Professional Documents
Culture Documents
User-Centric Risk
Sponsored by Lumension
Independently conducted by Ponemon Institute LLC
Publication Date: January 2015
Page 1
networks followed by advanced persistent threats (APT)/targeted attacks (65 percent) and
rootkits (65 percent). The biggest increase is in zero day attacks, APTs and spear phishing.
Certain applications increase vulnerabilities and IT risk. Causing the most problems in
managing endpoint risk are the following applications: Adobe (e.g. Acrobat, Flash Player, Reader)
(62 percent of respondents), Oracle Java JRE (54 percent of respondents) and third-party cloudbased productivity apps (e.g. WinZip, VLC, VMware and VNC).
Mobile devices, such as smart phones, have seen the greatest rise in potential IT security
risk in the IT environment. Eighty percent of respondents say smart phones are a concern
followed by vulnerabilities in third party applications (69 percent), mobile remote employees (42
percent) and the negligent insider risk.
Governance and control processes are the biggest gaps in stopping attacks on endpoints.
On average, 28 percent of attacks on an organizations endpoints cannot be realistically stopped
with enabling technologies, processes and in-house expertise. Seventy percent of respondents
agree that their organizations endpoint security policies are difficult to enforce.
How will organizations deal with increased endpoint risk? The research also reveals these
three predictions for 2015:
1. Virtually all organizations will evolve toward a more detect and respond orientation
from one that is focused on prevention. In addition, according to 70 percent of
respondents, their organizations are using or plan to use within the next two years the use of
big data to enhance endpoint and database security.
2. Threat intelligence increases in importance. Sixty-four percent of respondents say they
have added or plan to add a threat intelligence component to their companies security stack.
3. The endpoint becomes a security sensor. In other words, where state or context data
collected at the endpoint is used to determine if it has been or is being compromised.
Page 2
78%
51%
66%
65%
60%
45%
33%
32%
45%
38%
16%
0% 10% 20% 30% 40% 50% 60% 70% 80% 90%
FY 2014
FY 2013
Page 3
Malware targets mobile endpoints. Seventy-one percent of respondents say in the past 24
months managing endpoint risk has become very difficult. In fact, 75 percent of respondents (an
increase from 68 percent in last years study) believe their mobile endpoints have been the target
of malware over the past 12 months, as shown in Figure 2.
Figure 2. Mobile endpoints have been the target of malware over the past 12 months
80%
75%
68%
70%
60%
50%
40%
30%
22%
18%
20%
7%
10%
10%
0%
Yes
No
FY 2014
Unsure
FY 2013
Page 4
Employees use of mobile devices and commercial cloud increase endpoint risk
significantly. Respondents report use of commercial cloud applications (73 percent), BYOD (68
percent), and employees who operate from home offices and offsite locations (63 percent) have
significantly increased endpoint risk, as shown in Figure 3.
In fact, 68 percent of respondents say their IT department cannot keep up with employee demand
for greater support and better mobile device connectivity and 70 percent say their endpoint
security policies are difficult to enforce. Only 33 percent of respondents agree that their approach
to endpoint security takes into account the Internet of Things (IoT), which means that most
companies represented in this study are not addressing the potential endpoint risk created by IoT.
Figure 3. Factors contributing to endpoint security risk
Strongly agree and agree response combined
73%
70%
68%
68%
63%
33%
0%
FY 2014
Page 5
70%
60%
59%
55%
54%
53%
47%
50%
40%
30%
20%
10%
0%
FY 2014
FY 2013
FY 2012
FY 2011
FY 2010
Malware incidents are increasing in severity. Figure 5 shows the change in the severity of
malware experienced in 2014. As can be seen, half of respondents believe severity of malware
infections have significantly increased over the past year. In sharp contrast, only 24 percent of
respondents believe malware severity has decreased or stayed the same.
Figure 5. Change in the severity of malware incidents over the past year
Significantly increased
50%
Increased
19%
16%
Decreased
8%
Unsure
7%
0%
10%
20%
30%
40%
50%
60%
Page 6
80%
78%
50%
65%
63%
Rootkits
55%
48%
Spear phishing
46%
Clickjacking
Zero day attacks
Botnet attacks
Spyware
38%
46%
32%
35%
56%
35%
48%
SQL injection
31%
31%
30%
32%
DDoS*
Exploit of existing software vulnerability greater
than 3 months old
29%
24%
27%
0% 10% 20% 30% 40% 50% 60% 70% 80% 90%
FY 2014
Page 7
Applications increase endpoint risk. Applications causing the most problems in minimizing
malware risks are Adobe (e.g. Acrobat, Flash Player, Reader) (62 percent of respondents),
Oracle Java JRE (54 percent of respondents) and cloud-based productivity apps (e.g. WinZip,
VLC, VMware and VNC). As shown in Figure 7, the risk of Oracle Java JRE and uncontrolled use
of private cloud storage has increased significantly. In contrast, other third party apps and
Microsoft OS/Applications have decreased in perceived malware risk.
Figure 7. Trends in applications that increase IT risk
Applications that respondents believe are prone to malware infection
Five responses permitted
62%
Adobe
55%
54%
17%
46%
50%
43%
15%
40%
75%
34%
Microsoft OS/Applications
47%
33%
Apple apps
23%
29%
25%
Apple/Mac OS
0%
FY 2014
10%
20%
30%
40%
50%
60%
70%
80%
Page 8
Mobile devices such as smart phones have seen the greatest rise in potential IT security
risk in the IT environment. Figure 8 reveals that 80 percent of respondents say smart phones
are a concern followed by vulnerabilities in commercial third party applications (69 percent),
mobile remote employees (42 percent) and the negligent insider risk.
Figure 8. Trends in potential security risks within the IT environment
Areas and issues that cause significant IT security risks according to respondents
Five responses permitted
80%
51%
69%
59%
42%
48%
Mobile/remote employees
41%
42%
Our PC desktop/laptop
38%
43%
35%
28%
32%
35%
30%
15%
0% 10% 20% 30% 40% 50% 60% 70% 80% 90%
FY 2014
Page 9
67%
49%
45%
18%
2%
0%
Page 10
40%
40%
35%
32%
30%
25%
25%
21%
20%
19%
15%
15%
13% 13%
11%
11%
10%
5%
0%
Network
Data
Application
Endpoint
Human
Page 11
Governance and control processes are the biggest gaps in stopping attacks on endpoints.
On average, respondents believe 72 percent of attacks on an organizations endpoints can be
realistically stopped with enabling technologies, processes and in-house expertise.
According to Figure 11, the biggest gap in being able to mitigate these attacks is a lack of
governance and control processes, which would include training and awareness programs for
employees and enforcement of endpoint security policies. Seventy percent of respondents agree
that their organizations endpoint security policies are difficult to enforce.
Figure 11. The one biggest gap in the ability to stop attacks to endpoints
50%
29%
21%
0%
10%
20%
30%
40%
50%
60%
Page 12
71%
70%
79%
39%
21%
0.1
0.2
0.3
0.4
0.5
0.6
0.7
0.8
0.9
FY 2013
Page 13
What trends will organizations deploy to deal with endpoint risk? Virtually all organizations
(95 percent of respondents) will evolve toward a more detect and respond orientation from one
that is focused on prevention. Seventy percent of respondents say their organizations are using
or planning to use in two years or more the use of big data to enhance endpoint security, as
shown in Figure 13. Sixty-four percent of respondents say they have added or plan to add a
threat intelligence component to its security stack.
Figure 13. Use of threat intelligence, detect and respond and big data over the next 24
months or longer
33%
Yes, doing it now
44%
11%
22%
30%
41%
9%
21%
18%
36%
No
5%
30%
0% 5% 10% 15% 20% 25% 30% 35% 40% 45% 50%
Threat Intelligence
Big data
Page 14
Another popular trend is the notion of the endpoint as a security sensor. In other words, where
state or context data collected at the endpoint is used to determine if it has been or is being
compromised. Figure 14 reveals that 46 percent or respondents say this is something their
organizations are doing it now or are planning to introduce (19 percent + 18 percent + 9 percent).
Of lesser importance is the need to develop an offensive security capability (i.e. discover who is
behind an attack and then counterattack). Fifty percent of respondents are pursuing now or
planning to pursue offensive security capability. Forty-five percent say their organizations are
1
currently using or planning to use System Center Configuration Manager (SCCM). In another
finding, 43 percent of respondents say their organization has updated their security policies and
tactical plans to keep pace with the emergence of destructive malware such as CryptoLocker and
Shamoon.
Figure 14. Use of endpoint device as security sensor, SCCM and offensive security tactics
over the next 24 months or more
Yes, doing it now
6%
9%
19%
18%
21%
18%
18%
23%
45%
No
Never heard of it
4%
0%
Security sensor
9%
10%
SCCM
51%
50%
20%
30%
40%
50%
60%
Offensive security
Officially called System Center Configuration Manager, or simply ConfigMgr, SCCM is a systems
management software product by Microsoft for managing large groups of computers running Windows,
Windows Embedded, Mac OS X, Linux or UNIX, as well as various mobile operating systems such as
Windows Phone, Symbian, iOS and Android. SCCM provides remote control, patch management, software
distribution, operating system deployment, network access protection and hardware and software inventory.
Page 15
Part 3. Methods
A sampling frame composed of 18,664 IT and IT security practitioners located in the United
States and are involved in endpoint security were selected for participation in this survey. As
shown in the Table 1, 902 respondents completed the survey. Screening removed 199 surveys.
The final sample was 703 surveys (or a 3.8 percent response rate).
Table 1. Sample response
Total sampling frame
Total returns
Rejected and screened surveys
Final sample
Freq
18,664
902
199
703
Pct%
100.0%
4.8%
1.1%
3.8%
Pie chart 1 reports the current position or organizational level of respondents. By design, 58
percent of respondents reported their current position is at or above the supervisory level.
Pie Chart 1. Current position or organizational level
7%
3% 3%
17%
Director
Manager
Supervisor
Technician
29%
Staff
24%
Contractor
Other
17%
According to Pie Chart 2, more than half of the respondents (53 percent) report to the chief
information officer. Another 25 percent responded they report to the chief information security
officer.
Pie Chart 2. Primary Person respondent or IT security leader reports to
2%2%
3%2%
13%
Compliance Officer
General Counsel
Chief Security Officer
25%
Other
Page 16
Pie Chart 3 reports the primary industry classification of respondents organizations. This chart
identifies financial services (19 percent) as the largest segment, followed by health and
pharmaceuticals (11 percent) and public sector (11 percent).
Pie Chart 3. Primary industry classification
3% 3%1%
3%
3%
19%
4%
5%
5%
11%
5%
11%
8%
9%
10%
Financial Services
Health & pharmaceuticals
Public services
Retail
Services
Technology & software
Consumer products
Energy & utilities
Industrial
Education & research
Communications
Entertainment & media
Hospitality
Transportation
Defense & aerospace
According to Pie Chart 4, 74 percent of the respondents are from organizations with a global
headcount of over 1,000 employees.
Pie Chart 4. Worldwide headcount of the organization
5%
9%
16%
30%
23%
Page 17
Part 4. Caveats
There are inherent limitations to survey research that need to be carefully considered before
drawing inferences from findings. The following items are specific limitations that are germane to
most web-based surveys.
Non-response bias: The current findings are based on a sample of survey returns. We sent
surveys to a representative sample of individuals, resulting in a large number of usable returned
responses. Despite non-response tests, it is always possible that individuals who did not
participate are substantially different in terms of underlying beliefs from those who completed the
instrument.
Sampling-frame bias: The accuracy is based on contact information and the degree to which the
list is representative of individuals who are IT or IT security practitioners. We also acknowledge
that the results may be biased by external events such as media coverage. We also acknowledge
bias caused by compensating subjects to complete this research within a holdout period.
Self-reported results: The quality of survey research is based on the integrity of confidential
responses received from subjects. While certain checks and balances can be incorporated into
the survey process, there is always the possibility that a subject did not provide a truthful
response.
Page 18
FY 2014
18,664
199
703
3.8%
FY 2013
19,001
218
676
3.6%
FY 2012
17,744
252
671
3.8%
FY 2011
18,988
223
688
3.6%
FY 2010
11,890
218
564
4.7%
Part 1. Screening
S1. What best describes your level of
involvement in endpoint security within your
organization?
None (stop)
Low (stop)
Moderate
Significant
Very significant
Total
FY 2014
0%
0%
10%
54%
36%
100%
FY 2013
0%
0%
11%
55%
34%
100%
FY 2012
0%
0%
9%
54%
33%
100%
FY 2011
0%
0%
10%
50%
33%
100%
FY 2010
0%
0%
11%
56%
28%
100%
FY 2014
0%
100%
100%
FY 2013
0%
100%
100%
FY 2012
1%
96%
97%
FY 2011
1%
95%
96%
FY 2010
1%
96%
97%
FY 2014
26%
21%
9%
8%
32%
4%
FY 2013
24%
23%
10%
10%
29%
5%
FY 2012
24%
23%
11%
9%
27%
5%
FY 2011
21%
23%
13%
9%
29%
5%
FY 2010
24%
23%
11%
9%
27%
5%
0%
100%
0%
100%
0%
100%
0%
100%
0%
100%
FY 2014
15%
19%
21%
34%
11%
100%
FY 2013
16%
16%
28%
30%
10%
100%
FY 2012
14%
19%
33%
26%
8%
100%
Page 19
FY 2014
38%
30%
17%
10%
5%
100%
FY 2014
41%
32%
14%
8%
5%
100%
FY 2014
35%
28%
17%
15%
5%
100%
FY 2014
36%
32%
13%
12%
7%
100%
FY 2014
15%
18%
33%
23%
11%
100%
Page 20
FY 2014
39%
31%
15%
10%
5%
100%
FY 2014
69%
31%
100%
FY 2013
71%
29%
100%
FY 2014
FY 2013
45%
32%
65%
60%
45%
33%
68%
51%
66%
38%
16%
5%
13%
78%
1%
424%
0%
192%
FY 2014
68%
32%
100%
FY 2013
65%
35%
100%
Page 21
FY 2014
23%
18%
67%
49%
45%
2%
204%
FY 2014
42%
46%
28%
39%
26%
19%
1%
201%
FY 2014
55%
15%
30%
100%
FY 2014
44%
56%
100%
FY 2014
26%
74%
100%
Page 22
FY 2014
12%
33%
40%
10%
2%
3%
100%
FY 2013
10%
33%
43%
11%
3%
0%
100%
FY 2014
20%
33%
28%
10%
6%
3%
100%
FY 2013
22%
35%
25%
11%
5%
2%
100%
FY 2014
40
15
21
13
11
100
FY 2014
32
19
25
13
11
100
Page 23
FY 2014
39%
15%
26%
9%
1%
10%
100%
2%
12%
100%
FY 2012
37%
18%
22%
FY 2011
31%
22%
25%
FY 2010
26%
21%
25%
8%
8%
9%
15%
100%
14%
100%
17%
98%
FY 2014
50%
19%
16%
4%
4%
0%
7%
100%
FY 2014
2%
0%
2%
6%
5%
13%
15%
13%
13%
31%
100%
72%
FY 2014
29%
21%
50%
100%
FY 2013
44%
15%
19%
8%
Page 24
FY 2014
46%
FY 2013
36%
FY 2012
31%
FY 2011
29%
FY 2010
30%
30%
35%
28%
33%
30%
24%
31%
35%
35%
46%
65%
26%
28%
40%
49%
46%
67%
80%
26%
29%
45%
55%
43%
65%
86%
31%
32%
49%
56%
37%
63%
89%
26%
35%
57%
64%
25%
57%
92%
29%
80%
74%
79%
83%
75%
65%
55%
59%
48%
54%
36%
3%
544%
4%
592%
41%
5%
587%
33%
6%
577%
FY 2014
75%
18%
7%
100%
FY 2013
68%
22%
10%
100%
13%
504%
Page 25
FY 2014
17%
6%
9%
FY 2013
17%
7%
8%
FY 2012
19%
6%
8%
FY 2011
29%
12%
10%
FY 2010*
32%
14%
11%
69%
38%
66%
43%
67%
45%
56%
41%
45%
44%
80%
75%
73%
48%
9%
29%
35%
39%
42%
10%
12%
30%
41%
12%
15%
40%
10%
15%
44%
14%
16%
43%
11%
28%
33%
32%
36%
41%
43%
18%
10%
42%
35%
22%
500%
9%
45%
31%
28%
500%
19%
53%
25%
36%
500%
28%
49%
29%
39%
499%
20%
44%
FY 2013
44%
35%
3%
4%
3%
11%
100%
FY 2012
40%
35%
3%
5%
3%
14%
100%
299%
FY 2014
10%
11%
26%
35%
15%
3%
100%
FY 2014
33%
26%
15%
9%
5%
12%
100%
Page 26
FY 2014
12%
27%
20%
13%
8%
20%
100%
FY 2014
8%
15%
22%
5%
1%
49%
100%
FY 2014
38%
33%
23%
6%
0%
0%
100%
FY 2013
38%
32%
18%
7%
2%
3%
100%
FY 2012
32%
31%
20%
6%
5%
6%
100%
FY 2014
34%
29%
33%
62%
54%
FY 2013
37%
30%
29%
60%
20%
FY 2012
44%
30%
28%
55%
15%
FY 2011
49%
24%
20%
50%
22%
FY 2010
57%
15%
14%
54%
10%
16%
3%
3%
6%
2%
46%
50%
55%
47%
46%
40%
56%
69%
82%
95%
43%
15%
18%
2%
377%
0%
300%
0%
299%
1%
299%
4%
298%
Page 27
FY 2014
42%
FY 2013
38%
FY 2012
35%
FY 2011
33%
47%
11%
100%
49%
13%
100%
48%
17%
100%
46%
21%
100%
FY 2014
14%
19%
41%
21%
5%
100%
7.03
FY 2013
16%
23%
38%
18%
5%
100%
6.69
FY 2012
19%
21%
41%
13%
6%
100%
6.35
FY 2011
18%
23%
39%
10%
10%
100%
6.12
FY 2010
FY 2014
12%
23%
43%
17%
5%
100%
6.81
FY 2013
14%
25%
38%
14%
9%
100%
6.52
FY 2012
19%
25%
35%
11%
10%
100%
6.01
FY 2011
23%
29%
30%
9%
9%
100%
5.48
FY 2010
Page 28
FY 2014
19%
18%
9%
45%
9%
100%
FY 2014
33%
22%
9%
36%
100%
FY 2014
44%
30%
21%
5%
0%
100%
FY 2014
6%
21%
18%
51%
4%
100%
Page 29
FY 2014
43%
53%
4%
100%
FY 2014
11%
41%
18%
30%
100%
FY 2014
9%
18%
23%
50%
100%
FY 2014
1%
1%
17%
24%
17%
29%
7%
3%
1%
100%
FY 2013
1%
2%
18%
25%
19%
25%
8%
2%
0%
100%
FY 2012
0%
2%
19%
26%
19%
23%
7%
3%
1%
100%
FY 2011
1%
1%
22%
23%
18%
20%
10%
4%
1%
100%
FY 2010
2%
1%
23%
25%
19%
16%
9%
3%
2%
100%
Page 30
FY 2014
1%
1%
2%
53%
25%
3%
0%
2%
13%
0%
100%
FY 2013
0%
2%
1%
53%
25%
4%
0%
2%
12%
1%
100%
FY 2012
0%
1%
3%
54%
23%
6%
0%
4%
9%
0%
100%
FY 2011
0%
1%
2%
53%
23%
8%
0%
5%
8%
0%
100%
FY 2010
1%
2%
2%
50%
21%
9%
2%
6%
5%
2%
100%
FY 2014
0%
3%
5%
1%
4%
5%
3%
19%
11%
3%
5%
11%
10%
9%
8%
3%
100%
FY 2013
1%
2%
4%
1%
3%
5%
4%
21%
12%
3%
1%
12%
9%
11%
8%
3%
100%
FY 2012
2%
3%
3%
2%
5%
4%
3%
20%
12%
5%
5%
10%
9%
8%
7%
2%
100%
FY 2011
1%
5%
2%
3%
6%
3%
4%
18%
10%
4%
4%
12%
8%
9%
8%
3%
100%
FY 2010
2%
4%
3%
3%
5%
2%
3%
19%
11%
4%
5%
13%
7%
8%
6%
5%
100%
FY 2014
100%
65%
70%
31%
54%
39%
5%
FY 2013
100%
63%
72%
28%
55%
36%
6%
FY 2012
100%
65%
71%
26%
50%
32%
5%
FY 2011
100%
69%
70%
23%
45%
31%
7%
FY 2010
100%
63%
68%
19%
41%
29%
8%
FY 2014
9%
17%
23%
30%
16%
5%
100%
17,340
FY 2013
8%
15%
20%
34%
20%
3%
100%
18,125
FY 2012
7%
16%
21%
33%
19%
4%
100%
18,268
FY 2011
5%
16%
22%
31%
21%
5%
100%
19,750
FY 2010
6%
13%
19%
32%
21%
9%
100%
22,832
Page 31
Ponemon Institute
Advancing Responsible Information Management
Ponemon Institute is dedicated to independent research and education that advances responsible
information and privacy management practices within business and government. Our mission is to conduct
high quality, empirical studies on critical issues affecting the management and security of sensitive
information about people and organizations.
As a member of the Council of American Survey Research Organizations (CASRO), we uphold strict
data confidentiality, privacy and ethical research standards. We do not collect any personally identifiable
information from individuals (or company identifiable information in our business research). Furthermore, we
have strict quality standards to ensure that subjects are not asked extraneous, irrelevant or improper
questions.
Page 32