International Trends in Cybersecurity
April 2016
REMINDER: The complete International Trends in Cybersecurity report and 12 country snapshots can be viewed free of charge at CompTIA.org (with simple registration)
The Importance of IT Security Continues to Grow
International Summary
Time frame | NET Lower | No Change | Moderately Higher | Significantly Higher
Today | 6% | 18% | 49% | 27%
Two Years From Now | 3% | 18% | 43% | 35%
79% NET of businesses expect IT security to become a higher priority over the next two years
NET Higher: Significantly Higher + Moderately Higher
NET Lower: Significantly Lower + Moderately Lower
Source: CompTIA International Trends in Cybersecurity | Overall results, n=1,509
Satisfaction With Current Security Level
Response | International Summary | Mature Economies | Maturing Economies
Completely Satisfactory | 23% | 20% | 25%
Mostly Satisfactory | 54% | 53% | 56%
Adequate/Unsatisfactory | 23% | 28% | 20%
NET Satisfactory | 77% | 72% | 80%
NET Satisfactory: Completely + Mostly Satisfactory
Adequate/Unsatisfactory: Simply Adequate + Mostly Unsatisfactory + Completely Unsatisfactory
Source: CompTIA International Trends in Cybersecurity | Overall results, n=1,509
Note: see slide 18 for which countries are categorized in Mature Economies vs. Maturing Economies.
Top Drivers for Changing IT Security Approach
International Summary
1. Change in IT operations (e.g. cloud, mobility)
2. Reports of security breaches at other firms
3. Internal security breach or incident
4. Change in business operations or client base
5. Knowledge gained from training or certification
Mature Economies
1. Change in IT operations (e.g. cloud, mobility)
2. Reports of security breaches at other firms
3. Internal security breach or incident
4. Knowledge gained from training or certification
5. Change in business operations or client base
Maturing Economies
1. Change in IT operations (e.g. cloud, mobility)
2. Change in business operations or client base
3. Internal security breach or incident
4. Knowledge gained from training or certification
5. Reports of security breaches at other firms
Source: CompTIA International Trends in Cybersecurity | Overall results, n=1,509
Top Factors Impacting IT Security Practices
Factor | International Summary | Mature Economies | Maturing Economies
Volume of security threats | 36% | 32% | 38%
Greater availability of hacking tools | 37% | 32% | 40%
Sophistication of security threats | 39% | 37% | 41%
More reliance on Internet applications | 42% | 39% | 45%
Greater tech interconnectivity | 42% | 37% | 46%
Growing organization of hackers | 43% | 39% | 46%
Rise of social networking | 45% | 39% | 49%
Source: CompTIA International Trends in Cybersecurity | Overall results, n=1,509
Top IT Security Concerns
International Summary
Top Serious Concerns
1. Malware (e.g. viruses, worms, trojans)
2. Hacking (e.g. DoS attack)
3. Data loss/leakage
4. Physical security threats (e.g. device theft)
5. Privacy concerns
6. Social engineering/Phishing
7. Intentional abuse by insiders (e.g. staff)
8. Understanding security risks of emerging areas
9. Regulatory compliance
10. Human error among general staff
Greatest Growth in Concern (More Critical Today vs. Two Years Ago)
1. Data loss/leakage
2. Malware (e.g. viruses, worms, trojans)
3. Hacking (e.g. DoS attack)
4. Social engineering/Phishing
5. Understanding security risks of emerging areas
6. Privacy concerns
7. Physical security threats (e.g. device theft)
8. Intentional abuse by insiders (e.g. staff)
9. Regulatory compliance
10. Human error among general staff
Source: CompTIA International Trends in Cybersecurity | Overall results, n=1,509
Mobile Security Incidents
Incident | International Summary | Mature Economies | Maturing Economies
None of the above | 24% | 31% | 18%
Violation of policy on corporate data | 28% | 26% | 31%
Employees disabling security features | 28% | 20% | 33%
Mobile phishing attack | 29% | 22% | 34%
Mobile malware | 32% | 22% | 40%
Lost device | 37% | 32% | 40%
76% of organizations overall self-report experiencing at least one of these mobile security events
Source: CompTIA International Trends in Cybersecurity | Overall results, n=1,509
Top 5 Concerns Over Mobile Security Threats
International Summary
1. Open WiFi networks
2. Mobile-specific viruses or malware
3. USB flash drives
4. Theft or loss of corporate devices
5. Unauthorized apps
Mature Economies
1. Theft or loss of corporate devices
2. Open WiFi networks
3. Mobile-specific viruses or malware
4. Unauthorized apps
5. Social media
Maturing Economies
1. Open WiFi networks
2. USB flash drives
3. Mobile-specific viruses or malware
4. Theft or loss of corporate devices
5. Unauthorized apps
Source: CompTIA International Trends in Cybersecurity | Overall results, n=1,509
Experiences With Data Loss
[Chart: responses (No/Don't know; Yes, probably; Yes, definitely) for International Summary, Mature Economies and Maturing Economies]
Many are aware of their company experiencing some type of loss of confidential data through carelessness or negligence in the past 12 months
Source: CompTIA International Trends in Cybersecurity | Overall results, n=1,509 and n=850 who had a loss
Types of Data Lost
• Employee data
• Financial data
• Customer records
• Intellectual property
Top Areas Where Managers Plan to Improve DLP
• Spyware prevention
• Consumer app restriction
• Mobile file encryption
• BYOD restriction
• Device safety policy enforcement/creation
Self-Reported Occurrence of Security Breaches
Over the past 12 months
Breaches | International Summary | Mature Economies | Maturing Economies
None | 27% | 35% | 22%
1-10 breaches | 64% | 58% | 69%
> 10 breaches | 9% | 7% | 9%
73% of all firms experienced at least one breach
61% of all firms experienced at least one serious breach
Source: CompTIA International Trends in Cybersecurity | Overall results, n=1,509
Human Element a Major Part of Security Risk
International Summary
Technology error: 42%
Human error: 58%
Source: CompTIA International Trends in Cybersecurity | Overall results, n=1,200 who had a security incident in the past 12 months
Top Human Error Sources
42% General carelessness
37% Failure to get up to speed on new threats
37% Lack of expertise with websites and applications
37% End user failure to follow policies and procedures
36% Lack of expertise with networks, servers and other infrastructure
34% IT staff failure to follow policies and procedures
Human Error Becoming More of a Factor in Security Breaches and Incidents
Response | International Summary | Mature Economies | Maturing Economies
NET technology error more of a factor | 13% | 13% | 13%
No change in the allocation | 23% | 30% | 19%
NET human error more of a factor in security breaches | 64% | 57% | 68%
NET More of a factor: Significantly More + Moderately More
23% of organizations where human error is now significantly more of a factor
Human error is significantly more of a factor among firms in Maturing Economies (27%) vs. those in Mature Economies (18%) now compared to two years ago
Source: CompTIA International Trends in Cybersecurity | Overall results, n=1,200 who had a security breach in the past 12 months
Utilization of Security Assessments and Training Among Staff
Format | International Summary | Mature Economies | Maturing Economies
None of the above | 8% | 10% | 6%
Ad hoc security experiments | 25% | 18% | 30%
Formal vulnerability assessments | 28% | 22% | 33%
Online course | 31% | 26% | 34%
Posted security policies | 35% | 35% | 34%
Random security audits | 36% | 30% | 41%
Ongoing security training program | 41% | 34% | 45%
New employee orientation | 43% | 43% | 43%
92% of companies overall use at least one of these formats to assess or improve security knowledge among employees
Source: CompTIA International Trends in Cybersecurity | Overall results, n=1,509
Managers Value IT Security Certifications
Rating | International Summary | Mature Economies | Maturing Economies
NET Valuable | 80% | 68% | 89%
Very Valuable | 38% | 25% | 49%
Neutral | 17% | 25% | 10%
NET Not that Valuable | 3% | 6% | 1%
NET Valuable: Very Valuable + Valuable
NET Not that Valuable: Not that Valuable + Not at all Valuable
Source: CompTIA International Trends in Cybersecurity | Overall results, n=1,246 managers/executives
The Importance of Testing After IT Security Training
Rating | International Summary | Mature Economies | Maturing Economies
Not that Important | 4% | 7% | 1%
Somewhat Important | 34% | 42% | 27%
Very Important | 63% | 51% | 72%
NET Important: Very Important + Somewhat Important
96% NET of managers overall believe it is important (very + somewhat) to test after IT security training to confirm knowledge gains
93% NET Important to managers in Mature Economies (51% very important)
99% NET Important to managers in Maturing Economies (72% very important)
Source: CompTIA International Trends in Cybersecurity | Overall results, n=1,246 managers/executives
Security Awareness Levels Among Employees
International Summary
Advanced: 39%
Basic: 52%
Low priority: 9%
Source: CompTIA International Trends in Cybersecurity | Overall results, n=1,509
Top Potential Business Impacts of Deficiencies in Security Awareness
39% Unaware of areas where company may be exposed
39% Incurred costs for (re)training current workforce
37% Loss of business as a result of security issues with customer data
36% Failure to keep up with changes in regulatory environment
36% Unaware of new trends in security
Effectiveness of Security Training
Rating | International Summary | Mature Economies | Maturing Economies
NET Effective (Extremely + Fairly Effective) | 73% | 70% | 76%
Extremely Effective | 23% | 22% | 25%
Fairly Effective | 50% | 48% | 51%
Moderately Effective | 22% | 26% | 20%
Slightly Effective | 4% | 4% | 3%
Not at all Effective | 0% | 1% | 0%
Source: CompTIA International Trends in Cybersecurity | Overall results, n=1,392 firms using security training
Suggestions for Improving Training*
- “Continual training on new threats.”
- “Regular retraining.”
- “More comprehensive and formalised training.”
- “Keep it up to date.”
- “Regular reviews.”
- “Mandatory training.”
- “More tests of employees’ security understanding.”
- “A more strict regime and more random security audits.”
- “Have a particular person assigned for the training.”
- “More investment in new tech.”
- “More hands-on simulations of real-world breaches.”
- “There should be very strict policies enforced on proper training. Proper budgets for training.”
- “Shorter training sessions but more of them.”
- “Tests must be done every three months. Continuous training.”
*Sampling of international comments representing common themes
About This Research
CompTIA’s 2016 International Trends in Cybersecurity was conducted to collect and share information on behaviors, techniques, and opportunities associated with information technology (IT) security across several countries. The objectives of this research include:
• Evaluate and track changes in IT security practices, policies, threats, breaches, etc. over time
• Identify drivers and inhibitors among IT decision makers when evaluating security tech
• Gain insights into the security issues associated with emerging tech (e.g. cloud computing, mobile solutions)
• Track trends in IT security training and education
The data for this study was collected via a quantitative online survey conducted January 21 to February 18, 2016 among 1,509 IT and business executives directly involved in setting or executing IT security policies and processes within their organizations. See the Appendix for Respondent Profile details such as industry, company size, and job role.
The 12 countries covered in this study include: Australia (n=125); Brazil (n=126); Canada (n=125); Germany (n=125); India (n=131); Japan (n=125); Malaysia (n=125); Mexico (n=126); South Africa (n=125); Thailand (n=125); United Arab Emirates (n=126); United Kingdom (n=125).
Maturing Economies: Brazil, India, Malaysia, Mexico, South Africa, Thailand, UAE (n=884). Mature Economies: Australia, Canada, Germany, Japan, UK (n=625).
Surveys were localized and translated to allow respondents to participate in their native language. Additionally, precautions were taken to minimize misinterpretations of questions. However, research has shown that cultural differences exist and can affect responses to certain question types, such as 5-point satisfaction rating questions. Viewers of this report should keep that in mind when comparing results across countries.
The margin of sampling error at 95% confidence for aggregate results is +/- 2.5 percentage points. Sampling error is larger for subgroups of the data. As with any survey, sampling error is only one source of possible error. While non-sampling error cannot be accurately calculated, precautionary steps were taken in all phases of the survey design, collection and processing of the data to minimize its influence. Note: because data collection occurred via an online survey, in countries where Internet penetration is lower among businesses, the non-sampling error could be higher.
More information and all country snapshots are available at CompTIA.org/internationalsecurity. CompTIA is responsible for all content contained in this report. Any questions regarding the study should be directed to CompTIA Research & Market Intelligence staff at [email protected].
CompTIA is a member of the Marketing Research Association (MRA) and adheres to the MRA’s Code of Market Research Ethics and Standards.
Copyright (c) 2016 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org