f-secure b2b security report...
TRANSCRIPT
F-SECURE B2B SECURITY REPORT 2015
Cyber Security Awareness and Implementation
Table of Contents
1. Executive summary 3
2. Introduction 4
3. Advanced cyber threats 5
3.1 Anyone can be a target 53.2 The advanced cyber threat is very well known 63.3 Managing security will be a priority 63.4 Complexity is increasing 7
3.4.1 Partners are important influencers and decision makers 73.5 Preparedness for cyber risks remains quite low 8
4. Protecting company data still at the core 9
4.1 Security is about data 94.2 Depending on country, security is either about business or technology 9
4.2.1 Implications by language use 10
5. Awareness increases, but behavior does not always follow 11
5.1 Network and cyber security is a priority 115.2 Behavior does not reflect awareness 125.3 BYOD increases complexity, but mobile security is still not a priority 12
5.3.1 The Wi-Fi challenge 135.3.2 Implementation of mobile security lagging 13
5.4 Price still a key decision making criteria 14
6. Conclusion 15
7. Study methods and survey coverage 16
8. Sources 17
1. Executive summary
Awareness of security and cyber security is strong in European
companies. In most cases, awareness is also reflected in attitudes.
However, awareness and attitudes is not always apparent in the
behavior of the respondents.
For most companies, getting the basics right is still the first priority.
Ensuring smooth IT operations and performance without disruptions,
as well as antivirus protection and protecting against other malware,
are still the top two priorities. But, to achieve this in today’s world,
companies need to focus on different aspects of IT security.
Protecting company data is naturally the next step, and is one way to
ensure smooth operations. Multichannel security is still something
that is not a topic on everyone’s agenda, but awareness is increasing.
In our research, IT decision makers clearly confirm that protecting
the confidentiality of their company data (personnel data, customer
data, intellectual property, and financial data) is a security priority
for their company.
Most respondents agree that cyber threats are something that
every company needs to be wary of. However, this knowledge does
not translate very widely into concrete actions – the more advanced
protection methods and tools are still not widely used, even
amongst bigger companies.
3
Cyberattacks are becoming more and more frequent, and continue to be a source of headaches for businesses. Criminals and corporate saboteurs are developing more sophisticated infrastructure and better tools to use against companies. And nations and governments are beginning to turn their cyberattack capabilities toward businesses for intelligence-gathering purposes. Considerations such as these highlight the significance of cyberattacks as a legitimate risk facing companies.
The significance of these threats is easy to measure. The sheer number of cyberattacks increased by 48% from 2013 to 2014, and the AV-Test Institute currently registers over 390,000 new pieces of malware every day.
But it’s more difficult to appreciate the havoc these threats can inflict on unprepared businesses. The costs are at an all-time high, and a study from the Ponemon institute found that 65% of respondents are experiencing more advanced persistent threats/targeted attacks than ever before.
Protecting company data is becoming an increasingly essential and significant cyber security issue for organizations. For example, Forrester has predicted that in 2015, privacy will become a competitive differentiator. In a 2014 study from TRUSTe, 60% of UK consumers said that they are more concerned about online privacy than the year before.
2. Introduction
Mobile threats are not yet one of the biggest issues facing companies, even if the number of mobile malware families is rising. A recent report from Verizon states that mobile breaches have been few and far between over the years. And according to a presentation given at the Gartner Security and Risk Management Summit 2015, when it comes to mobile security, data loss is the main threat for businesses as opposed to mobile malware.
This report sheds some light on how businesses view the current online threat landscape in relation to their own practices and security posture. It is based on an online survey conducted in spring 2015, which collected data from 1780 participants in eight European countries. It asked a broad range of questions designed to elicit insights regarding the way these companies approach security, but the key takeaway discussed in the following pages focuses on how companies are adjusting to a threat landscape populated by increasingly sophisticated threats. The study found that while many companies appreciate the security challenges facing them, many of them are unaware of how to meet these challenges using their current approach to security. Furthermore, the study finds that companies are mainly concerned with data protection rather than a more holistic approach to cyber security. While this is unsurprising given the current discussions on the new data protection regulations being ushered in within Europe, it does indicate that the emphasis on data protection has yet to translate into businesses adopting comprehensive cyber security solutions designed to prevent data breaches.
4
3.1 Anyone can be a target
The study found that there is a general awareness of cyber risks. 94.3% of respondents believe that any company of any size and industry can be a target for cyberattacks.
Overall, there seems to be some common agreement on the risks posed by cyber threats. Naturally, awareness is higher in larger companies. But when comparing how many respondents agree (at least to a certain degree) about the risks, there are no significant differences. Almost all respondents see that cyberattacks can target anyone, big or small, regardless of industry.
It is quite natural to have this level of agreement, as no one could escape the growing number of news stories covering security breaches, online scams, and other types of cyberattacks.
3. Advanced cyber threats
Companies have noticed the increase in advanced cyber threats, and understand that any company can now be a target. This is reflected in the
fact that company decision makers believe that the management of security will become more of a priority in the future. They recognize the increasingly
complex security challenges ahead of them, and look for partners to keep them up to date with risks and ways to handle security.
49,5%
56,5%59,3% 57,7%
42,4%
7,2%
0,9% 0,5% 0,0% 0,7%
37,3%
5,7%
36,8%
3,9%
38,0%
3,6%
Strongly Agree
1-24
Somewhat Agree
25-199
Somewhat Disagree
200-499
I believe that any company of any size and industry can be a target to cyberattacks.
55%39%
5% 1%
94,3%Strongly Agree
Somewhat Agree
Somewhat Disagree
Strongly Disagree
Strongly Disagree
+500
5
3.2 The advanced cyber threat is very well known
The respondents in our survey are clearly aware of this trend of increasing cyber threats. Protecting against inbound cyberattacks aimed at stealing financial information, protecting against inbound cyberattacks aimed at stealing intellectual property, protecting against targeted cyberattacks aimed at sabotaging the company, and protecting against inbound cyberattacks aimed at stealing employee or customer data are all among the top priorities of companies.
However, all respondents agree that the two most important priorities are to ensure smooth IT operations and performance without disruptions, and providing antivirus protection and protecting against other malware.
There is little difference between companies of different sizes, or between respondents in IT/non-IT roles. However, there is some variation between countries about which of the four types of cyberattack risks they see as most significant. Concerns about the risk of attacks against employee or customer data seem to be most common in many countries..
Current security priorities
1. Ensuring smooth IT operations and performance without disruptions
2. Antivirus protection and protecting against other malware
3. Protecting against inbound cyberattacks aimed at stealing financial information
4. Protecting against inbound cyberattacks aimed at stealing intellectual property
5. Protecting against inbound cyberattacks aimed at sabotaging the company
6. Protecting against inbound cyberattacks aimed at stealing employee or customer data
The study also clearly shows that IT professionals are fully aware that getting the basics right is a starting point that cannot be overlooked. The first priority, “Ensuring smooth IT operations and performance without disruptions”, is of course what IT departments are for, so it is no wonder it stays number one on the list or priorities. However, it is the importance of data protection that comes out most clearly in the survey.
3.3 Managing security will be a priority
Another clear sign of the companies understanding the increasing cyber threats is the fact that 89.2% believe that managing security will become more of a priority in the next 12 months. Bigger companies tend to agree a bit more with this, but there is no significant difference in opinions.
1%10%
Strongly Agree
Somewhat Agree
Somewhat Disagree
Strongly Disagree
I believe that managing security will become more of a priority in the next 12 months. 89,2%
42%
47%
6
3.4 Complexity is increasing
Due to the increasing amount of threats in general, and the increasing amount of devices and solutions to manage, IT security is becoming more complex. This increases the need for partners and other experts to support companies in managing security.
With over 70% of respondents agreeing with the need for more help from partners, this is a clear opportunity for IT service companies.
3.4.1 Partners are important influencers and decision makers
The role of IT service providers in providing security information is very clear, with about 40% of all respondents mentioning it as one of their three main sources of information.
Mid-sized companies are most likely to trust IT service providers to keep them up to date, and less likely to trust colleagues and peers. Smaller companies will use the security solution providers’ websites as their primary source of information.
The three most likely channels to get information about business security related topics
How will your company make the decision concerning your next Business IT Security Solution provider?
The partner also plays a large role in the actual decision making. Even though few companies outsource the whole decision making process to a partner, over a third will make their decision based on the recommendations of a partner or reseller. Of the smaller mid-sized companies, almost half would either base the decision on their partner’s recommendation, or let the partner make the decision on their behalf.
The expanding number of endpoints, combined with the increasing sophistication of malware and cyberattacks, clearly emphasize the importance of the security partner, both as a source of information and as an influencer.
4%
25%
Strongly Agree
Somewhat Agree
Somewhat Disagree
Strongly Disagree
I believe that IT security is becoming too diversified and complex to be handled completely in-house, and will need more support from specialist security partners.
19%
52%
Total population
Number of employees
1-24 25-199 200-499 500+
My IT Services Provider
40,3% 34,5% 45,0% 48,1% 38,8%
Security solution providers websites
37,8% 40,5% 38,3% 34,2% 36,7%
Colleagues & Peers
34,1% 34,5% 34,9% 29,9% 34,8%
Total population
Number of employees
1-24 25-199 200-499 500+
We will make the decision in house
54,0% 55,9% 48,4% 55,4% 55,6%
We will make the decision in house based on recommenda-tions from our IT partner/reseller
37,4% 32,8% 44,0% 38,1% 36,4%
Our IT partner/reseller will make the decision
3,0% 3,0% 3,2% 3,0% 2,8%
I don't know 5,6% 8,3% 4,4% 3,5% 5,2%
71%
7
Even through the threat seems to be known, and there is some general agreement about cyber threats targeting any company, there is still only sporadic adoption of advanced tools to fight cyberattacks.
Very understandably, the bigger companies are better equipped to handle advanced cyber threats, but even the largest companies have an implementation percentage of below 50% for more advanced tools.
Based on the results of the survey, it is clear that the risk of advanced cyber threats is known, and there is general agreement on their increasing complexity. However, real-life preparedness is still lagging behind awareness. This might be an opportunity for IT security partners to take a more active role in educating end customers, but also in actively promoting safe practices and the right tools to keep pace and fight the increasing amount of vulnerabilities and threats.
Content security
End-point forensics
End-point detection / intrusion detection
0% 10% 30%20% 40% 45% 50%5% 25%15% 35%
1-2425-199200-499500-19992000+
3.5 Preparedness for cyber risks remains quite low
Cyber security tools in use
8
4.1 Security is about data
The survey confirms that IT decision makers feel data protection is an essential element of security. 92.6% of all respondents believe that protecting the confidentiality of their company data (personnel data, customer data, intellectual property, and financial data) is an important security priority for their company.
4. Protecting company data still at the core
Protecting company data is, as already reported in chapter 3.2, a core element of cyber security and among the key priorities for companies. The protection of data is seen as either a business topic, or a security topic, depending on the
country. This attitude is reflected in the language use in those countries.
Protecting the confidentiality of our company data (personnel data, customer data, intellectual property, and financial data) is a security priority for my company.
Protecting the confidentiality of our company data (personnel data, customer data, intellectual property,
and financial data) is a security priority for my company.
There is also no significant difference in opinions on this question between different sizes of companies, or between companies operating in different industries.
This awareness of the importance of protecting data is also reflected in security priorities. Protecting the company against targeted attacks aimed at stealing any kind of information are the next priorities after security basics. (See chapter 3.2)
It looks like it is the protection of data that drives security efforts, which is natural since data can be a path to obtaining other assets (such as money). Alternatively, the loss of data can have severe effects on the reputation of a company, and even result in financial losses.
4.2 Depending on country, security is either about business or technology
It is easy to see that, on a geographical level, there are some clear differences on how important the protection of company data seems to be. Data protection is high on the agenda in Poland, making it appear that Polish respondents value data more than other European respondents. In Brazil and India, this figure is even bigger: 79.3% for Brazil, and 75.5% for India.1%
34,5%
48,8%56,3%
71,6%
48,8%
6%
Strongly Agree
France UK
Strongly agree
Germany Poland Nordics
Somewhat Agree
Somewhat Disagree
Strongly Disagree
51%42%
92,6%
9
4.2.1 Implications by language use
Different attitudes are also reflected in language. All terms that include “data” are highly visible in the Polish results, where data protection is high on the agenda.
Top “data” related terms in the Top 10 terminology list for IT security
France
Germany
UK
Poland
Nordics
Data loss preventionData privacy
Cyber security
Data confidentialityData protectionData security0%
0%
10%
10%
20%
20%
40%
40%
60%
60%
30%
30%
50%
50%
70%
70%
80%
80% In all countries, the buzzword of today, “cyber security”, still has quite a way to go to actually reach a prominent position in the minds of IT decision makers.
10
When looking at data protection and how important it is, the survey results paint a very similar picture across countries and companies. However, the way companies talk about data security differs from country to country. Based on the data, it appears that some countries look at security as a technical topic (France, Germany), while others see it more as a business topic (Poland).
5.1 Network and cyber security is a priority
83.5% of respondents say that security is a priority for them, and that they spend time informing themselves. There are no significant differences between countries, but respondents in smaller companies are less likely to agree. The bigger the company, the more consideration is given to network and cyber security. This is natural given the fact that IT specialists, and other focused IT or security roles, were only found in larger companies.
5. Awareness increases, but behavior does not
always follow
When looking at the survey results according to priorities, cyber security and network security are clearly significant. However, the behavior of companies
does not entirely reflect the awareness of different issues. The solutions in use are still pretty basic, and even patch management is largely overlooked.
The gap between understanding and real-life actions becomes even clearer when looking into mobile security. Everyone knows that the increase of mobile device usage is huge, and most respondents agreed that the increasing amount of devices in use is making security management more complex. But this is not
reflected in the resources dedicated to managing those devices.
As other results of the study show, the importance of partners as a source of information speaks to the opportunity for knowledgeable partners and suppliers to gain trust by showing expertise, and informing customers about threats and best practices.
Network & cyber security is a priority for me. I regularly spend time informing myself.
25,6%
36,4% 36,4%40,3%
44,8%
24,7%
47,2%
10,8%14,7%
52,8%50,5%
8,0%4,9%
1,7% 0,0% 1,2%
Strongly Agree
1-24
Somewhat Agree
25-199
Somewhat Disagree
200-499
Strongly Disagree
+500
11
3%
11%Strongly Agree
Somewhat Agree
Somewhat Disagree
Strongly Disagree
35%
51%
5.2 Behavior does not reflect awareness
Even though network and cyber security, and protecting company data, are the top priorities when it comes to attitudes, this is not apparent when looking at behavior. Network firewalls are the most basic type of security measure available to companies. They are also widely used, with 73.8% of respondents saying their companies use firewalls. However, less than half of respondents say their companies
use VPNs, even though connecting to the Internet without a VPN is a clear security risk. And only one in four respondents said their companies use patch management, even though that is an effective and straightforward way to disrupt most cyberattacks.
So the path from awareness and understanding to concrete action seems to be pretty long. One could basically equate it with natural divisions between “forerunners”, “followers”, and “slow implementers”.
Business IT security solutions currently in use in your company
5.3 BYOD increases complexity, but mobile security is still not a priority
Our respondents agree that implementing security is becoming more complicated with the increasing number of employee-owned devices in use. They also believe that IT security is becoming so diversified and complex that it is increasingly difficult to handle it completely in-house. Instead, they require more support from specialist security partners.
Regardless of the growing awareness of BYOD security challenges, ensuring the security of an increasingly diverse number of devices was selected as one of the least important priorities by survey respondents, and ranked lower than taking care of security basics, targeted attacks, cloud security, the security of data storage, and others. Everybody seems to be aware of the risks, but very few have seen the consequences in real life. This means there has not been a sense of urgency for implementing BYOD and mobile security solutions. This will probably change if a large security incident is reported by the mainstream media.
The development of ‘bring your own device’ is making implementing security more complex
The results are nearly identical when asking specifically about mobile security. For most respondents, ensuring security on mobile devices is not yet a top priority. But it does seem to gain a bit more attention when described as a future goal, as respondents ranked it slightly higher as a future priority.
5,8%
1,5%
35,9%
14,2%
26,8%
31,0%
43,5%
47,3%
61,5%
73,8%
59,7%
I do not know any of the solutions we use
None of these
Content security
End-point forensics
Patch management
Gateway security
Web filtering
Email filtering & security
Network firewall
Server security
End-point detection / intrusion detection
86%
12
5.3.1 The Wi-Fi challenge
Using unsecured public Wi-Fi networks can be a security risk, and the study found that this is widely understood by companies.
Attitudes toward Wi-Fi security vary quite a bit from country to country. In the Nordics, only 73% of respondents agreed
that Wi-Fi was a considerable security risk, compared to over 85% of respondents in France and Poland, and nearly the same amount in both Germany and the UK. This is quite interesting when considered in relation to the reputation of the Nordics as being active users of mobile technologies.
5.3.2 Implementation of mobile security lagging
In spite of knowledge about cyber threats and a focus on data protection, very few respondents are taking steps to secure their fleets of mobile devices.
30,3%
39,3%
52,8%
45,3%
35,6%
26,3%
30,8%
39,0% 39,6%
27,0% 26,8%
39,3%35,5%
33,6% 32,4%
40,0%
27,8%
37,3%42,4%
47,0%42,8%
46,7%
12,3%14,8%
12,8% 12,0%
21,8%
2,5% 1,8% 3,0% 2,8%5,2%
55,0% 55,8%
26,4%
Strongly Agree
France
France
Somewhat Agree
Germany
Germany
Somewhat Disagree
UK
UK
Strongly Disagree
Poland
Poland
Nordics
Nordics
Unsecured public Wi-Fi networks used by employees on the go pose a considerable security risk to companies.
Solutions in use by country
VPN Device management / mobile device management
Mobile security for tablets & phones
13
When looking at solution adoption based on company size, it is natural to see the connection between company size and security solutions, as larger companies adopt mobile security and device management solutions at higher rates The relationship is similar for VPNs, device management/mobile device management, and mobile security for tablets and phones. However, even in the biggest companies, these tools are not particularly widespread.
German companies seem to be the most active in addressing Wi-Fi security challenges with VPNs, even though German companies were not the most concerned about Wi-Fi security. German companies also seem most likely to implement mobile security solutions for tablets and phones, but device management was most common in the UK and Poland.
5.4 Price still a key decision making criteria
Competitive price, high quality user experience, and good test results by independent testing organizations are the most important selection criteria for respondents when searching for security solutions. Competitive price is the number one criteria, although large companies (those with over 2000 employees) deviated from this trend, with respondents ranking it 4th instead of 1st.
The importance of competitive pricing is further emphasized by the respondents’ opinions on free security solutions. It is quite shocking to see how many participants still trust free security solutions considering how they value security. This finding was quite consistent among different company sizes and different countries. About 62% of the very smallest companies, and about 73% of the +500 companies, agree that they would not trust a free security solution.
The results of the survey show us a clear picture. Whereas awareness and attitudes have changed and indicate a strong level of understanding about cyber threats, this is not reflected in behavior. There are shortcomings in nearly all areas, but the gap is largest in regards to mobile and Wi-Fi security.
Even though companies agree that security is becoming more complex due to the increasing number of devices, and that insecure Wi-Fi networks pose serious security risks, the usage of mobile device management, VPNs, and mobile security solutions remain (for the most part) under 50%. Price continues to dominate buying decisions rather than genuine security needs.
Solutions in use by company size
VPN Device management / mobile device management
Mobile security for tablets & phones
25,4%
40,8%
47,2%
55,9%
22,0%
28,7%
35,9%40,0%
23,9%
29,2%
35,1%
42,3%1-24
25-199
200-499
+500
5%
27%
Strongly Agree
Somewhat Agree
Somewhat Disagree
Strongly Disagree
29%
39%
I would never trust a free security solution to ensure my company’s IT security.68%
14
Advanced cyber security, and the need for data protection, are common priorities for most companies that participated in the study. Data protection remains at the core of many cyber security objectives.
While awareness of cyber security is strong in all the countries and companies included in the survey, shifting that awareness into concrete actions is still something that seems lacking.
It is likely that the increase in awareness will have a gradual impact on behavior. Even if decisions are driven primarily by price, the quality of user experience and good test results are also important points. And in our view, this will lead to fewer companies trusting free security solutions as their needs become more complex.
And there’s more reasons to believe that behavior will change in the future.
Advanced cyber threats are gaining more attention in the media. F-Secure’s recent white paper on The Dukes and their cyber espionage techniques exposed the mechanisms one group has been using to attack other countries for the last seven years. And we all remember the Ashley Madison scandal, as well as the Sony breach
F-Secure Chief Research Officer Mikko Hyppönen states in F-Secure’s Threat Report H2/2014 that it is important to understand that different kinds of organizations are targeted by different kinds of attackers acting on different motives. The good news is that not every organization is targeted by every attacker, so understanding attacker attribution is critical for cyber defense strategies.
6. Conclusion
According to F-Secure’s most recent Threat Report, vulnerability-based attacks are on the rise. This conclusion is backed by the recent Verizon Data Breach Investigations Report, which found that 99.9% of exploited vulnerabilities were compromised more than a year after the vulnerabilities were published. Keeping software up to date could stop up to 80% of attacks, which would greatly improve many companies’ ability to disrupt cyberattacks.
The cost of data breaches is at an all-time-high, and will only continue to grow. With the increasing amount and variety of malware, the chances of being attacked are increasing. And according to the Ponemon 2015 Cost of Data Breach study, the average cost of a data breach for a company has increased to $3.79 million.
One more point to consider is that the legislation in many countries is currently changing, and will put much more emphasis on the importance of data protection. For European companies, compliance with the upcoming legislation is a question of being ahead of the changes to gain a competitive edge or avoid the legal consequences associated with non-compliance. Other aspects to consider in the changing business environment include the digitalization of business, the numerous reports of data breaches, and data being sold on dark web marketplaces.
15
The study was performed in the spring 2015 as an online survey. It was originally conducted in France, Germany, the UK, Poland, and the Nordics (Finland, Sweden, Norway and Denmark). The same study was conducted at a later date in the US, Brazil, and India. In this report, we focus on the European results.
The respondents were all IT decision makers in various roles and in different sized companies. The audience was mainly male: 67.5% of European repliers were male, and about 60% were between 30 and 49 years of age. The study looked into who the decision makers are and where they are in the organization, as well as their attitudes, behaviors and language.
7. Study methods and survey coverage
Nordics 330Dk, Fi, No, Sw
UK 400
France 400
Poland 250Germany 400
IT Manager 16,9%
IT Administrator/Specialist 20,8%
Network Security Manager 1,9%
Network Security Administrator 4,1%
IT Director 8,0%
Network Security Director 1,8%
Information Security Manager 4,2%
Chief Technical Officer 8,0%
IT Engineer/Programmer 12,0%
Chief Financial Officer 2,7%
Finance Director 2,1%
Managing Director/General Manager 6,2%
Chief Executive officer 2,1%
Owner/Founder 9,3%
Respondents by company size
1-24 25-199 200-499 500-1999 2000+
469 407 231 353 320
26% 23% 13% 20% 18%
16
8. Sources
F-Secure B2B online survey 2015
The Dukes, whitepaper, F-Secure
F-Secure Labs Threat Report H2/2014
Forrester.com
TRUSTe privacy research
HP: The hidden dangers of inadequate patching
Verizon Data Investigations Report
PwC Global State of Information Security Survey 2015
AV-Test.org
Ponemon 2015 State of Endpoint Risk survey
Ponemon 2015 Cost of Data Breach study
Mobile Security Threats and Trends2015, Gartner Security and Risk Management Summit
GOV.UK
17
SWITCH ON FREEDOM
F-Secure is a European pioneer in cyber security and data protection. We have been helping businesses solve security
challenges for over 25 years.
Our award-winning solutions go far beyond traditional anti-malware. We offer modern, best-in-class endpoint protection,
security management, and network security solutions. Developed in close cooperation with industry partners and
international security authorities, our solutions garner global awards from leading independent experts.
Together with our network of over 200 operators and thousands of IT service partners, we are able serve millions of private and
business customers locally, worldwide.
This is F-Secure
www.f-secure.com