
CompTIA's 11th Annual Information Security Trends

Most Companies Expect to Maintain High Focus on Security


Priority levels charted: Significantly Higher Priority; Moderately Higher Priority; No Change; Moderately or Significantly Lower Priority
Series: Compared to 2 Years Ago; 2 Years from Now Forecast
Chart values as extracted: 37% 28% 44% 51% 17% 18% 2% 3%

Source: CompTIA's 11th Annual Information Security Trends study. Base: 500 U.S. IT and business executives (aka end users) responsible for security

Assessing the Cybersecurity Landscape


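Security Threats, rated by Security Concern (Serious Concern / Moderate Concern) and Change in Trend (More Critical Today / No Change or Less Critical Today)

Malware (e.g. viruses, worms, trojans, botnets, etc.): Serious Concern 53%, Moderate Concern 38%; More Critical Today 48%, No Change / Less Critical Today 52%
Hacking (e.g. DoS attack, APT, etc.): Serious Concern 44%, Moderate Concern 42%; More Critical Today 47%, No Change / Less Critical Today 53%
Social engineering/Phishing: Serious Concern 37%, Moderate Concern 45%; More Critical Today 38%, No Change / Less Critical Today 62%
Data loss/leakage: Serious Concern 35%, Moderate Concern 46%; More Critical Today 30%, No Change / Less Critical Today 70%
Understanding security risks of emerging areas, i.e. cloud, mobile, social: Serious Concern 32%, Moderate Concern 49%; More Critical Today 39%, No Change / Less Critical Today 61%
Physical security threats (e.g. theft of a device): Serious Concern 28%, Moderate Concern 42%; More Critical Today 28%, No Change / Less Critical Today 72%
Intentional abuse by insiders, i.e. staff, contractors: Serious Concern 26%, Moderate Concern 42%; More Critical Today 24%, No Change / Less Critical Today 76%
Lack/inadequate enforcement of company security policy: Serious Concern 23%, Moderate Concern 45%; More Critical Today 23%, No Change / Less Critical Today 77%
Lack of budget/support for investing in security: Serious Concern 23%, Moderate Concern 42%; More Critical Today 24%, No Change / Less Critical Today 76%
Human error among IT staff: Serious Concern 22%, Moderate Concern 47%; More Critical Today 20%, No Change / Less Critical Today 80%
Human error among general staff: Serious Concern 21%, Moderate Concern 55%; More Critical Today 24%, No Change / Less Critical Today 76%

Source: CompTIA's 11th Annual Information Security Trends study. Base: 500 U.S. end users responsible for security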

Security Defenses in Use


Defenses charted: Data Loss Prevention; Identity and Access Management; Formal risk assessment; Security Information and Event Management; Enterprise Security Intelligence; External Vulnerability Assessments
Series: Large Firms; Medium Firms; Small Firms
Chart values as extracted: 43% 39% 51% 40% 35% 44% 37% 32% 41% 34% 22% 40% 71% 54% 55% 61% 25% 28%

Source: CompTIA's 11th Annual Information Security Trends study. Base: 500 U.S. end users responsible for security

Human Element a Major Part of Security Risk


Factors in Security Breaches
Categories charted: Human Error; Technology Error
Chart values as extracted: 55% 45%

Top Human Error Sources
End user failure to follow policies and procedures
IT staff failure to follow policies and procedures
Lack of security expertise with website/applications
Lack of security expertise with IT infrastructure
Chart values as extracted: 42% 41% 39% 38%

Source: CompTIA's 11th Annual Information Security Trends study. Base: 320 end users experiencing security breaches/244 end users with human error issues

Change in Security Approach Over Past Two Years


Amount of change charted: Drastic amount of change; Moderate amount of change; No change/small amount of change
Chart values as extracted: 51% 36% 13%

View of Drastic/Moderate Change by Job Function
70% Business Function
69% IT Function
44% Executives

Source: CompTIA's 11th Annual Information Security Trends study. Base: 500 U.S. IT and business executives (aka end users) responsible for security

Formal Risk Analysis Not a Part of Security Planning for Most Companies
Planning to Use 33%
41%

Currently Using

No plans/Not familiar

26%

Source: CompTIA's 11th Annual Information Security Trends study. Base: 500 U.S. end users responsible for security

Balancing Risk and Security


Reasons to Mitigate Security Risk
67% Nature of emerging threats
56% Result of security evaluation
50% New business model/offerings

Reasons to Accept More Security Risk
66% Desire to use new technology
63% Changing security landscape
53% Potential business benefits

Balance categories charted: Too Much Risk; Appropriate Balance; Security Too Stringent
Chart values as extracted: 66% 18% 17%

Source: CompTIA's 11th Annual Information Security Trends study. Base: 500 U.S. IT and business executives (aka end users) responsible for security

Rating of Workforce Security Mindset

Ratings charted:
Advanced: Understand Policies and Try to Stay Compliant
Basic: Unfamiliar with Some Details but Generally Aware
Low Priority: More Focused on Work Tasks and Less on Security
Chart values as extracted: 44% 48% 8%

Source: CompTIA's 10th Annual Information Security Trends study. Base: 306 end users experiencing security breaches over past year

Changes on the Technology Landscape Affecting Security


Changes charted:
Rise of social networking
Cloud Computing
Availability of easy-to-use hacking tools
Interconnectivity of devices/systems
Sophistication of security threats
Growing organization of hackers
Volume of security threats
Consumerization of IT 33%
Other chart values as extracted: 52% 51% 49% 48% 47% 47% 39%

Source: CompTIA's 11th Annual Information Security Trends study. Base: 500 U.S. IT and business executives (aka end users) responsible for security

Review of Cloud Provider Security


Amount of Review Done by End Users
Categories charted: Heavy; Moderate; Little/None/Don't Know
Chart values as extracted: 40% 29% 14%
17% say it depends on situation

Areas Reviewed by End Users
Identity and access management
BC/DR plans of cloud provider
Data integrity assurances
Data encryption at rest and in transit
Data and backup retention policies
Regulatory compliance of provider
Credentials held by provider
Geographic location of data centers

Source: CompTIA's 11th Annual Information Security Trends study. Base: 435 end users with cloud solutions

Mobile Security Incidents Within Businesses


Incidents charted:
Lost/stolen device
Mobile malware
Employees disabling security features
Mobile phishing attack
Violation of policy on corporate data
None of the above
Series: 2013; 2012
Chart values as extracted: 28% 19% 26% 19% 24% 39% 38% 20% 23% 25% 31% 34%

Source: CompTIA's 11th Annual Information Security Trends study. Base: 500 U.S. end users responsible for security

The Growing Threat of Data Loss


Experiencing Data Loss in the Past Year
Categories charted: Don't Know; No; Yes (Probably / Definitely)
Chart values as extracted: 19% 50% 25% 6%

Types of Data Lost
Corporate financial data
Data about employees
Intellectual property
Customer data
Believe data was lost, but not sure which data
Chart values as extracted: 55% 43% 42% 28% 22%

Source: CompTIA's 11th Annual Information Security Trends study. Base: 500 end users/190 end users experiencing data loss

Want to know more? As the voice of the IT industry, CompTIA has hundreds of tools, market intelligence reports and business training programs to help IT organizations grow through education, certification, advocacy and philanthropy. Check it out at www.comptia.org.
Want to know about our research on the IT workforce? Visit http://www.comptia.org/research/it-workforce.aspx.
