usage increased or decreased significantly compared to 2006. The firewall/proxy server and antivirus bars range from 91% to 96%; the remaining values are not recoverable from the transcription.]
Callouts: US companies are top users of firewalls/proxy servers. In China multi-factor authentication is used more than in the US (45%).
Question: What technologies are being employed at your organization to enforce security requirements? (Check all that apply)

IT Security Overview: IT Security Policy, US Results
In a positive trend, a growing proportion of organizations is putting into place comprehensive written IT security policies, most of which cover remote/mobile employees.
Does your organization have a comprehensive written IT security policy in place?
- 2007 (n=1031*): Yes 81%, No 13%, Don't know 6%
- 2006 (n=1005*): Yes 81%, No 14%, Don't know 5%
- 2005 (n=572): Yes 62%, No 38%
Does that written IT Security Policy include specific information that covers remote/mobile employees?
- 2007 (n=673): Yes 66%, No 34%
- 2006 (n=617): Yes 59%, No 41%
Callouts: Canadian companies are less likely to have written policies (44%). Fewer UK companies cover remote employees in policy (73%).
Question: Does your organization have a comprehensive written IT security policy in place?
Question: Does that written IT Security Policy include specific information that covers remote/mobile employees?
* Responses in 2006 and 2007 exclude "don't know", which was not an option in 2005.

IT Security Certification: Certification Requirements, US Results
Required security certification for employees has significantly increased since 2006 and 2005, with about one-third of all organizations now requiring security certification for employees.
Is IT security certification a requirement at your organization?
- 2007 (No. of Respondents 1015): Yes, current/new employees 18%; Yes, new employees 6%; Yes, current employees 8%; No 68%
- 2006 (No. of Respondents 1019): Yes, current/new employees 15%; Yes, new employees 6%; Yes, current employees 5%; No 74%
- 2005 (No. of Respondents 533): Yes, current/new employees 10%; Yes, new employees 2%; Yes, current employees 2%; No 86%
Callout: Chinese organizations are much more likely to require certification (78%).
Question: Is IT security certification a requirement at your organization?

IT Security Training: Non-IT Staff Security Related Training, US Results
Non-IT employees are often provided some security training, as over half of organizations offer it for new and/or current staff. However, only one-quarter of organizations offer it to everyone.
Is information security training available for non-IT employees at your organization? (No. of Responses 1028)
- Yes, for current and new non-IT employees: 30%
- Yes, for current non-IT employees: 16%
- Yes, for new non-IT employees: 8%
- No: 46%
What percentage of non-IT employees at your organization has had computer security-related training? (No. of Responses 551)
- 100% - All the non-IT employees at my org: 26%
- 75 - 99%: 14%
- 50 - 74%: 15%
- 25 - 49%: 20%
- Less than 25%: 22%
- 0% - No non-IT employees at my org: 3%
Callout: US is less likely than UK or China to offer training to non-IT staff (UK 34%, China 8%).
Questions added in 2007.

IT Security Overview: Security Issues, US Results
Spyware, the lack of user awareness, and the existence of viruses and worms are the most compelling security issues faced by US organizations. In a positive trend, a lack of security policy enforcement is affecting significantly fewer organizations compared to last year. However, denial of service has become a threat among significantly more organizations compared to 2006.
[Bar charts for 2005 (No. of Respondents 567), 2006 (No. of Respondents 1066) and 2007 (No. of Respondents 1100): share of organizations facing each issue: Spyware, Lack of user awareness, Virus / Worm, Authorized user abuse, Remote access, Browser-based attacks, Wireless networking security, Lack of written security policy, Denial of Service, Social engineering, Use of handheld devices for data transfer, Change control tracking, Voice over IP, Lack of enforcement of security policy, Data theft, Weak authentication practices, Other; bars are flagged where the share increased or decreased significantly compared to 2006. The individual percentages are not recoverable from the transcription.]
Callout: Virus/worm is the #1 issue in China.
Question: In general, what types of security issues are currently being faced by your organization? (Check all that apply)

IT Security Breach: Severity Levels of Security Breaches, US Results
Although the average number of security breaches hasn't budged in the past three years, breaches themselves have grown in severity, suggesting an amplified impact on organizations facing security violations.
[Bar charts for 2005, 2006 and 2007: Average Severity Level (0-10, Not at All Severe to Very Severe) of security breaches in the last 12 months; No. of Responses: 379, 352 and 551. The exact averages are not recoverable from the transcription.]
Question: Please rate the average severity level of all of your security breaches in the past 12 months. (Use a 0-10 scale where 0 is not at all severe and 10 is very severe.)

IT Security Breach: Severity Levels of Most Severe Breach, US Results – by Industry
The most severe security breaches experienced by US companies in the past year have been relatively moderate (average ratings are less than 6 on a 10-pt. severity scale), with the education sector reporting the least
[Bar chart: Average Severity of the most severe breach, by industry; Range of Responses: 23-290.]
Question: Please rate the most severe security breach in the past 12 months. (Use a 0-10 scale where 0 is not at all severe and 10 is very severe.) Your answer must be greater than or equal to the average severity level of all your security breaches in the past 12 months.

IT Security Breach: Unintentional Internal, US Results
Employees responsible for unintentional security breaches are dealt with in a variety of ways, most commonly by receiving additional training/retraining. Termination is the second most common response to unintentional breaches.
[Chart of coded responses (No. of Mentions 397): Training/Retraining 16%; Fire them/Termination 13%; Other 27%; the remaining categories (Warning(s), Review policies/actions, No policies/actions, staged first/second/third-offense responses, Don't know/Not sure, Refused/No Answer) are each under 10%.]
Sample Verbatim Comments:
- No set policy.
- First - Warning; Second - Termination
- Retraining, warning, disciplinary action up to termination.
- Disciplinary action up to and including termination of employee.
- Retrain but eventually fire if no change in employee's behavior.
- Training, system scans for possible breaches, interaction with security specialists at the control point.
- Warning, probation, termination.
- Security Awareness training, 2nd, 3rd offenses formal reprimand leading to possible termination.
- We attempt to set up new policies to make sure employees are aware of the proper procedures to take to make sure these mistakes do not happen again.
Question: How does your organization address employees responsible for unintentional internal security breaches? In your response include any standard policies/action dealing with first, second or third offenses, such as retraining, warnings and terminations.
* Question added in 2007

IT Security Training: Non-IT Staff with Computer Security Related Training, US Results – by Company Size
Smaller companies (1-99 employees) tend to provide security related training for all their staff while larger companies are less prone to doing so – likely a reflection of higher costs associated with training more employees.
[Pie charts for 1-99, 100-999, 1,000-9,999 and 10,000 or More Employees: share of organizations whose non-IT staff trained falls into None, less than 25%, 25 - 49%, 50 - 74%, 75 - 99%, or All non-IT staff; Range of Responses: 92-173. The per-size-band percentages are not recoverable from the transcription.]
Question: What percentage of non-IT employees at your organization has had computer security training?

IT Security Breach: Severity Levels of Most Severe Breach, US Results – by Company Size
Smaller companies are less likely than larger ones to have very severe security breaches, possibly a result of their fewer connections to outside entities and their narrower reach. On the other hand, companies having between one-thousand and ten-thousand employees appear to be the most vulnerable to severe breaches.
Average Severity (0-10) of the most severe breach:
- Total: 5.79
- 1-99 Employees: 5.22
- 100-999 Employees: 5.84
- 1,000-9,999 Employees: 6.41
- 10,000 or More Employees: 5.86
Range of Responses: 51-290
Question: Please rate the most severe security breach in the past 12 months. (Use a 0-10 scale where 0 is not at all severe and 10 is very severe.) Your answer must be greater than or equal to the average severity level of all your security breaches in the past 12 months.

IT Security: Training for Mobile/Remote Workers, US Results
Most US organizations allow data access for remote/mobile employees, with the majority using encryption to secure data transmission via remote access. Trends have remained consistent since 2006.
[Two bar charts, Yes/No, for 2007 (No. of Responses 807) and 2006 (No. of Responses 791): "Allow Data Access for Remote/Mobile Employees*" and "Encrypt Data Transmissions Via Remote Access**". Only one series survives the transcription: Yes 86% / No 14% in 2007 and Yes 84% / No 16% in 2006; which of the two charts it belongs to is not recoverable.]
Callout: Access for remote employees is much less available in Canada (50%) and UK (52%).
( ) No. of Responses
* Question: Does your company allow data access for remote/mobile employees?
** Question: Do you encrypt data transmissions via remote access?

IT Security: Awareness Training for Mobile/Remote Workers, US Results
Half of organizations have implemented security awareness training/education for remote employees or are planning to in 2008. However, this means that half either haven't considered it or have no immediate plans to implement it.
Has your company considered, or implemented, its own security awareness training specifically for mobile/remote employees? (No. of Responses 808)
- Yes, we have implemented security awareness training/education: 37%
- Yes, we plan to implement security awareness training/education during 2008: 13%
- Yes, we have considered implementing security awareness training/education, but have no immediate plans to implement: 16%
- No, we have not considered implementing security awareness training/education: 34%
Callout: Chinese companies are much more likely to implement security awareness training in 2008 (42%).
Question: Has your company considered, or implemented, its own security awareness training specifically for mobile/remote employees?

New York Daily News – Tuesday Oct. 2nd, 2007
Natalie Fishman takes great care to protect her personal information. Unfortunately, she's discovered the third parties she shares it with don't have the same interest in keeping it safe.
Just recently, she received a letter from the city Financial Information Services Agency informing her about the loss of a laptop loaded with financial information on as many as 280,000 city retirees. Someone stole the computer in August from a consultant who took it to a restaurant.

In development: CompTIA Security Trustmark
The CompTIA Security Trustmark accredits those Solution Providers who promote security business practices that invoke the trust of end users. It is a baseline standard of security practices and competencies as agreed upon by the service and support industry.
The CompTIA Security Trustmark requires Solution Providers to keep a comprehensive report of internal security processes and processes at customer sites. It also requires reports of their security level skills/certifications, security vendor product training/knowledge, and overall IT capabilities that relate to security practices.

IT Security: Reduction of Major Security Breaches Since Implementation of Security Awareness Training for Remote/Mobile Workers, US Results
Organizations that offer security awareness training for remote/mobile employees overwhelmingly experience fewer major security breaches.
Do you think the number of major security breaches has been reduced since the training? (No. of Responses 297)
- Yes: 88%
- No: 12%
Callout: All respondents in Canada and China believe the number of breaches has been reduced.
Question: Do you think the number of major security breaches in your organization have been reduced since your organization's security awareness training/education for remote/mobile employees? (A major security breach is one that causes real harm, has confidential information taken, or causes business interruption.)

Group Discussion: How does YOUR organization fit the statistics?
- Written policy
- General employee training
- Mobile devices
