
Survey of Security and Data Breach Trends for 2012

Executive Summary

FishNet Security is the No. 1 provider of information security solutions that combine technology, services, support and training. Since 1996, the company has enabled clients to manage risk, meet compliance requirements and reduce costs while maximizing security effectiveness and operational efficiency. FishNet Security is committed to information security excellence and has a track record of delivering quality solutions to over 5,000 clients nationwide.

Key concerns for organizations in 2012:

  • Where do we stand compared to our peers?
  • What security issues should we be concerned about?
  • Which products are “must-haves” versus “nice-to-have”?

The goal of FishNet Security’s Survey of Security and Data Breach Trends for 2012 was to help answer these questions. Over 400 customers, partners and prospects responded to the survey.

 


 

Key Findings

Data Breaches Expected to Rise

The majority of respondents (97%) stated that the number of data breaches will increase; only 3 percent stated that the number of breaches would decrease.

Top Three Threat Sources

Executives and security practitioners believe that the top three computing sources that present the greatest threats to information security today are Mobile Computing (35%), Social Networks (27%) and Cloud Computing Platforms (18%).

Cloud Computing Moving Up the Risk Ladder

While 31 percent of respondents believe Mobile Computing will remain the top threat area for the next two years, 28 percent believe that over this same two-year period Cloud Computing will replace Social Networks as the second-riskiest computing environment.

Mobile Computing is a Growing Concern in Data Breaches

Nearly a third of respondents (30%) expect Mobile Computing to increase the most among all data breach sources this year. Organized Cybercriminal Hackers (25%) came in second, while Accidental Exposure of Data (19%) came in third.

Contractor/Partner Data Breaches are a Decreasing Concern

Many respondents (29%) believe Contractor/Partner breaches will decrease the most in 2012, followed by Accidental Exposure (27%) and Insider Theft (25%).

Staff Training Crucial in 2012 Threat Defense Plans

When asked which security service they would invest most heavily in this year, 34 percent stated it would be in Training Services.

Technology Infrastructure Purchasing in 2012 Focusing on Enterprise Security

Purchasing priorities for 2012 include 11 primary products, with the top three being Firewalls (20%), Anti-Virus (18%) and Anti-Malware (12%).

 


 

Survey Question #1

Do you think that the number of data breaches will increase or decrease in 2012?

Summary

When asked if the number of data breaches would increase or decrease in 2012, the majority of respondents (97%) stated that they believe the number of data breaches will increase; only 3 percent stated that the number of breaches would decrease.

Respondents also provided the following feedback statements relative to 2012 security concerns:

  • BYOD (Bring Your Own Device) is going to be a top priority for hackers and security experts.
  • Hackers are getting increasingly creative and exploiting vulnerabilities.
  • The reduction of breaches will occur as NFC, Chip/Pin and swipe are implemented.
  • Sophistication and impact will dramatically increase.
  • 2011 was a pretty busy year for data breaches; I think 2012 will be flat overall in this regard.

 

 


 

Survey Question #2

What type of data breaches do you think will increase the most in 2012?

Summary

Nearly a third of respondents (30%) believe mobile data breaches will increase the most of all data breaches in 2012. Cybercriminal activity is the second-most anticipated data breach threat at 25 percent.

Breach Types Defined:

  • Insider Theft: Data stolen by someone inside the company
  • Mobile Data: Data from a stolen or lost laptop, thumb drive, mobile phone, etc.
  • Contractor/Partner: Data stolen or lost by a third party
  • Organized Cybercriminal Hackers: Data stolen by someone outside of the company
  • Accidental Exposure: Data exposed due to an inadvertent Internet/Web posting, email or access control error

Respondents also identified other data breach types and other concerns by offering these statements:

  • Loss due to mis-configured technology
  • Mobile BYOD in the enterprise will lead to more breaches from that threat vector.
  • Mobile technology is still openly unsecured; cybercriminal hackers/crackers are growing, and people are very unaware of minimum good security usage practices, besides being too open-minded on utilization of cyber technology.
  • Organized cybercriminals are getting more organized and making a ton of money from their nefarious activities.
  • Social Engineering
  • The impact of poorly conceived/provisioned BYOD environments

 


 

Survey Question #3

Which type of data breaches do you think will decrease the most in 2012?

Summary

Nearly a third of respondents (29%) believe that Contractor/Partner data breaches will decrease the most in 2012 among the five survey choices given, while 27% believe Accidental Exposure and 25% believe Insider Theft will decrease the most this year. These three categories comprise 81% of the top-five threat choices in the survey.

Breach Types Defined:

  • Insider Theft: Data stolen by someone inside the company
  • Mobile Data: Data from a stolen or lost laptop, thumb drive, mobile phone, etc.
  • Contractor/Partner: Data stolen or lost by a third party
  • Organized Cybercriminal Hackers: Data stolen by someone outside of the company
  • Accidental Exposure: Data exposed due to an inadvertent Internet/Web posting, email or access control error.

Respondents had the following additional comments:

  • Data left on devices not properly disposed.
  • Don’t expect to see any significant change.
  • Hard to say. All of these should still remain a concern.
  • Hopefully, users and IT professionals are getting smarter about this.
  • I believe that the majority of the data breaches will either stay the same or go up.
  • I don’t anticipate decreases in any type of data breach.
  • I don’t really think there will be a significant decrease in any of them.
  • I don’t think any (of these choices) will decrease except by proportion, with others increasing.
  • There will not be any specific decrease of these types of breaches.
  • They will likely all increase.

 


 

Survey Questions #4 and #5

(#4) Which of the following areas do you believe presents the greatest security threat to your organization today? (#5) And in 2 years?

Summary - Question #4:

Many respondents (35%) believe that Mobile Computing represents the greatest security threat to their organizations today. In second place, 27% of respondents believe Social Networks is the greatest threat. Cloud Computing (18%) and Wireless Infrastructure (16%) round out the final four concerns of the choices offered in the survey.

Summary - Question #5:

Regarding what respondents believe will be the greatest security threat in two years, 31% of respondents believe Mobile Computing will be the No. 1 issue, while 28% believe Cloud Computing will be the second major concern. Social Networks is the third-leading concern in two years, coming in at 23%. So, the respondents believe that Cloud Computing will overtake Social Networks as a major security threat within two years from when the survey was taken (January 2012).

Respondents also identified the following security areas of concern with these comments:

  • Accidental Exposure
  • BYOD is going to create the most significant threat in 2012.
  • BYOD and the decentralization of system access
  • Compromised customer computers
  • Core infrastructure
  • Email and Internet surfing I think are the greatest threats.
  • Phishing
  • Physical security of data
  • Uneducated users
  • Web browser exploits and lack of OS/browser patching

 


 

Survey Question #6

What IT solutions will your organization purchase in 2012?

Summary

Firewalls are the No. 1 IT solution that 20% of respondents expect their organizations to purchase in 2012. Next, 18% of the respondents expect Anti-Virus solutions to be purchased, while 14% view Anti-Malware as the leading solution to be bought. Rounding out the top five solutions is a tie between Authentication and DLP solutions – both at 12%.

 

Respondents also identified the following purchase areas:

  • Anti-fraud/detection, GRC
  • DAM
  • DSM
  • E-Discovery
  • FDE, encrypted removable devices like Flash drives, possibly MDM
  • FDE, mobile encryption, maintenance and increased licensing
  • FIM
  • IDS/IPS
  • ISO 27001 certification, Wireless IPS and Malware analysis software.
  • Mobile Device Management
  • Multi Factor Authentication (MFA)
  • Open Source solutions, which I will not purchase, i.e., Pandora SIEM
  • Renew or evaluate alternatives to existing solutions
  • Smartphone device management for a variety of phones
  • Storage
  • White listing
  • Wireless Network Manager

 


 

Survey Question #7

What security services do you plan to invest in during 2012?

Summary

 

Of the security services targeted for investment in 2012, 34% of the respondents expect Security Training Services to be the main area. Security Consulting Services (26%), Mobile Security Services (24%) and Managed Security Services (16%) round out the top four areas.

 

 

 

Respondents also identified the following purchase areas:

  • Build in-house strategies for the items above.
  • I am specifically looking for employee/customer awareness web-based training, with tracking & reporting features.
  • Increased education of security
  • Penetration Testing


Survey Question #8

What industry are you in?

Summary

The Financial Services industry was represented the most of any industry in the survey (at 23%). Other industries leading the way were Healthcare (14%) and Government (14%). High-Tech was represented by 11% of the survey takers.


Survey Question #9

What is your title?

Summary

Most of the survey respondents (58%) were Security Administrators. Other leading job titles were Vice Presidents of Security (7%) and Chief Information Security Officers (CISOs) (7%). After that, there was a wide array of job titles in the IT/security/network areas represented.