WIXLIB

These are the global average findings and as the diagramshows there are regional differences. US and UKorganizations felt most at risk, yet in other countries withsimilar risk profiles, their senior executives don’t feel quiteas concerned. For example, German organizations have thehighest respondent numbers that do not feel at risk frominsider threats and the lowest levels that felt vulnerable.Not VulnerableGAverage breach detection timescales are still measuredin months; the published numbers may at last be droppingdown towards the 200 day mark. But, given that thebreach-detection timescales are still far too high, it isnot surprising to find that almost nine out of ten seniormanagement respondents to the survey (89%) felt theirorganizations were vulnerable to an insider attack. Some34%, one third of all respondents, said they felt theirorganizations were very or extremely vulnerable.USThe number and size of insider breaches continuesto rise year on year. But realistically, outside of the USwhere almost all data breaches have to be reported andacted upon, the numbers represent only a proportion ofthe breaches that often remain unreported or have takenplace and not yet been identified.Threat Levels (Percent)VulnerableASGlobally, concerns aboutinsider threats continue to growFigure 2: Vulnerability of organizationsto insider threatsof respondents believe they are at riskare very or extremely vulnerable92%are looking to increase or maintain existingspending on IT security and data protectionThe global average shows 89% of organizations as beingvulnerable and only 11% reporting that their organizationswere safe. These figures confirm that most organizationsare concerned about the impact of insider threats andoverall do not feel that they are in control of the situation.Only 11% report that theirorganizations are safe frominsider threats.7

locational issues when foreign intervention and legalsovereignty come into play, make the case for improvingcloud-services data protection. Also, as more data needsto transition between on-premise systems and cloud andbig data environments, organizations need to make useof more inclusive data protection facilities to control andprotect their data as it moves between corporate systems.TOP 3 LOCATIONS WHEREDATA IS AT RISK IN VOLUME: Databases (49%) File Servers (39%) Cloud (36%)The top three locations by volume where companysensitive data is stored and must be protected are:databases (49%), file servers (39%), and the rapidgrowth area for cloud service environments (36%).The position is fairly consistent across most majorgeographies and mainstream verticals includingfinancial services, healthcare, and the retail sector.Another discussion that should take place revolvesaround the perception of risk that mobile devices anduser mobility bring to the table. By comparison only 20%of sensitive company data is held on mobile devicesand, of that 20%, a large proportion is being held oncompany-owned laptops and other company-protectedmobile devices. In our opinion the discussion isn’t reallyabout the data volumes involved, and if it were, 20% is stillsignificant enough to cause anxiety. But the real concernfor the 70% of IT Decision Makers who were worried aboutmobile device protection is firmly about the lack of controlover the mobile devices that are in use. It is also about nothaving enough information to know what data has beencopied to those devices and not having the controls inplace to stop copies of company-sensitivedata being made.Along with the ubiquitous use of databases andservers, cloud and more recently big data take-uplevels now force a stronger protection case to bemade. Growing data volumes, when put alongsideworries about a lack of control over third-partyaccess; the use of third-party admins; and dataGood quality monitoring and access control technologyprovide part of the answer. Irrespective of where the datais being held, it is important to know and be able to controlwho gets access and what they can do with that access.This provides the ability to highlight and report on misusethat could otherwise put company-sensitive data at risk.Corporate servers and databases pose thehighest risk, yet spending remains stubbornlyfocused on endpoint and mobileActual riskPerception of risk504545354030% Spend Figures25201510530252015105tackupSaaPC S&WM SoHa ure 3: Data risks based on actual volumes of sensitive datastored in each location compared to the perception of risk835ghHi ergheSa rmM L euc owh erLowerData Percentages40Figure 4: Global spending on securitysolutions during the next 12 months

Figure 3 shows the difference between the perceivedpotential damage from mobile devices and where sensitivedata is located. It is close to a 70/20 position. The globalaverage shows 70% of respondents are more worried thanthey should be about a 20% exposure to risk. Indeed, at amore local level in the ASEAN and US markets the levels ofconcern are at a high of 86% and 81% respectively.In our opinion and as highlighted, the risk comparisonshould focus more on data volumes—how the highvolumes of sensitive data held on databases, servers,and in the cloud are protected and managed, rather thanthe lack of control over mobile devices and how they areused. By volume mobile data levels are low, but devices,locational use, and the mainstream lack of control beyondthe firewall are all contributing factors.“56% of respondentswill be looking toincrease their securityspend to deal withinsider threats.”Businesses are spending more onsecurity software to address the threatThe Global Insider Threat Report shows that only 7% ofresponding organizations believe that next year they willbe in a position to spend less on data protection andinformation security than was the case this year. Sadly,unless there are exceptional circumstances, we wouldmake a case to show that even this small percentage oforganizations are probably wrong. The global survey resultsshow that 56% of respondents will be looking to increasetheir security spend to deal with insider threats next yearand the remaining 37% will be spending at least as muchas they are now.Network Defenses52Endpoint & Mobile Device Protection50Data in Motion Defenses4747Data at Rest DefensesAnalysis & Correlation Tools46Figure 5: The leading categories where organizations plan toincrease security spend during the next 12 monthsWhat is not so clear is how well organizations aregoing about targeting their increasing, but often hardwon security budgets. The scattergun approach thatsees increases spread across a wide range of securityprotection solutions suggests that there is still a significantamount of firefighting going on.Ovum believes that better results would be achieved bytargeting the available funds on risk-based strategiesto deal with the protection of sensitive data, monitoringand reporting on usage, and controlling user access. Inthis respect there do appear to be some positive signsincluding the increased use of encryption-based dataprotection tools for data at rest and for protecting datain transit when traveling between corporate systems.9

Data breach protection replacescompliance as the number one prioritythat are capable of evolving to deal with the changingcompliance agenda.In Ovum enterprise surveys conducted over the last twoyears, improving security, risk, and compliance have beenthe top priorities for enterprise clients. For many thesecurity and risk elements were seen as the drivers forachieving the ultimate goal of remaining compliant withindustry and regional regulations. This has consistentlypushed the issue of compliance to the head of manyenterprise security initiatives, often without enough thoughtbeing given to wider enterprise protection requirements.Unfortunately, there are far too many organizations that areable to tick all the compliance boxes but their defenseshave not proved to be good enough to prevent insiderthreats and data theft. Sony, Target, and Vodafone wereall compliant at the time they suffered a data breach.Although it continues to be true that budget contributionsfor compliance projects remain easier to get from theboard, which can help when looking to fund securitybreach protection strategies, it is often the case thatcompliance regulations lag behind real-world dataprotection requirements. Therefore, a more holisticapproach is needed to address immediate data breachprotection requirements, while delivering security solutionsThe 2015 version of the Vormetric Global Insider ThreatReport sees the previous obsession with compliancebeing overhauled by an increased focus on data breachprotection. Preventing data breaches, contractualrequirements, and protecting intellectual property allscored better than in previous surveys and significantly“achieving compliance” now drops down the priority list.The reasons why are clear. The last 12 months have seena continuous flow of high-profile organizations reportingthat their security has been breached, including data theftby employees and others with insider status. The numbersdon’t lie; over 40% of organizations reported that they hadeither experienced a data breach or failed a security auditin the last year. Senior managers are feeling threatened asdata losses mount up. In some extreme cases the CEO hashad to go, taking levels of responsibility up to board leveland well beyond the usual sacrificial lamb at CISO level.What this does mean in practical terms for data protectionis a stronger focus on implementing best-practice solutionsthat are relevant to enterprise protection.“FOR THE FIRST TIME, PREVENTING DATA BREACHES,CONTRACTUAL REQUIREMENTS, AND PROTECTING INTELLECTUALPROPERTY ARE NOW HIGHER PRIORITIES THAN COMPLIANCE.”Security Spending Drivers (Percent)Highest Impact27Preventing A Data Breach IncidentProtection of Critical Intellectual Property22Protection of Finances & Other Assets21Fulfilling Requirements From Customers,Partners, or ProspectsFulfilling Compliance Requirements &Passing re 6: The business protection spending drivers for organization’s ranked by priority (1–5)10Second2424

The most effective data protection technologies and theones most frequently deployed by enterprise organizationswere database and file encryption products, dataaccess monitoring solutions, and data loss preventiontechnologies. As shown below, these topped a long list ofprotection solutions and were considered by enterpriserespondents to offer the most effective protectionagainst insider threats. Surprisingly tokenization, whichhas compliance-related uses, came bottom of the list. Thismay be due to restricted knowledge about the specificbenefits the technology has. For example, if organizationsneed to protect data for specific purposes such as fulfillingpayment card industry data security standard (PCI DSS)compliance, tokenization has scoping advantages overother forms of encryption that ensure the scope of auditrequirements is reduced, as well as enabling the data to beused by other systems without compromising security.Security Protection LevelsPercentage UsingDatabase/File EncryptionData Access MonitoringData Loss Prevention (DLP)Privileged User Access ManagementCloud Security GatewayApplication Layer EncryptionSiem and Other Log Analysis and Analytical ToolsMulti-factor AuthenticationAccount Controls Provided By Directory Services SoftwareData MaskingSingle Sign OnFederated Identity ManagementTokenization0%10%20%30%40%50%60%Figure 7: Protection solutions used by enterprise organizations against insider threatsTHE MOST EFFECTIVE DATAPROTECTION TECHNOLOGIES: Database and file encryption Data Access Monitoring11

THE IMPORTANCE OFAVOIDING THE FINANCIALPENALTIES RESULTING FROMA DATA BREACH VARIES: US 39% Global 33% Germany 19%REGIONAL DIFFERENCES —HOW VIEWS ON INSIDERTHREATS VARY BETWEEN DIFFERENT REGIONSThe report highlighted many regional data protection variations, someof which were influenced by particular situations. For example, in the USover 1 in 5 organizations reported that they had experienced a data breach(22%) in the last 12 months, and 33% were looking to do more to protectcompany-sensitive data as a direct result of seeing the damage caused toa competitor following a security breach. The 34% response from UScompanies was 5% above the global average.As well as the US, other nationalities differ on their priorities for protectingsensitive data, and in these particular cases local conditions have a stronginfluence. Legal costs and regulatory fines are high in the US, thereforeprotecting against data breach penalties was a higher priority for USorganizations at 39%—the US top three were reputation and brandprotection (47%), implementing best practices (44%), and compliancerequirements (43%).When compared to the global average of 33% for data breach protectionand a national low of 18% in Germany, the US was significantly out of line.In contrast, Japan retains its focus on compliance as the number one priorityfor 79% of respondents, with brand reputation at number two and partnerand customer requirements in third position.The US expresses greater levels of concern than other regionsRisk responses and associated concerns over insider threats fromrespondents in the US and associated concerns over insider threats from USorganizations were significantly higher than those reported in other leadingmarkets. The reasons are a combination of strong regulatory and legal controlsthat come into effect as soon as a data breach is detected and the realitiesof a situation, which has seen 44% of North American organizations suffer aserious security breach or fail a compliance audit during the last 12 months.The evidence is both public and compelling. For example, the falloutand legal impact of the Target breach rumbles on as the costs continue tomount. The latest high-profile incidents include Home Depot, the world’slargest home improvement retailer where investigations into its more recentpayment data systems breach are ongoing. So far it is known that theperpetrators used a third-party vendor’s access credentials to break in to theHome Depot network, and these credentials were used to acquire additionalrights that allowed them to navigate the network and deploy custom-builtmalware on the company’s self-checkout systems. Payment card data andcustomer email information appears to have been disclosed, thereforecustomers will need to keep a look out for unexpected credit and debitcard transactions and be on their guard for phishing scams.12

Sony Pictures got itself back into the data breach limelightrecently after a group calling itself the Guardians of Peaceleaked elements of its intellectual property. JP Morgan, thebiggest US bank, has admitted that a previously discloseddata breach affected 76 million households and 7 millionsmall businesses, and of course there are many othersthat have been forced to go on the record during the lasttwelve months.Perhaps as a result of these, and other highly publicdata breaches, 93% of US organizations said that theyfelt somewhat vulnerable or more to insider attacks, only7% felt safe. These figures are above the global average,but the level of difference is most apparent when the USis compared to Germany (where 18% of organizations feltthat they had taken sufficient precautions to be safe frominsider data theft) and the ASEAN region and Japan, whichreported that 16% and 14% of organizations respectivelyfelt safe.“93% OF US ORGANIZATIONS SAID THAT THEY FELTVULNERABLE TO INSIDER ATTACKS, ONLY 7% FELT SAFE.”Threat Levels SEAN1684Global1189Not VulnerableFigure 8: The vulnerability of US organizations to insider threats whencompared to other regions13

Japan sees insider threats differentlyThe global report identifies privileged users as thegroup that poses the highest levels of risk to enterpriseorganizations. However, while this position is consistentacross most countries and regions, there are notableexceptions and Japan is one of those. As shown inFigure 9 ordinary employees (56%) are considered tobe the biggest risk, contractors and services providerscame second (52%), while privileged users (37%) werepositioned as a much lower risk. The reasons behindthe differences are not particularly obvious, but couldhave a lot to do with how insider theft is dealt withand reported within US and European markets whencompared to Japan.There is no evidence to suggest that Japaneseorganizations have spent more on privileged managementtechnology than organizations in other countries andtherefore addressed the problem through the use oftechnology. It is however worth bearing in mind, whenconsidering the Japanese stance on the security risksposed by ordinary employees, that half of employeeswho leave their job will keep corporate data from their oldemployer, and more than half of all insider breaches arecaused by well-meaning employees who make mistakesand/or share their access credentials with third parties.Overall, the vulnerability position of Japanese organizationswas close to the global average. Eighty-six percentreported that their companies were vulnerable to insiderthreats, with the global average set at 89%. Another areawhere there were clear variations from the global norm wasin the most important reasons for securing sensitive data.In the majority of markets brand protection and complianceachieved a similar roughly 50% response, but in Japancompliance was the clear winner supported by 79% ofrespondents and 21 points above the second category. Bycomparison the compliance figure was almost double thatof the US (44%) and more than double the figure reportedPercentage Level by User GroupOrdinary Employees5652Contractors and Service ProvidersPrivileged UsersExecutive ManagersBusiness PartnersOther IT Staff37232220Figure 9: Japanese position for insiders who pose the largest risk to an organization14

by other countries in the ASEAN region (34%).It appears that the value of compliance, which hasbeen a cornerstone of the Japanese approach,remains strong. Whereas other markets have seenthe compliance advantage

respondents said privileged users, nine percentage points behind on 46% were contractors and service providers, and then business partners at 43%. Databases, file servers, and the cloud hold the vast bulk of sensitive data assets, but for many (38%) mobile is perceived as a h