SURVEY REPORT 2017 GLOBAL ENTERPRISE SECURITY SURVEY CYBERSECURITY CHALLENGES FACING EVERY IT PROFESSIONAL - HOW ARE ATTITUDES TOWARDS CYBERSECURITY IN BUSINESS CHANGING?

2017 Global Enterprise Security Survey - Brandenbranden.biz/wp-content/uploads/2017/11/global-enterprise... · 2017. 11. 17. · 2 SURVEY REPORT: GLOBAL ENTERPRISE SECURITY SURVEY

Dec 30, 2020


dariahiddleston

At the time of writing, the dust is just settling on yet another high-profile data breach. A US credit report company experienced an attack between May and July 2017, in which hackers got away with the data of 143 million Americans.

By the time you read this, another equally catastrophic security breach may well have befallen another major business. They’re happening all the time. And for every step forward businesses take in their hack defenses, cybercriminals take two.

To avoid more compromised customer data and boardroom casualties, organizations need to ask themselves some hard questions. Is the board truly committed to IT security? Have recent security breaches really changed security focus, spend and culture? Where has investment been and has it been in the right place?

These are the questions which Fortinet aims to answer through its 2017 global survey on the changing attitudes towards cybersecurity in business.

KEY FINDINGS

THE MAJORITY OF BUSINESSES HAVE EXPERIENCED A SECURITY BREACH IN THE PAST TWO YEARS

85% of the businesses surveyed (Figure 1) have been victims of a security breach in the past two years. Malware and ransomware are the most prevalent threats, with 47% of organizations having experienced an attack of that kind (Figure 1), and 50% of respondents still viewing them as one of their top three risks today (Figure 1).

FIGURE 1: SECURITY BREACHES

(Experienced in the last 2 years / Top threats)

Malware / Ransomware: 47% / 50%
Data breach (internal or external): 37% / 40%
Fraud (e.g. identity, email): 36% / 36%
Social engineering (e.g. phishing): 33% / 33%
Denial of Service (DDoS) attacks: 31% / 29%
Device breaches (IoT, BYOD): 29% / 29%
None of these: 14% / 6%
I don’t know: 1% / 1%


CYBERSECURITY HAS BECOME A SIGNIFICANT IT INVESTMENT TO BUSINESSES

Unsurprisingly, given the scale and impact of the cybersecurity threat, IT security has become a key investment for businesses as part of their IT strategy. According to the survey, three out of every five (61% - Figure 2) spend 10% or more of their IT budget on security. And 71% spend more than they did one year ago (Figure 3).

FIGURE 2: % OF IT BUDGET SPENT ON SECURITY

Response bands: Less than 4%; 4% - 6%; 7% - 10%; 11% - 15%; 16% - 20%; Over 20%; Don’t know. Average spend on IT security: 14%.

FIGURE 3: CHANGE IN IT BUDGET OVER LAST YEAR

Increased: 71%
Stayed the same: 28%
Decreased: 1%

The average business increased its spend on IT security this year by 7%.

FIGURE 4: INVESTMENT AREAS IN 2017

FIGURE 5: TOP 3 PRIORITIES INVESTMENT IN 2018

Areas charted (series: Invested in, Highest spend): Upgrade of security solutions; New security solutions & services; Implementation of security policies and processes; Staff training and certification and employee education; Auditing/Security assessment; Staffing/New hires in IT security. 56% expect to invest in new solutions and services in 2018.

While businesses for the most part invest in keeping solutions up to date (67% in 2017 – Figure 4), there is also more expenditure being made in new security solutions and services, perhaps reflecting the ever-changing nature of the security threat. 60% invested in new security solutions and services in 2017 and 56% expect to do so in 2018 (Figure 5).


BOARD MEMBERS ARE NOT MAKING CYBERSECURITY A SIGNIFICANT ENOUGH PRIORITY

And yet, in spite of a clear and present threat, 48% of IT decision makers believe that cybersecurity is still not a top priority discussion for the board. In fact, the security agenda appears to be essentially reactive. According to the survey, increases in cybersecurity investment come either in the wake of global cyberattacks like WannaCry (49%) or to comply with government regulations (34%). We can expect these drivers of board awareness to become more prominent – especially with the passage of the General Data Protection Regulation in the EU, which will go into effect in 2018.

According to respondents, the board appears to be more involved in post-breach management than prevention – only taking action as a result of security breaches in 93% of cases (Figure 6) with the vast majority (77% - Figure 6) wanting to know what happened, i.e. identifying the cause of the breach and reviewing IT security processes while two-thirds (67% - Figure 6) want to review or increase the budget in response.

FIGURE 6: BOARD REACTION TO BREACHES

Look at processes*: 77%
- Prioritised a review of the IT security processes in place: 47%
- Prioritised identifying the cause of the breach: 47%
Look at budget*: 67%
- Made more budget available for IT security: 42%
- Reviewed the level of investment compared to the risk to the business: 38%
Nothing, they felt it was adequately handled: 6%
They were not aware: 1%

*A net is the total number of people that chose at least one of the answers included in the net. As the question is a multiple choice, nets are different from the sum of the single answers they include (people who chose two or more answers included in the same net are not double-counted).

The stats lead to the conclusion that boards only take action when things go wrong, and that there might be a blame culture around IT security. Indeed, in 70% of breach incidents (Figure 7), the board blames IT – either a specific individual or the department as a whole – while only 60% recognize inadequate investments (Figure 7).

As a result, IT decision makers feel strongly that cybersecurity should become a top management priority with 77% of the respondents saying that the board should actually put IT security under greater scrutiny.

FIGURE 7: PERCEIVED RESPONSIBILITY FOR BREACH

IT people*: 70%
- With the IT department: 42%
- With a specific individual in the IT department: 29%
Other people*: 28%
- With an employee outside the IT department: 28%
Lack of investment*: 60%
- With the inadequate investment in security products/solutions: 32%
- With the lack of investments in security personnel: 31%
Nowhere - the breach was seen as unavoidable: 7%

*A net is the total number of people that chose at least one of the answers included in the net. As the question is a multiple choice, nets are different from the sum of the single answers they include (people who chose two or more answers included in the same net are not double-counted).


TRANSITION TO THE CLOUD IS GETTING BOARD’S ATTENTION

Fortunately, the future isn’t all doom and gloom. In fact, the digital transformation journey that so many businesses are on may eventually result in a greater focus on cybersecurity.

A key driver behind this is that the business benefits of migrating key applications and data to the cloud are so clear that 77% of IT professionals believe the transition to the cloud is a priority for the board. The end result is that 74% of respondents believe that migration to the cloud will make cloud security a growing priority in the future. This trend is actually supported by the fact that, today, only 37% of respondents (Figure 8) say cloud security emerges as the most disregarded area when it comes to time and/or resource allocation. As a result, half of businesses (50%) surveyed are already planning investment in cloud security over the next 12 months.

This is a clear call to arms for IT professionals everywhere. The cloud already has the board’s attention – this is an opportune moment to ensure that cybersecurity in general is on the agenda as well.

FIGURE 8: ORGANIZATION’S COMMITMENT

(Too little time/resources / About right / Too much time/resources)

Cloud security: 37% / 43% / 20%
IT security breach prevention: 34% / 46% / 19%
IT security breach detection: 34% / 44% / 22%
Defining processes (e.g. for escalation): 33% / 46% / 22%
Mitigation procedures for security breaches: 33% / 46% / 21%
Auditing/security assessment: 31% / 46% / 22%
IT security monitoring: 30% / 47% / 22%

ORGANIZATIONS ARE COMPLACENT ABOUT THEIR CYBERSECURITY POSTURE

Over half (53% - Figure 9) of organizations surveyed rate their current IT security as either good or excellent. Nearly three-quarters (72% - Figure 9) believe they are doing better than their peers. Barely one in twenty (6% - Figure 9) cybersecurity professionals believes they are lagging behind.

That can’t be right, can it?

With so many organizations experiencing security breaches, some of these organizations must be overestimating how protected they are. Major attacks such as WannaCry and NotPetya targeted existing weaknesses that, for most, could have easily been secured. Yet, whether due to overconfidence or complacency, they weren’t.

FIGURE 9: RATING OF THEIR ORGANIZATION’S IT SECURITY

Rating of IT security today, from 0 (poor) to 10 (excellent): Good (8-10): 53%
Compared to own sector (5 = in line with the rest): Ahead of the Curve (7-10): 72%


Worryingly, the research shows that this complacency appears in other areas as well. As organizations adopt more and more technology, for whatever reason, the security implications associated with it seem to be treated as an afterthought. For example, through wireless, cloud and IoT there are more ways than ever to hack into a network. In this light, it’s surprising to see that only 24% of IT professionals are planning to segment their network in 2018. Effective internal segmentation can limit lateral movement across a network during an attack, confining the breach to a specific area and minimizing potential data loss. In the upcoming General Data Protection Regulation (GDPR), minimizing data loss in the case of a data breach will be critical to minimize or avoid its substantial fines.

Managing access to the network is another area where organizations have fallen into complacency. Only 54% feel confident that they have adequate control and visibility over who is allowed in the network and what resources can be accessed (Figure 10). Being able to track and manage network access policy is a fundamental aspect of cybersecurity, especially in conjunction with the use of internal segmentation, but it appears that nearly half don’t have a handle on it.

FIGURE 10: ITDMS CONFIDENCE LEVEL

Confidence scale: Not at all confident; Not very confident; Fairly confident; Highly confident; Extremely confident. Statements rated:

Can effectively mitigate current security risks
Can enforce IT security processes within your organization
Can identify the data that an intruder has had access to
Can identify the source of a data breach
Can detect security breaches
Have full visibility and control of all devices (including IoT) with network access to your systems
Have full visibility and access level of all third parties
Have full visibility and access control to the network of all employees

MORE NEEDS TO BE DONE ABOUT EMPLOYEE EDUCATION

When asked about what they would have done differently over their career in security (Figure 11), 42% of IT decision makers responded (Figure 11) that they would have invested more in employee security awareness training to prevent a security breach (43% - Figure 11) and better position their organization to deal with the current IT security threat (41% - Figure 11).

FIGURE 11: HINDSIGHT

I wish I had...

Invested more in employee security awareness training: 42%
Invested more money in security technology: 41%
Invested more in internal security processes and policies: 40%
Increased the number of IT staff: 35%
Invested more in educating the board/C-suite on cyber risks: 33%
Chosen different security technologies to invest in: 32%

Because...

Prevent a security breach: 43%
Better position the organization to deal with the current IT security threat: 41%
Foster accountability about IT security: 35%
Facilitate acceptance of updated security policies: 34%
Save money in the long-term: 33%
Facilitate business transformation within the organisation: 33%
Foster transparency about IT security: 30%
None of these: 1%


This year, over half of organizations (52%) have invested in employee security awareness training. On a positive note, over two-thirds (67% - Figure 12) are now planning programs to educate employees about IT security.

FIGURE 12: PROCEDURES AND EDUCATIONAL ACTIVITIES PLANNED FOR 2018

IT security awareness training/best practices for employees: 67%
Procedures to communicate IT security policies to employees: 56%
Escalation process to initiate in the event of a breach: 41%
None of these: 2%

CYBERSECURITY IS AN ONGOING JOURNEY

According to the research, 76% of IT decision makers consider their organization to be on a security journey (Figure 13), an often seemingly endless journey due to the challenges associated with securing today’s enterprise network. Whether struggling to secure an ever faster network – 52% of IT professionals (Figure 13) say they have difficulty finding solutions that can keep up with the performance demands of the network – or trying to simplify the network to improve security efficacy – 54% of IT decision makers (Figure 13) say that they will need to significantly reduce the number of vendors in the network – it is clear that the challenges will multiply as high-profile data breaches continue to make headlines.

FIGURE 13: ONGOING AND FUTURE CHALLENGES

Agreement scale: Strongly Agree; Agree; Neutral; Disagree; Strongly Disagree; Don’t know. Statements rated:

Enterprise security is an ongoing journey for us
The increasing migration to the cloud will make cloud security a growing priority going forward
Changing regulations and data protection legislation can sometimes be a distraction from our IT security strategy
We will need to significantly reduce the number of point solutions/vendors in the company’s network if we are to eliminate security gaps
We struggle to find a security solution that can keep up with the performance demands of our underlying network
We don’t prioritise BYOD and IoT security enough as part of our overall security strategy
We don’t prioritise threat intelligence enough as part of our security strategy


Copyright © 2016 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.

GLOBAL HEADQUARTERS: Fortinet Inc., 899 Kifer Road, Sunnyvale, CA 94086, United States. Tel: +1.408.235.7700. www.fortinet.com/sales

EMEA SALES OFFICE: 905 rue Albert Einstein, 06560 Valbonne, France. Tel: +33.4.8987.0500

APAC SALES OFFICE: 300 Beach Road 20-01, The Concourse, Singapore 199555. Tel: +65.6513.3730

LATIN AMERICA HEADQUARTERS: Sawgrass Lakes Center, 13450 W. Sunrise Blvd., Suite 430, Sunrise, FL 33323. Tel: +1.954.368.9990

CONCLUSION

As organizations embark on their digital transformation journey, they need to rethink their business and operating models to maintain their competitive advantage. Digital transformation means businesses are embracing technologies such as the cloud, the Internet of Things and big data analytics, all of which increase the cybersecurity risk level and make the business environment more complex to protect.

To succeed in their digital transformation efforts, board members must make cybersecurity a strategic issue, within their broader risk management strategy, rather than a simple IT investment. And IT leaders must rethink their cybersecurity approach with a view to the following: extend visibility across the entire attack surface, control network access, segment the network to minimize potential data loss, shorten the windows for time to detection and mitigation, deliver robust performance, and automate security intelligence and management. All those aspects must be addressed to allow the organization to take full advantage of its digital transformation.

RESEARCH METHODOLOGY

The Fortinet Global Enterprise Security Survey was commissioned by Fortinet and conducted in July and August 2017 by Loudhouse, an independent research consultancy headquartered in London. 1,801 IT decision makers with responsibility for cybersecurity completed an online survey on the changing attitudes towards cybersecurity in business. Respondents were sourced from 16 countries (US, Canada, France, UK, Germany, Spain, Italy, Middle East, South Africa, Poland, Korea, Australia, Singapore, India, Hong Kong, Indonesia) across a variety of sectors and industries.

ABOUT FORTINET

Fortinet (NASDAQ: FTNT) secures the largest enterprise, service provider, and government organizations around the world. Fortinet empowers its customers with intelligent, seamless protection across the expanding attack surface and the power to take on ever-increasing performance requirements of the borderless network - today and into the future. Only the Fortinet Security Fabric architecture can deliver security without compromise to address the most critical security challenges, whether in networked, application, cloud, or mobile environments. Fortinet ranks #1 in the most security appliances shipped worldwide and more than 320,000 customers trust Fortinet to protect their businesses. Learn more at http://www.fortinet.com, the Fortinet Blog, or FortiGuard Labs.