Ponemon Institute© Research Report
Sponsored by ObserveIT
Independently conducted by Ponemon Institute LLC
June 2015
What You Don’t Know Will Hurt You: A Study of the Risk from Application Access and Usage
Ponemon Institute©: Private & Confidential Report Page 2
What You Don’t Know Will Hurt You:
A Study of the Risk from Application Access and Usage
Ponemon Institute, May 2015
Part 1. Introduction
Abused application access and data misusage have been the cause of the majority of data breaches, as well as costly fines and litigation. Consider the case of the Morgan Stanley financial advisor who accessed a financial application and downloaded account data on 10 percent of their wealth management clients (~350,000 people). Or, an AT&T call center employee who accessed sensitive customer data without adequate authorization and exposed customer names and Social Security numbers (~280,000 people).
Companies and their employees are becoming increasingly dependent upon applications to achieve business goals and increase productivity. However, the proliferation of applications is creating a serious security risk because identifying users’ risky behavior and non-compliance with policies can be nearly impossible. The typical organization now collects and stores a vast amount of customer data. In addition, the large number of employees accessing applications makes it difficult for organizations to keep track of exactly “who’s doing what”.
Historically, companies have identified these types of risks through audits and assessments of application access and usage logs. This manual process is resource intensive. It requires significant staff time to correlate and review logs due to the large volume of users and activity. In addition, each application logs user actions differently and at varying levels of granularity, with many applications not producing logs at all. These logs typically contain hundreds or thousands of discrete events in obscure technical language. As a consequence, organizations that rely upon logs from applications and devices find it nearly impossible to determine what a user actually did.
Ponemon Institute is pleased to present What You Don’t Know Will Hurt You: A Study of the Risk from Application Access and Usage, sponsored by ObserveIT. The purpose of this study is to examine application access and usage and how it has created a major security problem for organizations. In the context of this research, application access and usage includes both application admins who provide entitlements within core applications and general business users who leverage applications on a daily basis to perform key tasks for their jobs.
The study surveyed 610 U.S. IT and IT security practitioners. The majority of respondents are very familiar (27 percent) or familiar (48 percent) with their organization’s approach to monitoring application users. Seventy-nine percent have responsibility for detecting and/or investigating instances of suspicious user activities within the organization.
The study reveals why this issue is a growing and unaddressed risk:
§ Audits and formal assessments reveal deficiencies in monitoring application access and usage, according to 71 percent of respondents.
§ Only eight percent of respondents say their organizations have deployed commercial auditing and monitoring solutions for application access and usage.
§ Application users are most likely to cause a security breach because of negligence.
§ Monitoring is mainly done by ad hoc or manual systems (36 percent of respondents) or homegrown systems that focus on privileged users (20 percent of respondents).
§ Current monitoring capabilities are unable to detect unusual behavior and 45 percent of respondents give them very low marks.
Part 2. Key Findings
In this section, we provide a detailed analysis of the research findings. The complete audited findings are presented in the appendix of this report. We have organized the findings according to the following three topics:
§ A needle in a haystack: detecting application access abuse and negligence
§ The connection between risky application behavior and security breaches
§ On-premise vs. the cloud environment and application user risk
A needle in a haystack: detecting the abuse of application access and data misusage
Is risky application access and usage being overlooked, ignored and not receiving the priority it deserves? Figure 1 shows that many respondents do not agree, or are unsure, that it is difficult to detect user abuse, and this puts application security at risk. While 54 percent of respondents admit it is difficult to identify application user activities that are illegal or inappropriate in real time, 45 percent of respondents do not agree (19 percent) or are unsure (26 percent).
Similarly, the majority of respondents (54 percent) say it is difficult to separate application user abuse from external attacker activity. However, 46 percent of respondents do not agree (18 percent) or are unsure (28 percent) that this is the situation in their organizations. With respect to the monitoring of application usage, 49 percent of respondents do not agree (20 percent) or are unsure (29 percent) that the frontend is as secure as backend data storage infrastructures.
Figure 1. Is it difficult to detect application user negligence and abuse?
[Figure 1 bar chart, agree / unsure / disagree per statement. Application usage (frontend) is not as monitored or secured as backend data storage infrastructures: 50% / 29% / 20%. It is difficult to separate application user abuse from external attacker activity: 54% / 28% / 18%. It is difficult to identify application user activities that are illegal or inappropriate in real time: 54% / 26% / 19%.]
Business users are often not as security conscious as IT administrators and as a result put confidential and sensitive data at risk. User-based threats of most concern are users making mistakes (44 percent) or turning malicious (31 percent). Only 25 percent are concerned with users being targeted by attackers.
Business users are typically less careful about using complex passwords, protecting the confidentiality of their passwords, and being aware of social engineering techniques. As a result they are an easy target for phishing scams and other attackers. Fifty-one percent of respondents say companies are facing the increasing use of phishing tactics to obtain users’ access credentials.
Figure 2. What user-based threats concern your organization the most?
[Figure 2 bar chart: User making mistakes (i.e., negligence) 44%, User turning malicious 31%, User being targeted by attackers 25%]
Problems in identifying negligent behavior are putting organizations at risk. Figure 3 reveals that log collection and analysis is not effective in identifying application users who misuse sensitive or confidential information, according to 52 percent of respondents. However, 30 percent of respondents are unsure whether log collection and analysis is effective for this purpose. Moreover, organizations are not able to capture the actions taken by application users from login to logout.
Figure 3. Detecting negligent behavior is difficult
[Figure 3 bar chart. Log collection and analysis is not effective in identifying application users who misuse sensitive or confidential information: unsure 30%, disagree 19%. Our organization is unable to capture the actions taken by application users from login to logout: unsure 28%, disagree 21%. The two agree bars read 49% and 52%.]
The connection between risky application user behavior and security breaches
Companies are experiencing at least one serious security breach per month. On average, companies in this study had nine security breaches in the past year. As shown in Figure 4, most of these breaches were discovered by audit or assessment (66 percent of respondents), accidental discovery (55 percent of respondents) or notification by partner or third party. Only 33 percent of respondents say they are detected through automated monitoring or by use of forensic methods and tools (26 percent of respondents).
Figure 4. How security breaches are discovered
More than one response permitted
[Figure 4 bar chart: Audit or assessment 66%, Accidental discovery 55%, Notification by partner or other third party 50%, Detection through manual monitoring 39%, Detection through automated monitoring 33%, Use of forensic methods and tools 26%, Notification by law enforcement 15%, Other 10%]
How many security incidents are linked to privileged users, application users and/or third parties because of negligence, malice or stolen credentials by outside attackers?
According to the findings, application users are mostly responsible for user-based threats caused by negligence and attackers (71 percent and 42 percent of respondents, respectively) and privileged users are mostly responsible for threats involving malice (52 percent), as shown in Figure 5.
Figure 5. Who caused the security breach?
[Figure 5 bar chart. User-based threats caused by negligence: privileged users 18%, application users 71%, third parties 11%. User-based threats caused by malice: privileged users 52%, application users 38%, third parties 10%. User-based threats targeted by attackers: privileged users 34%, application users 42%, third parties 24%.]
Applications used in customer support and in the C-suite put organizations at risk. According to Figure 6, the business functions that pose the greatest user-based threats are customer support (18 percent), executive management (17 percent) and sales force operations (14 percent). The most risky are: newly hired employees (34 percent), employees rated as poor performers (23 percent) and those who work from remote locations (17 percent).
Figure 6. Which business function poses the greatest user-based threats?
Only one response permitted
[Figure 6 bar chart: Customer support 18%, Executive management 17%, Sales force operations 14%, Marketing & communications 11%, Corporate IT 9%, Finance & accounting 8%, Legal & compliance 7%, Logistics & procurement 6%, Data center operations 5%, Research & development 4%, Other 1%]
Companies are more likely to have systems to measure and monitor privileged users than application users. Forty-eight percent of respondents say systems are in place to measure and monitor privileged users and 34 percent say they will be deployed in the next six months, according to Figure 7. In contrast, only 8 percent of respondents have such systems in place for application users and 36 percent plan to deploy them in the next six months. Twenty-one percent of respondents have no plan to deploy.
Currently, 14 percent of respondents say systems to measure and monitor third parties are deployed and 22 percent will be deployed in the next six months. However, 40 percent of respondents say they have no plan to deploy.
Figure 7. What systems are in place to monitor all users?
[Figure 7 bar chart, presently deployed / plan to deploy within the next 6 months / plan to deploy in more than 6 months / no plan to deploy. Systems to measure and monitor privileged users: 48% / 34% / 10% / 8%. Systems to measure and monitor application users: 8% / 36% / 35% / 21%. Systems to measure and monitor third parties: 14% / 22% / 23% / 40%.]
Monitoring is mainly done by manual or homegrown systems and focuses on privileged users. Figure 8 reveals that most monitoring is ad hoc or manual (36 percent), followed by a homegrown system that mainly focuses on privileged users (20 percent). Only 25 percent use a commercial system that focuses on privileged users (12 percent) or on both privileged and application users (13 percent).
It is far more difficult to manually track the activities of thousands, or tens of thousands, of business users than those of a few dozen administrators. A comprehensive, automated monitoring system would help detect abusive or negligent behavior.
Figure 8. How does your organization monitor users?
[Figure 8 bar chart: Ad hoc or manual system 36%, Homegrown system that mainly focuses on privileged users 20%, Homegrown system that focuses on both privileged and application users 17%, Commercial system that focuses on both privileged and application users 13%, Commercial system that mainly focuses on privileged users 12%, Other 2%]
Monitoring capabilities to detect unusual behavior receive low marks. As shown in Figure 9, 45 percent of respondents rate their capability to flag unusual employee/user behavior as very low (1 or 2 on a scale of 1 = low to 5 = high). As discussed above, only 13 percent of respondents have a commercial system that focuses on application users as well as privileged users.
Figure 9. How would you rate the ability of your organization’s user monitoring capabilities and ability to pinpoint unusual or atypical employee/user behavior?
On a scale of 1 = low capability to 5 = high capability, with an average rating of 2.7.
[Figure 9 bar chart: 1 Low 15%, 2 30%, 3 29%, 4 19%, 5 High 6%]
Audits reveal a deficiency or failure in organizations’ controls over application users. In the past 24 months, 42 percent of respondents say their organization conducted a compliance audit or formal assessment of its ability to identify and contain application user threats. Seventy-one percent of respondents say the audit findings revealed a deficiency in controls over application users. As shown in Figure 10, the reasons for the audit failure include such vulnerabilities in application user practices as insufficient governance, monitoring and control processes (33 percent) and insufficient employee/user training and awareness (26 percent). As a result, most respondents (67 percent) say the auditors are putting pressure on their organization to monitor application usage.
Figure 10. What are the main reasons for an audit failure?
[Figure 10 bar chart: Insufficient governance, monitoring and control processes 33%, Insufficient employee/user training and awareness 26%, Lack of in-house security personnel 17%, Insufficient resources 12%, Lack of enabling security technologies 12%]
On-premise vs. the cloud environment and application user risk
Remote or home offices, and times when offices are closed, are the most difficult scenarios in which to monitor application users’ activities. Twenty-eight percent of respondents say that remote or home offices, or times when the business is closed, present the greatest monitoring challenges, according to Figure 11.
Figure 11. Where is it most difficult to monitor user abuse?
[Figure 11 bar chart: Remote or home office 28%, Workplace, during off hours 28%, Workplace, during normal hours 20%, During travel 18%, Other 5%]
Another concern is the ability of users to access mission critical applications in the on-premise IT environment, as shown in Figure 12. The most accessible are: workforce productivity and management applications (66 percent), financial and accounting systems (50 percent) and enterprise resource planning applications (32 percent).
Figure 12. Seven mission critical on-premise apps that cause security risks
Percentage yes response given
[Figure 12 bar chart: eCommerce & Internet apps 74%, Workforce productivity & management apps 66%, Financial & accounting systems 50%, Enterprise resource planning apps 32%, Call center apps 30%, Customer relationship management 18%, Human resource management apps 17%]
In the cloud environment, respondents are concerned that application users have access to workforce productivity and management applications (68 percent) and financial and accounting systems (48 percent), according to Figure 13.
Figure 13. Seven mission critical apps in the cloud that cause security risks
Percentage yes response given
[Figure 13 bar chart: eCommerce & Internet apps 75%, Workforce productivity & management apps 68%, Financial & accounting systems 48%, Call center apps 32%, Enterprise resource planning apps 28%, Customer relationship management 18%, Human resource management apps 16%]
Where are companies most effective in identifying and containing application-based threats for mission critical applications? According to Figure 14, respondents have the most confidence in detecting and containing threats in financial and accounting systems applications (72 percent), enterprise resource planning applications (69 percent) and human resource management applications (56 percent). The apps that end users have the greatest access to are those in which respondents have the least confidence in identifying and containing threats.
Figure 14. Can your organization identify and contain threats in the following mission critical applications?
[Figure 14 bar chart: Financial & accounting systems 72%, Enterprise resource planning apps 69%, Human resource management apps 56%, Customer relationship management 50%, Call center apps 45%, eCommerce & Internet apps 38%, Workforce productivity & management apps 30%]
Can companies identify and contain risky behavior through existing infrastructure monitoring? Organizations are most confident about identifying security risks in the following practices: viewing, copying, pasting or printing data from business critical applications (74 percent), visiting websites prohibited by company policy (68 percent), negligence with thumb drives and emailing sensitive and confidential information (Figure 15).
Figure 15. What risky behavior can your company identify and contain through monitoring?
[Figure 15 bar chart: Viewing, copying, pasting or printing data from business critical applications 74%, Visiting websites prohibited by company policy 68%, Negligence with thumb drives 63%, Emailing sensitive and confidential information 59%, Visiting WiFi hotspots 56%, Shadow IT: cloud storage/backing-up, screen capture, transferring files 49%, Remote access (leapfrogging) 45%, Copying files to public cloud 42%, Social engineering 41%, Using uncommon applications 36%]
Risky user behavior in the cloud is difficult to detect. As shown in Figure 16, in the cloud (SaaS) environment, companies are not confident they can identify the following risky behaviors: shadow IT: cloud storage/backing-up, screen capture, transferring files (18 percent); viewing, copying, pasting or printing data from business critical applications (17 percent); negligence with thumb drives (17 percent); remote access (leapfrogging) (17 percent); and using uncommon applications (17 percent).
Figure 16. What risky behavior can your company identify and contain in the cloud?
[Figure 16 bar chart: Shadow IT: cloud storage/backing-up, screen capture, transferring files 18%, Viewing, copying, pasting or printing data from business critical applications 17%, Remote access (leapfrogging) 17%, Using uncommon applications 17%, Negligence with thumb drives 17%, Emailing sensitive and confidential information 16%, Visiting websites prohibited by company policy 16%, Visiting WiFi hotspots 15%, Social engineering 15%, Copying files to public cloud 15%]
Despite a lack of confidence in detecting risky behavior, more mission critical applications will be moved to the cloud. On average, 36 percent of their organization’s mission critical applications are in the cloud today and 46 percent of their organization’s mission critical applications will be located in the cloud in the next 12 months, as shown in Figure 17.
Figure 17. Mission critical applications in the cloud today and in 12 months
[Figure 17 bar chart, mission critical applications located in the cloud (SaaS), categories Less than 10%, 10% to 25%, 26% to 50%, 51% to 75%, 76% to 100%; the two series read 16%, 27%, 28%, 26%, 3% and 10%, 18%, 27%, 30%, 15%]
Part 3. Methods
The sampling frame is composed of 18,520 IT and IT security practitioners located in the United States. As shown in Table 1, 664 respondents completed the survey. Screening removed 54 surveys. The final sample was 610 surveys (or a 3.3 percent response rate).
Table 1. Sample response Freq Pct%
Total sampling frame 18,520 100%
Total returns 664 3.6%
Rejected or screened surveys 54 0.3%
Final sample 610 3.3%
Pie Chart 1 reports the current position or organizational level of the respondents. Half of respondents reported their current position as supervisory or above.
Pie Chart 1. Current position or organizational level
[Pie Chart 1: Senior Executive 2%, Vice President 2%, Director 11%, Manager 17%, Supervisor 18%, Technician/analyst 39%, Staff 7%, Contractor 3%, Other 1%]
Pie Chart 2 identifies the primary person the respondent or their supervisor reports to. Twenty-six percent of respondents report to the chief information officer and 20 percent report to the chief information security officer.
Pie Chart 2. The primary person you or your supervisor reports to
[Pie Chart 2: Chief Information Officer 26%, Chief Information Security Officer 20%, Chief Technology Officer 13%, Chief Risk Officer 9%, General Counsel 7%, Compliance Officer 7%, Chief Security Officer 6%, Chief Financial Officer 5%, CEO/Executive Committee 3%, Other 3%]
Pie Chart 3 reports the primary industry sector of respondents’ organizations. This chart identifies financial services (22 percent) as the largest segment, followed by health & pharmaceuticals (11 percent) and public sector (11 percent).
Pie Chart 3. Primary industry sector
[Pie Chart 3: Financial services 22%, Health & pharmaceuticals 11%, Public sector 11%, Services 10%, Retail 9%, Technology & software 6%, Energy & utilities 6%, Industrial 6%, Hospitality 5%, Consumer products 5%, Entertainment & media 3%, Other 5%]
According to Pie Chart 4, the majority of respondents (73 percent) are from organizations with a global headcount of 1,000 or more employees.
Pie Chart 4. Worldwide headcount of the organization
[Pie Chart 4: Less than 500 13%, 500 to 1,000 14%, 1,001 to 5,000 33%, 5,001 to 10,000 17%, 10,001 to 50,000 15%, 50,000+ 8%]
Part 4. Caveats
There are inherent limitations to survey research that need to be carefully considered before drawing inferences from findings. The following items are specific limitations that are germane to most web-based surveys.
Non-response bias: The current findings are based on a sample of survey returns. We sent surveys to a representative sample of individuals, resulting in a large number of usable returned responses. Despite non-response tests, it is always possible that individuals who did not participate are substantially different in terms of underlying beliefs from those who completed the instrument.
Sampling frame bias: The accuracy is based on contact information and the degree to which the list is representative of individuals who are IT or IT security practitioners located in the United States. We also acknowledge that the results may be biased by external events such as media coverage. We also acknowledge bias caused by compensating subjects to complete this research within a specified time period.
Self-reported results: The quality of survey research is based on the integrity of confidential responses received from subjects. While certain checks and balances can be incorporated into the survey process, there is always the possibility that a subject did not provide accurate responses.
Appendix: Detailed Survey Results
The following tables provide the frequency or percentage frequency of responses to all survey questions contained in this study. All survey responses were captured in March 2015.
Survey response Pct%
Sampling frame 100%
Total returns 3.6%
Rejected or screened surveys 0.3%
Final sample 3.3%
S1. How familiar are you with your organization’s approach to monitoring application users? Pct%
Very familiar 27%
Familiar 48%
Somewhat familiar 24%
No knowledge (Stop) 0%
Total 100%
S2. Do you have any responsibility for detecting and/or investigating instances of suspicious user activities within your organization? Pct%
Yes, full responsibility 27%
Yes, some responsibility 52%
Yes, minimum responsibility 22%
No responsibility (Stop) 0%
Total 100%
S3. What best describes your role in your organization? Please check only one choice. Pct%
IT operations 19%
IT security operations 19%
Data center management 14%
Incident response team 10%
Systems administration 8%
Forensics 7%
Application development 7%
Database administration 4%
IT compliance 3%
IT audit 2%
Cloud administrator 2%
Network engineering 2%
Identity & access management 1%
Other (please specify) 1%
None of the above (Stop) 0%
Total 100%
Part 1. Attributions
The following statements relate to application user-based risks. Please rate each statement using the scale provided below each item.
Q1. Application users represent an increasing security risk for my organization. Pct%
Strongly agree 18%
Agree 33%
Unsure 28%
Disagree 19%
Strongly disagree 2%
Total 100%
Q2. It is difficult to separate application user abuse from external attacker activity. Pct%
Strongly agree 17%
Agree 37%
Unsure 28%
Disagree 15%
Strongly disagree 3%
Total 100%
Q3. It is difficult to identify application user activities that are illegal or inappropriate in real time. Pct%
Strongly agree 19%
Agree 35%
Unsure 26%
Disagree 15%
Strongly disagree 4%
Total 100%
Q4. Our security operations team recognizes that application users present a greater risk to the organization than privileged users. Pct%
Strongly agree 17%
Agree 33%
Unsure 30%
Disagree 17%
Strongly disagree 2%
Total 100%
Q5. Our C-level executives recognize that application users present a greater risk to the organization than privileged users. Pct%
Strongly agree 5%
Agree 12%
Unsure 61%
Disagree 18%
Strongly disagree 3%
Total 100%
Q6. Attackers are increasing the use of phishing tactics to obtain application users’ access credentials. Pct%
Strongly agree 19%
Agree 32%
Unsure 28%
Disagree 17%
Strongly disagree 4%
Total 100%
Q7. Log collection and analysis is not effective in identifying application users who misuse sensitive or confidential information. Pct%
Strongly agree 16%
Agree 36%
Unsure 30%
Disagree 16%
Strongly disagree 3%
Total 100%
Q8. Our organization is unable to capture the actions taken by application users from login to logout. Pct%
Strongly agree 17%
Agree 35%
Unsure 28%
Disagree 17%
Strongly disagree 4%
Total 100%
Q9. Application usage (frontend) is not as monitored or secured as backend data storage infrastructures. Pct%
Strongly agree 17%
Agree 33%
Unsure 29%
Disagree 17%
Strongly disagree 3%
Total 100%
Part 2. Risky user behavior
Q10. How many separate security breaches did your organization experience over the past 12 months? Pct%
None (skip to Q14) 11%
1 to 2 15%
3 to 5 18%
6 to 10 17%
11 to 15 18%
16 to 25 19%
More than 25 3%
Total 100%
Extrapolated value 9.32
Q11. How many of the above-mentioned security breaches were caused by privileged users, application users and/or third parties – because of negligence, malice or stolen credentials by outside attacker (e.g., from phishing, social engineering or malware infection)?
Q11a. User-based threats caused by negligence Pct%
Privileged users 18%
Application users 71%
Third parties 11%
Total 100%
Q11b. User-based threats caused by malice Pct%
Privileged users 52%
Application users 38%
Third parties 10%
Total 100%
Q11c. User-based threats targeted by attackers Pct%
Privileged users 34%
Application users 42%
Third parties 24%
Q12a. Do you have systems to measure and monitor privileged users? Pct%
Presently deployed 48%
Plan to deploy within the next 6 months 34%
Plan to deploy in more than 6 months 10%
No plan to deploy 8%
Total 100%
Q12b. Do you have systems to measure and monitor application users? Pct%
Presently deployed 8%
Plan to deploy within the next 6 months 36%
Plan to deploy in more than 6 months 35%
No plan to deploy 21%
Total 100%
Q12c. Do you have systems to measure and monitor third parties? Pct%
Presently deployed 14%
Plan to deploy within the next 6 months 22%
Plan to deploy in more than 6 months 23%
No plan to deploy 40%
Total 100%
Q13. How were the security breaches discovered? Please select all that apply. Pct%
Accidental discovery 55%
Audit or assessment 66%
Notification by partner or other third party 50%
Detection through manual monitoring 39%
Use of forensic methods and tools 26%
Detection through automated monitoring 33%
Notification by law enforcement 15%
Other 10%
Total
Q14. What user-based threat concerns your organization the most? Pct%
User making mistakes (i.e., negligence) 44%
User turning malicious 31%
User being targeted by attackers 25%
Total 100%
Q15a. In the past 24 months, did your organization conduct a compliance audit or formal assessment of its ability to identify and contain application user threats? Pct%
Yes 42%
No 58%
Total 100%
Q15b. If yes, did audit findings reveal a deficiency (failure) in your organization’s controls over application users? Pct%
Yes 71%
No 29%
Total 100%
Q15c. If yes, are auditors putting pressure on your organization to monitor application usage? Pct%
Yes 67%
No 33%
Q15d. If yes, what was the main reason for the audit failure? Pct%
Insufficient governance, monitoring and control processes 33%
Insufficient employee/user training and awareness 26%
Lack of in-house security personnel 17%
Lack of enabling security technologies 12%
Insufficient resources 12%
Other 0%
Total 100%
Q16. Which business function poses the greatest user-based threats within your organization? Please select only 1. Pct%
Customer support 18%
Executive management 17%
Sales force operations 14%
Marketing & communications 11%
Corporate IT 9%
Finance & accounting 8%
Legal & compliance 7%
Logistics & procurement 6%
Data center operations 5%
Research & development 4%
Other 1%
Total 100%
Q17. From a security risk perspective, what employee status are you most concerned about? Pct%
Newly hired employees 34%
Employees who are rated as poor performers 23%
Employees who work from remote locations 17%
Employees who gave two weeks notice of termination 12%
Employees who work irregular shifts 10%
Employees who are pending a layoff 4%
Total 100%
Q18. What best describes your organization’s current user monitoring capabilities? Pct%
Ad hoc or manual system 36%
Homegrown system that mainly focuses on privileged users 20%
Homegrown system that focuses on both privileged and application users 17%
Commercial system that mainly focuses on privileged users 12%
Commercial system that focuses on both privileged and application users 13%
Other 2%
Total 100%
Q19. Using the following 5-point scale, please rate your organization’s user monitoring capabilities and ability to pinpoint unusual or atypical employee/user behavior. Pct%
1 low 15%
2 30%
3 29%
4 19%
5 high 6%
Total 100%
Extrapolated value 2.70
Q20. Where is it most difficult to monitor application users’ activities? Pct%
Remote or home office 28%
Workplace, during off hours 28%
Workplace, during normal hours 20%
During travel 18%
Other 5%
Total 100%
Q21. Following are employee behaviors that may give rise to security risks within your organization. Is your organization’s existing infrastructure monitoring able to identify and mostly contain each risky behavior in the on-premise IT environment? Percentage Yes response given. Pct%
Viewing, copying, pasting or printing data from business critical applications 74%
Visiting websites prohibited by company policy 68%
Negligence with thumb drives 63%
Emailing sensitive and confidential information 59%
Visiting WiFi hotspots 56%
Shadow IT: cloud storage/backing-up, screen capture, transferring files 49%
Remote access (leapfrogging) 45%
Social engineering 41%
Copying files to public cloud 42%
Using uncommon applications 36%
Q22. Following are employee behaviors that may give rise to security risks within your organization. Is your organization's existing infrastructure monitoring able to identify and mostly contain each risky behavior in the cloud (SaaS) environment? Percentage Yes response given. Pct%
Viewing, copying, pasting or printing data from business critical applications 17%
Visiting websites prohibited by company policy 16%
Negligence with thumb drives 17%
Emailing sensitive and confidential information 16%
Visiting WiFi hotspots 15%
Shadow IT: cloud storage/backing-up, screen capture, transferring files 18%
Remote access (leapfrogging) 17%
Social engineering 15%
Copying files to public cloud 15%
Using uncommon applications 17%
Q23. Following are 7 mission critical applications located on-premise that may give rise to security risks within your organization because of application-based threats. Please select whether most ordinary users in your organization are able to access each mission critical application in the on-premise IT environment. Percentage Yes response given. Pct%
Financial & accounting systems 50%
Workforce productivity & management apps 66%
Call center apps 30%
Customer relationship management 18%
Enterprise resource planning apps 32%
Human resource management apps 17%
Q24. Following are 7 mission critical applications located in the cloud that may give rise to security risks within your organization because of application-based threats. Please select whether most ordinary users in your organization are able to access each mission critical application in the cloud environment. Percentage Yes response given. Pct%
Financial & accounting systems 48%
Workforce productivity & management apps 68%
Call center apps 32%
Customer relationship management 18%
Enterprise resource planning apps 28%
Human resource management apps 16%
eCommerce & Internet apps 75%
Q25. What applications listed below does your organization plan to move from on-premises to the cloud? Pct%
Financial & accounting systems 49%
Workforce productivity & management apps 64%
Call center apps 36%
Customer relationship management 65%
Enterprise resource planning apps 18%
Human resource management apps 47%
eCommerce & Internet apps 68%
Q26. What applications listed below does your organization plan to move from the cloud to on-premise? Pct%
Financial & accounting systems 18%
Workforce productivity & management apps 16%
Call center apps 15%
Customer relationship management 16%
Enterprise resource planning apps 18%
Human resource management apps 18%
eCommerce & Internet apps 17%
Q27a. Today, what percent of your organization's mission critical applications are located in the cloud (SaaS)? Pct%
Less than 10% 16%
10% to 25% 27%
26% to 50% 28%
51% to 75% 26%
76% to 100% 3%
Total 100%
Extrapolated value 36%
Q27b. Looking ahead 12 months from now, what percent of your organization's mission critical applications will be located in the cloud (SaaS)? Pct%
Less than 10% 10%
10% to 25% 18%
26% to 50% 27%
51% to 75% 30%
76% to 100% 15%
Total 100%
Extrapolated value 46%
Q28. Is your organization's existing infrastructure monitoring effective at identifying and containing application-based threats for each mission critical application listed below? Percentage Yes response given. Pct%
Financial & accounting systems 72%
Workforce productivity & management apps 30%
Call center apps 45%
Customer relationship management 50%
Enterprise resource planning apps 69%
Human resource management apps 56%
eCommerce & Internet apps 38%
Part 4. Respondents’ characteristics
D1. What organizational level best describes your current position? Pct%
Senior Executive 2%
Vice President 2%
Director 11%
Manager 17%
Supervisor 18%
Technician/analyst 39%
Staff 7%
Contractor 3%
Other 1%
Total 100%
D2. Check the primary person or office you or your leader reports to within the organization. Pct%
Chief Information Officer 26%
Chief Information Security Officer 20%
Chief Technology Officer 13%
Chief Risk Officer 9%
General Counsel 7%
Compliance Officer 7%
Chief Security Officer 6%
Chief Financial Officer 5%
CEO/Executive Committee 3%
Human Resources VP 2%
Other 1%
D3. What best describes the respondent company’s industry sector? Pct%
Financial services 22%
Health & pharmaceuticals 11%
Public sector 11%
Retail 9%
Services 10%
Industrial 6%
Technology & software 6%
Consumer products 5%
Energy & utilities 6%
Hospitality 5%
Entertainment & media 3%
Education & research 1%
Communications 1%
Transportation 1%
Agriculture & food services 1%
Defense & aerospace 1%
Other 0%
Total 100%
D4. What is the worldwide headcount of your organization? Pct%
Less than 500 13%
500 to 1,000 14%
1,001 to 5,000 33%
5,001 to 10,000 17%
10,001 to 50,000 15%
50,000+ 8%
Total 100%
Extrapolated value 11,198
Please contact research@ponemon.org or call us at 800.877.3118 if you have any questions.
Ponemon Institute
Advancing Responsible Information Management
Ponemon Institute is dedicated to independent research and education that advances responsible information and privacy management practices within business and government. Our mission is to conduct high quality, empirical studies on critical issues affecting the management and security of sensitive information about people and organizations.
As a member of the Council of American Survey Research Organizations (CASRO), we uphold strict data confidentiality, privacy and ethical research standards. We do not collect any personally identifiable information from individuals (or company identifiable information in our business research). Furthermore, we have strict quality standards to ensure that subjects are not asked extraneous, irrelevant or improper questions.