CompTIA Security Research Study Trends and Observations on Organizational Security. Carol Balkcom, Product Manager, Security+


1 CompTIA Security Research Study 2007 Trends and Observations on Organizational Security Carol Balkcom, Product Manager, Security+

2 Goals of this session
To share some trends and observations related to security policy, training and spending over time
To discuss with session participants (anonymously) the security policies in their organizations
Are we making any headway?

3 About the annual CompTIA security research
The CompTIA Security Research database is comprised of 5,692 responses:
639 in 2002 (Members = 50, Non-members = 589)
896 in 2003 (Members = 74, Non-members = 822)
489 in 2004 (Members = 101, Non-members = 388)
574 in 2005 (Members = 20, Non-members = 554)
1,070 in 2006 (Members = 32, Non-members = 1,038)
2,024 in 2007* (Members = 63, Non-members = 1,961)
This report is focused on 2007 data. Results are broken down by country, with US results supported by trending data from 2005 and 2006 where relevant. International results include Canada, the UK and China and are not trended (this is the first year). Surveys were sent to CompTIA association members and third-party list sources representing professionals associated with IT security. Surveys were fielded in January and February 2008 via the web. TNS designed the questionnaire with assistance from CompTIA.
* 2007 represents total countries, including the US, Canada, the UK and China.

4 Objectives: About the survey
TNS and CompTIA jointly designed a web-based questionnaire to concentrate on certain focus areas and issues surrounding IT security training and certification, including:
Identify key trends associated with IT security
Quantify current and future spending on IT security
Assess the costs associated with IT security breaches
Understand the causes of IT security breaches and the impact of those incidents
Identify trends associated with information security training for remote/mobile employees
Determine the impact and effectiveness of information security training and certifications
Understand future security issues and challenges that organizations will face
Develop comparisons across industries and company size

5 Respondent Profiles 2007: Role Within IT Organization
Roles among respondents are widely distributed, with Managers and Administrators making up the bulk in all countries. However, Managers and Engineers tend to be more common among Chinese respondents, while Executives are more prevalent among Canadian respondents.
[Chart: role distribution (Manager, Administrator, Engineering, Executive, Director) for Total*, US, Canada, UK and China; total n = 2,024. Individual percentages are not recoverable from the transcription.]
Question: What is your role within the IT organization and with regard to IT and network security?
* Represents respondents in this study only; does not reflect the universe of IT organizations within the 4 markets measured.

6 Respondent Profiles 2007: Organization, 2007 Number of Employees
In the US, respondents come from organizations of all sizes, though there is a slight skew toward mid-size companies of employees. Echoing revenue distribution, Canadian and UK respondents are heavily skewed toward small companies of less than 100 employees, while Chinese respondents tend to be employed in mid-sized to large organizations of 100 to 9,999 employees.
[Chart: number of employees (1-99, 100-999, 1,000-9,999, 10,000 or more, Don't know/refused) for Total*, US, Canada, UK and China. Individual percentages are not recoverable from the transcription.]
Question: Number of employees at your entire organization.
* Represents respondents in this study only; does not reflect the universe of IT organizations within the 4 markets measured.

7 Respondent Profiles: Organization, US Trend
In the US, more and more respondent organizations are investing in computer security with more dedicated funds than ever before. In fact, 95% of organizations allotted some amount of their IT budget to computer security in 2007, representing an 8% growth over the prior year. Additionally, funds earmarked for computer security have been on an upswing since 2005, suggesting a greater reliance on technology and processes to keep security breaches at bay.
[Charts: Percentage of IT Budget Spent on Computer Security; Percentage of IT Budget Spent on Computer Security by Year* (% of responses per budget range, 2005-2007). Individual percentages are not recoverable from the transcription.]
Question: What percentage of the IT budget is currently spent on computer security at your organization?
* Means were calculated differently last year, so trended data differs from the 2006 report.

8 IT Security Overview: Security Enforcement, US Results
Nearly all US companies use firewalls, proxy servers and/or antivirus software to enforce security requirements, and this has remained consistent over time. Though much less popular, multi-factor authentication and penetration testing have experienced growing usage during the past year.
[Chart: technologies employed to enforce security requirements, 2005-2007: Firewalls/Proxy Servers, Antivirus software, Intrusion Detection Systems, Physical access control, Multi-factor authentication, Penetration Testing, Other, None of the above. Per-year percentages are not recoverable from the transcription; legend marks items that increased or decreased significantly compared to the prior year. No. of respondents: 1,091 (2007), 574 (2005).]
Callouts: US companies are top users of firewalls/proxy servers. In China multi-factor authentication is used more than in the US (45%).
Question: What technologies are being employed at your organization to enforce security requirements? (Check all that apply)

9 IT Security Overview: IT Security Policy, US Results
In a positive trend, a growing proportion of organizations is putting into place comprehensive written IT security policies, most of which cover remote/mobile employees.
[Charts: "Does your organization have a comprehensive written IT security policy in place?" (2005-2007, n = 1,031* in 2007, n = 1,005* in 2006) and "Does that written IT Security Policy include specific information that covers remote/mobile employees?" (2005-2007). Per-year percentages are not recoverable from the transcription.]
Callouts: Canadian companies are less likely to have written policies (44%). Fewer UK companies cover remote employees in policy (73%).
Question: Does your organization have a comprehensive written IT security policy in place?
Question: Does that written IT Security Policy include specific information that covers remote/mobile employees?
* Responses in 2006 and 2007 exclude "don't know", which was not an option in 2005.

10 IT Security Certification: Certification Requirements, US Results
Required security certification for employees has significantly increased since 2006 and 2005, with about one-third of all organizations now requiring security certification for employees.
2007 (No. of respondents = 1,015): Yes, current/new employees 18%; Yes, new employees 6%; Yes, current employees 8%; No 68%
2006: Yes, current/new employees 15%; Yes, new employees 6%; Yes, current employees 5%; No 74%
2005 (No. of respondents = 533): Yes, current/new employees 10%; Yes, new employees 2%; Yes, current employees 2%; No 86%
Callout: Chinese organizations are much more likely to require certification (78%).
Question: Is IT security certification a requirement at your organization?

11 IT Security Training: Non-IT Staff Security Related Training, US Results
Non-IT employees are often provided some security training, as over half of organizations offer it for new and/or current staff. However, only one-quarter of organizations offer it to everyone.
Is information security training available for non-IT employees at your organization?
Yes, for current and new non-IT employees 30%; Yes, for new non-IT employees 8%; Yes, for current non-IT employees 16%
Callout: The US is less likely than the UK or China to offer training to non-IT staff (UK = 34%, China = 8%).
What percentage of non-IT employees at your organization has had computer security-related training? (No. of responses = 551)
100% - All the non-IT employees at my org 26%; 75-99% 14%; 50-74% 15%; 25-49% 20%; Less than 25% 22%; 0% - No non-IT employees at my org 3%
Questions added in 2007.

12 IT Security Overview: Security Issues, US Results
Spyware, the lack of user awareness, and the existence of viruses and worms are the most compelling security issues faced by US organizations. In a positive trend, a lack of security policy enforcement is affecting significantly fewer organizations compared to last year. However, denial of service has become a threat among significantly more organizations compared to last year.
[Chart: security issues currently faced, 2005-2007 (No. of respondents: 1,100 in 2007, 567 in 2005): Spyware; Lack of user awareness; Virus/Worm; Authorized user abuse; Remote access; Browser-based attacks; Wireless networking security; Data theft; Weak authentication practices; Lack of enforcement of security policy; Lack of written security policy; Denial of Service; Social engineering; Use of handheld devices for data transfer; Change control tracking; Voice over IP; Other. Per-item percentages are not recoverable from the transcription; legend marks items that increased or decreased significantly compared to the prior year.]
Callout: Virus/worm is the #1 issue in China and the UK.
Question: In general, what types of security issues are currently being faced by your organization? (Check all that apply)

13 IT Security Breach: Severity Levels of Security Breaches, US Results
Although the average number of security breaches hasn't budged in the past three years, breaches themselves have grown in severity, suggesting an amplified impact on organizations facing security violations.
[Chart: severity level of security breaches in the last 12 months, Average Severity Level (0-10), Not at All Severe to Very Severe, for three years; No. of responses: 379, 352, 551. Average values are not recoverable from the transcription.]
Question: Please rate the average severity level of all of your security breaches in the past 12 months. (Use a 0-10 scale where 0 is not at all severe and 10 is very severe.)

14 IT Security Breach: Severity Levels of Most Severe Breach, US Results by Industry
The most severe security breaches experienced by US companies in the past year have been relatively moderate (average ratings are less than 6 on a 10-pt. severity scale), with the education sector reporting the least extreme violations.
[Chart: average severity of most severe breach by industry: Total 5.79; Government, IT, Financial, Manufacturing, Education (industry values not recoverable from the transcription).]
Question: Please rate the most severe security breach in the past 12 months. (Use a 0-10 scale where 0 is not at all severe and 10 is very severe.) Your answer must be greater than or equal to the average severity level of all your security breaches in the past 12 months.

15 IT Security Breach: Unintentional Internal, US Results
Employees responsible for unintentional security breaches are dealt with in a variety of ways, most commonly by receiving additional training/retraining. Termination is the second most common response to unintentional breaches.
[Chart: coded responses (No. of mentions = 397): Training/Retraining 16%; Fire them/Termination 13%; Warning(s) - Written/Verbal 10%; Other 27%; also First - Warning, Second - Termination; Review policies/actions; First - Training, Second - Warning, Third - Termination; No set policy; Don't know/not sure; Refused/No answer. Remaining percentages are not recoverable from the transcription.]
Sample verbatim comments:
"Training, system scans for possible breaches, interaction with security specialists at the control point."
"Disciplinary action up to and including termination of employee."
"Termination."
"Retrain but eventually fire if no change in employee's behavior."
"Retraining, warning, disciplinary action up to termination."
"Warning, probation, termination."
"Security awareness training; 2nd, 3rd offenses = formal reprimand leading to possible termination."
"We attempt to set up new policies to make sure employees are aware of the proper procedures to take to make sure these mistakes do not happen again."
Question: How does your organization address employees responsible for unintentional internal security breaches? In your response include any standard policies/action dealing with first, second or third offenses, such as retraining, warnings and terminations.
* Question added in 2007.

16 IT Security Training: Non-IT Staff with Computer Security Related Training, US Results by Company Size
Smaller companies (1-99 employees) tend to provide security related training for all their staff, while larger companies are less prone to doing so, likely a reflection of the higher costs associated with training more employees.
[Chart: percentage of non-IT employees trained (None, < 25%, 25-49%, 50-74%, 75-99%, All non-IT staff) by company size (1-99, 100-999, 1,000-9,999, 10,000 or more employees). Per-cell percentages are not recoverable from the transcription.]
Question: What percentage of non-IT employees at your organization has had computer security training?

17 IT Security Breach: Severity Levels of Most Severe Breach, US Results by Company Size
Smaller companies are less likely than larger ones to have very severe security breaches, possibly a result of their fewer connections to outside entities and their narrower reach. On the other hand, companies having between one thousand and ten thousand employees appear to be the most vulnerable to severe breaches.
[Chart: average severity of most severe breach for Total, 1-99, 100-999, 1,000-9,999 and 10,000 or more employees. Values are not recoverable from the transcription.]
Question: Please rate the most severe security breach in the past 12 months. (Use a 0-10 scale where 0 is not at all severe and 10 is very severe.) Your answer must be greater than or equal to the average severity level of all your security breaches in the past 12 months.

18 IT Security: Training for Mobile/Remote Workers, US Results
Most US organizations allow data access for remote/mobile employees, with the majority using encryption to secure data transmission via remote access. Trends have remained consistent since the previous survey.
Allow Data Access for Remote/Mobile Employees*: Yes 80% / No 20% in 2007 (1,014 responses); Yes 79% / No 21% in 2006 (1,015 responses)
Encrypt Data Transmissions Via Remote Access**: Yes 86% / No 14% in 2007 (807 responses); Yes 84% / No 16% in 2006 (791 responses)
Callout: Access for remote employees is much less available in Canada (50%) and the UK (52%).
* Question: Does your company allow data access for remote/mobile employees?
** Question: Do you encrypt data transmissions via remote access?

19 IT Security: Awareness Training for Mobile/Remote Workers, US Results
Half of organizations have implemented security awareness training/education for remote employees or are planning to. However, this means that half either haven't considered it or have no immediate plans to implement it.
Yes, we have implemented security awareness training/education 37%
Yes, we plan to implement security awareness training/education during the coming year 13%
Yes, we have considered implementing security awareness training/education, but have no immediate plans to implement 16%
No, we have not considered implementing security awareness training/education 34%
No. of responses = 808
Callout: Chinese companies are much more likely to implement security awareness training in 2008 (42%).
Question: Has your company considered, or implemented, its own security awareness training specifically for mobile/remote employees?

20 New York Daily News, Tuesday Oct. 2nd, 2007
"Natalie Fishman takes great care to protect her personal information. Unfortunately, she's discovered the third parties she shares it with don't have the same interest in keeping it safe. Just recently, she received a letter from the city Financial Information Services Agency informing her about the loss of a laptop loaded with financial information on as many as 280,000 city retirees. Someone stole the computer in August from a consultant who took it to a restaurant."

21 In development: CompTIA Security Trustmark
The CompTIA Security Trustmark accredits those Solution Providers who promote security business practices that invoke the trust of end users. It is a baseline standard of security practices and competencies as agreed upon by the service and support industry. The CompTIA Security Trustmark requires Solution Providers to keep a comprehensive report of internal security processes and of processes at customer sites. It also requires reports of their security-level skills/certifications, security vendor product training/knowledge, and overall IT capabilities that relate to security practices.

22 IT Security: Reduction of Major Security Breaches Since Implementation of Security Awareness Training for Remote/Mobile Workers, US Results
Organizations that offer security awareness training for remote/mobile employees overwhelmingly experience fewer major security breaches.
Yes 88%; No 12% (No. of responses = 297)
Callout: All respondents in Canada and China believe the number of breaches has been reduced.
Question: Do you think the number of major security breaches in your organization has been reduced since your organization's security awareness training/education for remote/mobile employees? (A major security breach is one that causes real harm, has confidential information taken, or causes business interruption.)

23 Group Discussion: How does YOUR organization fit the statistics?
Written policy
General employee training
Mobile devices


More information

Section 3.9 PCI DSS Information Security Policy Issued: November 2017 Replaces: June 2016

Section 3.9 PCI DSS Information Security Policy Issued: November 2017 Replaces: June 2016 Section 3.9 PCI DSS Information Security Policy Issued: vember 2017 Replaces: June 2016 I. PURPOSE The purpose of this policy is to establish guidelines for processing charges on Payment Cards to protect

More information

Insider Threat Detection Including review of 2017 SolarWinds Federal Cybersecurity Survey

Insider Threat Detection Including review of 2017 SolarWinds Federal Cybersecurity Survey Insider Threat Detection Including review of 2017 SolarWinds Federal Cybersecurity Survey CyberMaryland Conference 2017 Bob Andersen, Sr. Manager Federal Sales Engineering robert.andersen@solarwinds.com

More information

The Eight Rules of Security

The Eight Rules of Security The Eight Rules of Security The components of every security decision. Understanding and applying these rules builds a foundation for creating strong and formal practices through which we can make intelligent

More information

Cybersecurity Panel: Cutting through Cybersecurity Hype with Practical Tips to Protect your Bank

Cybersecurity Panel: Cutting through Cybersecurity Hype with Practical Tips to Protect your Bank Cybersecurity Panel: Cutting through Cybersecurity Hype with Practical Tips to Protect your Bank NJ Bankers Association Annual Convention May 19, 2017 Presented by: Jeremy Burris, Principal, S.R. Snodgrass,

More information

Information Technology General Control Review

Information Technology General Control Review Information Technology General Control Review David L. Shissler, Senior IT Auditor, CPA, CISA, CISSP Office of Internal Audit and Risk Assessment September 15, 2016 Background Presenter Senior IT Auditor

More information

Background FAST FACTS

Background FAST FACTS Background Terra Verde was founded in 2008 by cybersecurity, risk and compliance executives. The founders believed that the market needed a company that was focused on using security, risk and compliance

More information

mhealth SECURITY: STATS AND SOLUTIONS

mhealth SECURITY: STATS AND SOLUTIONS mhealth SECURITY: STATS AND SOLUTIONS www.eset.com WHAT IS mhealth? mhealth (also written as m-health) is an abbreviation for mobile health, a term used for the practice of medicine and public health supported

More information

GLOBAL ENCRYPTION TRENDS STUDY

GLOBAL ENCRYPTION TRENDS STUDY GLOBAL ENCRYPTION TRENDS STUDY April 2017 EXECUTIVE SUMMARY EXECUTIVE SUMMARY Ponemon Institute is pleased to present the findings of the 2017 Global Encryption Trends Study, sponsored by Thales e-security.

More information

Phishing Activity Trends

Phishing Activity Trends Phishing Activity Trends Report for the Month of, 27 Summarization of Report Findings The number of phishing reports received rose to 24,853 in, an increase of over 1, from February but still more than

More information

Risky Business. How Secure is Your Dealership s Information? By Robert Gibbs

Risky Business. How Secure is Your Dealership s Information? By Robert Gibbs I S S U E P A P E Risky Business By Robert Gibbs R 2 0 0 8 Risky Business Remember when information security meant locking your file cabinets at night? Unfortunately, those days are long gone. With the

More information

The Information Security Guideline for SMEs in Korea

The Information Security Guideline for SMEs in Korea The Information Security Guideline for SMEs in Korea Ho-Seong Kim Mi-Hyun Ahn Gang Shin Lee Jae-il Lee Abstract To address current difficulties of SMEs that are reluctant to invest in information security

More information

Management Update: Information Security Risk Best Practices

Management Update: Information Security Risk Best Practices IGG-07022003-01 R. Witty Article 2 July 2003 Management Update: Information Security Risk Best Practices The growing focus on managing information security risk is challenging most enterprises to determine

More information

FROM TACTIC TO STRATEGY:

FROM TACTIC TO STRATEGY: FROM TACTIC TO STRATEGY: The CDW-G 2011 Cloud Computing Tracking Poll 2011 CDW Government LLC TABLE OF CONTENTS Introduction 3 Key findings 4 Planning for the cloud 16 Methodology and demographics 19 Appendix

More information

Defending Our Digital Density.

Defending Our Digital Density. New Jersey Cybersecurity & Communications Integration Cell Defending Our Digital Density. @NJCybersecurity www.cyber.nj.gov NJCCIC@cyber.nj.gov The New Jersey Cybersecurity & Communications Integration

More information

Outbound and Data Loss Prevention in Today s Enterprise

Outbound  and Data Loss Prevention in Today s Enterprise Outbound Email and Data Loss Prevention in Today s Enterprise Results from Proofpoint s seventh annual survey on outbound messaging and content security issues, fielded by Osterman Research during June

More information

THE CYBERSECURITY LITERACY CONFIDENCE GAP

THE CYBERSECURITY LITERACY CONFIDENCE GAP CONFIDENCE: SECURED WHITE PAPER THE CYBERSECURITY LITERACY CONFIDENCE GAP ADVANCED THREAT PROTECTION, SECURITY AND COMPLIANCE Despite the fact that most organizations are more aware of cybersecurity risks

More information

NEW YORK CYBERSECURITY REGULATION COMPLIANCE GUIDE

NEW YORK CYBERSECURITY REGULATION COMPLIANCE GUIDE COMPLIANCE ADVISOR NEW YORK CYBERSECURITY REGULATION COMPLIANCE GUIDE A PUBLICATION BY THE EXCESS LINE ASSOCIATION OF NEW YORK One Exchange Plaza 55 Broadway 29th Floor New York, New York 10006-3728 Telephone:

More information

IT Security in a Meaningful Use Era C&SO HIMSS Meeting

IT Security in a Meaningful Use Era C&SO HIMSS Meeting CSOHIMSS 2011 Slide 1 October 21, 2011 October 21, 2011 IT Security in a Meaningful Use Era C&SO HIMSS Meeting Presented by: Mac McMillan CEO CynergisTek, Inc. Chair, HIMSS Privacy & Security Task Force

More information

IP Risk Assessment & Loss Prevention By Priya Kanduri Happiest Minds, Security Services Practice

IP Risk Assessment & Loss Prevention By Priya Kanduri Happiest Minds, Security Services Practice IP Risk Assessment & Loss Prevention By Priya Kanduri Happiest Minds, Security Services Practice IP Risk Assessment & Loss Prevention Often when organizations are expanding rapidly, they do not give sufficient

More information

HIPAA Privacy & Security Training. Privacy and Security of Protected Health Information

HIPAA Privacy & Security Training. Privacy and Security of Protected Health Information HIPAA Privacy & Security Training Privacy and Security of Protected Health Information Course Competencies: This training module addresses the essential elements of maintaining the HIPAA Privacy and Security

More information

A practical guide to IT security

A practical guide to IT security Data protection A practical guide to IT security Ideal for the small business The Data Protection Act states that appropriate technical and organisational measures shall be taken against unauthorised or

More information

IBM Global Technology Services Provide around-the-clock expertise and protect against Internet threats.

IBM Global Technology Services Provide around-the-clock expertise and protect against Internet threats. IBM Global Technology Services Provide around-the-clock expertise and protect against Internet threats. Enhancing cost to serve and pricing maturity Keeping up with quickly evolving ` Internet threats

More information

Cyber Security. June 2015

Cyber Security. June 2015 Cyber Security June 2015 Table of contents Section Pages Introduction and methodology 3 Key findings 4 Respondent profile 5-9 Cyber security practices 10-25 Resources for monitoring cyber security events

More information

Must Have Items for Your Cybersecurity or IT Budget in 2018

Must Have Items for Your Cybersecurity or IT Budget in 2018 Must Have Items for Your Cybersecurity or IT Budget in 2018 CBAO Regional Meeting Dan Desko (Senior Manager, IT Risk Advisory) Matt Dunn (Senior Security Analyst, IT Risk Advisory) Who is Schneider Downs?

More information

The data quality trends report

The data quality trends report Report The 2015 email data quality trends report How organizations today are managing and using email Table of contents: Summary...1 Research methodology...1 Key findings...2 Email collection and database

More information

Position Description IT Auditor

Position Description IT Auditor Position Title IT Auditor Position Number Portfolio Performance and IT Audit Location Victoria Supervisor s Title IT Audit Director Travel Required Yes FOR OAG HR USE ONLY: Approved Classification or Leadership

More information

SALARY $ $72.54 Hourly $3, $5, Biweekly $8, $12, Monthly $103, $150, Annually

SALARY $ $72.54 Hourly $3, $5, Biweekly $8, $12, Monthly $103, $150, Annually SALARY $49.72 - $72.54 Hourly $3,977.88 - $5,803.27 Biweekly $8,618.75 - $12,573.75 Monthly $103,425.00 - $150,885.00 Annually ISSUE DATE: 03/21/18 THE POSITION DIRECTOR OF CYBER SECURITY OPEN TO THE PUBLIC

More information

Global Security Consulting Services, compliancy and risk asessment services

Global Security Consulting Services, compliancy and risk asessment services Global Security Consulting Services, compliancy and risk asessment services Introduced by Nadine Dereza Presented by Suheil Shahryar Director of Global Security Consulting Today s Business Environment

More information

2016 APNIC Survey Results Asia Pacific Network Information Centre

2016 APNIC Survey Results Asia Pacific Network Information Centre 2016 APNIC Survey Results Asia Pacific Network Information Centre Conducted and prepared by Survey Matters. Agenda Survey Process and Methodology 3 Participation and Service Satisfaction 6 Respondents

More information

KNOWLEDGE GAPS: AI AND MACHINE LEARNING IN CYBERSECURITY. Perspectives from U.S. and Japanese IT Professionals

KNOWLEDGE GAPS: AI AND MACHINE LEARNING IN CYBERSECURITY. Perspectives from U.S. and Japanese IT Professionals KNOWLEDGE GAPS: AI AND MACHINE LEARNING IN CYBERSECURITY Perspectives from U.S. and ese IT Professionals Executive Summary The use of artificial intelligence (AI) and machine learning (ML) in cybersecurity

More information

NORTH AMERICAN SECURITIES ADMINISTRATORS ASSOCIATION Cybersecurity Checklist for Investment Advisers

NORTH AMERICAN SECURITIES ADMINISTRATORS ASSOCIATION Cybersecurity Checklist for Investment Advisers Identify Protect Detect Respond Recover Identify: Risk Assessments & Management 1. Risk assessments are conducted frequently (e.g. annually, quarterly). 2. Cybersecurity is included in the risk assessment.

More information

As Enterprise Mobility Usage Escalates, So Does Security Risk

As Enterprise Mobility Usage Escalates, So Does Security Risk YOUR SECURITY. CONNECTED WHITE PAPER As Enterprise Mobility Usage Escalates, So Does Security Risk Even as more organizations embrace the use of mobile devices by employees and customers to access services

More information

Nebraska CERT Conference

Nebraska CERT Conference Nebraska CERT Conference Security Methodology / Incident Response Patrick Hanrion Security Center of Excellence Sr. Security Consultant Agenda Security Methodology Security Enabled Business Framework methodology

More information

Mark Your Calendars: NY Cybersecurity Regulations to Go into Effect

Mark Your Calendars: NY Cybersecurity Regulations to Go into Effect Mark Your Calendars: NY Cybersecurity Regulations to Go into Effect CLIENT ALERT January 25, 2017 Angelo A. Stio III stioa@pepperlaw.com Sharon R. Klein kleins@pepperlaw.com Christopher P. Soper soperc@pepperlaw.com

More information

Information Security Management System

Information Security Management System Information Security Management System Based on ISO/IEC 17799 Houman Sadeghi Kaji Spread Spectrum Communication System PhD., Cisco Certified Network Professional Security Specialist BS7799 LA info@houmankaji.net

More information

Monthly Cyber Threat Briefing

Monthly Cyber Threat Briefing Monthly Cyber Threat Briefing January 2016 1 Presenters David Link, PM Risk and Vulnerability Assessments, NCATS Ed Cabrera: VP Cybersecurity Strategy, Trend Micro Jason Trost: VP Threat Research, ThreatStream

More information

Phishing Activity Trends Report August, 2005

Phishing Activity Trends Report August, 2005 Phishing Activity Trends Report August, 25 Phishing is a form of online identity theft that employs both social engineering and technical subterfuge to steal consumers' personal identity data and financial

More information

Chapter 18 SaskPower Managing the Risk of Cyber Incidents 1.0 MAIN POINTS

Chapter 18 SaskPower Managing the Risk of Cyber Incidents 1.0 MAIN POINTS Chapter 18 SaskPower Managing the Risk of Cyber Incidents 1.0 MAIN POINTS The Saskatchewan Power Corporation (SaskPower) is the principal supplier of power in Saskatchewan with its mission to deliver power

More information

CYBERSECURITY PREPAREDNESS AND RESPONSE

CYBERSECURITY PREPAREDNESS AND RESPONSE A MIDDLE MARKET RISK MANAGEMENT PERSPECTIVE Sponsored by THE HARTFORD by Josh Bradford, Senior Editor, Specialty Editorial TABLE OF CONTENTS Survey Overview Pg. 1 Key Findings Pg. 2 Cyber Risk: A Self-Assessment

More information

Formulate A Database Security Strategy To Ensure Investments Will Actually Prevent Data Breaches And Satisfy Regulatory Requirements

Formulate A Database Security Strategy To Ensure Investments Will Actually Prevent Data Breaches And Satisfy Regulatory Requirements A Forrester Consulting Thought Leadership Paper Commissioned By Oracle Formulate A Database Security Strategy To Ensure Investments Will Actually Prevent Data Breaches And Satisfy Regulatory Requirements

More information

KSI/KAI Cyber Security Policy / Procedures For Registered Reps

KSI/KAI Cyber Security Policy / Procedures For Registered Reps KSI/KAI Cyber Security Policy / Procedures For Registered Reps Password Protection 1) All electronic devices used in any way for KSI/KAI business must be password protected. 2) Passwords, where applicable,

More information

Data Security and Privacy : Compliance to Stewardship. Jignesh Patel Solution Consultant,Oracle

Data Security and Privacy : Compliance to Stewardship. Jignesh Patel Solution Consultant,Oracle Data Security and Privacy : Compliance to Stewardship Jignesh Patel Solution Consultant,Oracle Agenda Connected Government Security Threats and Risks Defense In Depth Approach Summary Connected Government

More information

Canada Highlights. Cybersecurity: Do you know which protective measures will make your company cyber resilient?

Canada Highlights. Cybersecurity: Do you know which protective measures will make your company cyber resilient? Canada Highlights Cybersecurity: Do you know which protective measures will make your company cyber resilient? 21 st Global Information Security Survey 2018 2019 1 Canada highlights According to the EY

More information

SYMANTEC ENTERPRISE SECURITY. Symantec Internet Security Threat Report September 2005 Power and Energy Industry Data Sheet

SYMANTEC ENTERPRISE SECURITY. Symantec Internet Security Threat Report September 2005 Power and Energy Industry Data Sheet SYMANTEC ENTERPRISE SECURITY Symantec Internet Security Threat Report September 00 Power and Energy Industry Data Sheet An important note about these statistics The statistics discussed in this document

More information

Keys to a more secure data environment

Keys to a more secure data environment Keys to a more secure data environment A holistic approach to data infrastructure security The current fraud and regulatory landscape makes it clear that every firm needs a comprehensive strategy for protecting

More information

Chapter 12. Information Security Management

Chapter 12. Information Security Management Chapter 12 Information Security Management We Have to Design It for Privacy... and Security. Tension between Maggie and Ajit regarding terminology to use with Dr. Flores. Overly technical communication

More information

Cyber fraud and its impact on the NHS: How organisations can manage the risk

Cyber fraud and its impact on the NHS: How organisations can manage the risk Cyber fraud and its impact on the NHS: How organisations can manage the risk Chair: Ann Utley, Preparation Programme Manager, NHS Providers Arno Franken, Cyber Specialist, RSM Sheila Pancholi, Partner,

More information

KEY FINDINGS INTERACTIVE GUIDE. Uncovering Hidden Threats within Encrypted Traffic

KEY FINDINGS INTERACTIVE GUIDE. Uncovering Hidden Threats within Encrypted Traffic KEY FINDINGS INTERACTIVE GUIDE Uncovering Hidden Threats within Encrypted Traffic Introduction In a study commissioned by A10 Networks, Ponemon surveyed 1,023 IT and IT security practitioners in North

More information

Practical Guide to Securing the SDLC

Practical Guide to Securing the SDLC Practical Guide to Securing the SDLC Branko Ninkovic Dragonfly Technologies Founder Agenda Understanding the Threats Software versus Security Goals Secure Coding and Testing A Proactive Approach to Secure

More information

Phishing Activity Trends Report January, 2005

Phishing Activity Trends Report January, 2005 Phishing Activity Trends Report January, 2005 Phishing is a form of online identity theft that uses spoofed emails designed to lure recipients to fraudulent web sites which attempt to trick them into divulging

More information

Today s cyber threat landscape is evolving at a rate that is extremely aggressive,

Today s cyber threat landscape is evolving at a rate that is extremely aggressive, Preparing for a Bad Day The importance of public-private partnerships in keeping our institutions safe and secure Thomas J. Harrington Today s cyber threat landscape is evolving at a rate that is extremely

More information

INTRODUCTION. We would like to thank HelpSystems for supporting this unique research. We hope you will enjoy the report.

INTRODUCTION. We would like to thank HelpSystems for supporting this unique research. We hope you will enjoy the report. 2019 SIEM REPORT INTRODUCTION Security Information and Event Management (SIEM) is a powerful technology that allows security operations teams to collect, correlate and analyze log data from a variety of

More information

United Automotive Electronic Systems Co., Ltd Relies on McAfee for Comprehensive Security

United Automotive Electronic Systems Co., Ltd Relies on McAfee for Comprehensive Security United Automotive Electronic Systems Co., Ltd Relies on McAfee for Comprehensive Security Global Venture chooses McAfee for Complex Security Landscape UAES Customer Profile Joint venture of the United

More information

Bill Wear. VirtualVault Product Manager. Internet Banking Case Study

Bill Wear. VirtualVault Product Manager. Internet Banking Case Study Bill Wear VirtualVault Product Manager Internet Banking Case Study Business Problem? A Swedish bank wants an Internet Branch. Make the security barrier high enough...... but not TOO high. And by the way,

More information

Combating Cyber Risk in the Supply Chain

Combating Cyber Risk in the Supply Chain SESSION ID: CIN-W10 Combating Cyber Risk in the Supply Chain Ashok Sankar Senior Director Cyber Strategy Raytheon Websense @ashoksankar Introduction The velocity of data breaches is accelerating at an

More information