2016 State of the Endpoint Report

Sponsored by CounterTack
Independently conducted by Ponemon Institute LLC
Publication Date: April 2016

Ponemon Institute© Research Report

2016 State of the Endpoint Report Ponemon Institute, April 2016

Part 1. Introduction

Ponemon Institute is pleased to present the results of the 2016 State of the Endpoint Report sponsored by CounterTack. This annual study is conducted by Ponemon Institute to understand trends and changes in endpoint risk in organizations. An endpoint can include servers, desktops, laptops, smartphones, and even printers, ATMs and PoS devices.[1] We surveyed 694 US IT and IT security practitioners who are involved in endpoint security in a variety of organizations.

As shown in Figure 1, IT practitioners report that the severity of malware attacks experienced by their companies has increased dramatically since the study was conducted in 2011. Not only do these attacks have very negative consequences for organizations, 56 percent of respondents say these attacks have become stealthier and more difficult to detect.

Figure 1. How has the severity of attacks increased?
Significantly increased and increased responses combined

It should come as no surprise that organizations are facing a big challenge today in keeping proprietary data and IP from ending up in the hands of criminals. There have been enough high profile breaches across all industries during the past few years to send shock waves through boardrooms. Some enterprises have heeded the warnings and have strengthened their security architecture and some have not. From TJX in 2007, Adobe, Google and JPMorgan in 2010 and Target in 2013, these “bellwether” industry breaches that exposed common security shortcomings in networks could very well be overshadowed by a bigger and more devastating breach in 2016.

Today, in fact, attacks against targets such as hospitals are becoming commonplace. Organizations backing up their data seemingly have less to worry about than those that don’t. How long can an organization afford to be offline? It not only impacts office productivity but also business continuity and safety. If an organization pays a ransom, can the be trusted to hand over the encrypted files? There are many questions to be asked and answered because of the latest rash of ransomware attacks. Where it leads is anyone’s guess.

Following are some of the most salient findings from the study:

Cyber attacks involving destructive malware will become a bigger problem for organizations. A growing trend in cyber attacks has been the unleashing of destructive malware such as Cryptolocker and Shamoon. Only 38 percent of respondents in this year’s study say they have a strategy to deal with destructive software. This is a decline from 43 percent of respondents in 2015.

[1] Throughout the report we present trend data based on the fiscal year (FY) in which the report is published rather than the year the study commenced or fieldwork concluded.


Negligent employees (users) and the devices they use in the workplace continue to be the greatest source of endpoint risk. Eighty-one percent of respondents say the biggest challenge is minimizing the threat of negligent or careless employees who do not follow security policies, a slight increase from 78 percent of respondents in 2015. Since 2013, the percentage of respondents who say threats caused by malware infections that are stealthier and difficult to detect increased from 32 percent to 56 percent. The threat caused by the growing number of insecure mobile devices in the workplace increased from 33 percent to 50 percent.

Zero day and denial of service attacks do the most harm. For the first time, we asked respondents to identify the most serious types of incidents and compromises. The number one is a zero day attack, according to 71 percent of respondents followed by DDoS (68 percent of respondents). The majority of respondents also say the consequences of an exploit of existing software vulnerability greater than 3 months old (53 percent) and ransomware (51 percent) can be severe.

Malware targets mobile endpoints. Sixty percent of respondents say that in the past 24 months it has become more difficult to manage endpoint risk. Eighty percent of respondents (an increase from 68 percent in 2014) believe their mobile endpoints have been the target of malware over the past 12 months.

Laptops and smartphones pose the biggest endpoint threat. Forty-three percent of respondents say it is the laptop and 30 percent of respondents say smartphones are a significant threat to endpoint security. Respondents estimate that an average of one-third of all endpoints connected to their organization’s network is not secured.

Windows and Android are considered more susceptible to attack. Twenty-eight percent of respondents say Android and 23 percent of respondents say Windows are most vulnerable to a data breach or cyber attack. The least vulnerable is the Mac, according to 7 percent of respondents.

Employees’ use of mobile devices and commercial cloud applications continues to increase endpoint risk significantly. Similar to last year’s findings, respondents report the use of commercial cloud applications (72 percent), BYOD (69 percent), and employees who operate from home offices and offsite locations (62 percent) have significantly increased endpoint risk.

Organizations lack the resources to improve endpoint security. Since the 2013 study, organizations have struggled to have the necessary resources to minimize IT endpoint risk. Only 36 percent of respondents in this year’s study agree that they have ample budget and staff. As a consequence, 69 percent of respondents say their IT department cannot keep up with employee demand for greater support and better mobile device connectivity and 71 percent say their endpoint security policies are difficult to enforce.

Mobile devices such as smartphones have seen the greatest rise in potential IT security risk in the IT environment. Mobile devices, vulnerabilities in third party applications and malicious insider risks have increased significantly since the study was first conducted in 2011. Despite the risk of using mobile devices, 56 percent of respondents say their employees are allowed to use personal devices to connect to the network.

Endpoint security is becoming a more important priority. Sixty-one percent of respondents say endpoint security is becoming a more important part of their organizations’ overall IT security strategy. More organizations say their strategy focuses on securing the data and less on the device (60 percent of respondents in 2016 and 55 percent of respondents in 2015). Strategies focusing more on securing the device or both the device and data equally declined slightly. This shift in strategy is due to the belief of the majority of respondents (50 percent) that it is more important to secure the data.


More organizations tag, secure and manage data that resides on the device. There has been a slight increase in an endpoint strategy that includes tagging, securing and managing the data that resides on the public cloud. The percentage of organizations represented in this research that tag, secure and manage data on the device is virtually unchanged.

How will organizations deal with increased endpoint risk? The research also reveals these five predictions for 2016:

1. More organizations will evolve toward a more “detect and respond” orientation from one that is focused on prevention. Ninety-five percent of respondents (56 percent + 25 percent + 14 percent) said that their organization will evolve toward a more “detect and respond” orientation from one that is focused on prevention.

2. Threat intelligence continues to increase in importance. Seventy-seven percent of respondents (42 percent + 24 percent + 11 percent) say they have added or plan to add a threat intelligence component to their security stack.

3. The endpoint as a security sensor is becoming more of an option for organizations. Another popular trend is the notion of the endpoint as a security sensor, in which state or context data collected at the endpoint is used to determine if it has been or is being compromised. Fifty-six percent of respondents say this is something their organizations are doing now or are planning to introduce (29 percent + 22 percent + 5 percent).

4. Offensive security capabilities are growing in adoption. Also important is the need to develop an offensive security capability (i.e., discover who is behind an attack and then counterattack). Sixty-four percent of respondents (14 + 26 + 24) are pursuing now or planning to pursue this in the near future.

5. A virtualization technology with embedded, real-time endpoint sensor is considered a positive investment to improve security posture. Sixty-four percent of respondents say it would have a significant impact or impact on an organization’s approach to achieving enhanced endpoint security.


Part 2. Key findings

In this section, we provide an analysis of the key findings. Several figures show comparable results captured since 2010. The complete, audited findings are presented in the appendix of this report. We have organized the report according to the following themes:

• Employees are the greatest source of endpoint risk
• The gaps in endpoint security
• How organizations minimize endpoint risk
• Predictions for endpoint security in 2016

Employees are the greatest source of endpoint risk

Negligent employees (users) and the devices they use in the workplace continue to be the greatest source of endpoint risk. Figure 2 reveals certain threats to endpoint security that are increasing significantly. Eighty-one percent of respondents say the biggest challenge is minimizing the threat of negligent or careless employees who do not follow security policies, a slight increase from 78 percent of respondents in 2015.

Since 2013, the percentage of respondents who say that threats caused by malware infections that are stealthier and more difficult to detect increased from 32 percent to 56 percent. The threat caused by the growing number of insecure mobile devices in the workplace increased from 33 percent to 50 percent.

Figure 2. What are the biggest threats to endpoint security in your organization?
Five choices permitted

| Threat | FY 2016 | FY 2015 | FY 2014 |
|---|---|---|---|
| Negligent or careless employees who do not follow security policies* | 81% | 78% | |
| The number of employees and others using multiple mobile devices in the workplace has increased | 61% | 65% | 60% |
| Employees’ use of commercial cloud applications in the workplace* | 56% | 66% | |
| There are more personal devices connected to the network (BYOD) | 56% | 68% | 51% |
| Malware infections are more stealthy and difficult to detect | 56% | 45% | 32% |
| The number of insecure mobile devices used in the workplace has increased significantly | 50% | 45% | 33% |
| Attacker lateral movement once a gap in protection is compromised* | 42% | | |
| Unknown or previously unseen threats in my environment that are difficult to detect with legacy endpoint technology* | 37% | | |

* Response not available for all years


Zero day and denial of service attacks do the most harm. For the first time, we asked respondents to identify the most serious types of incidents and compromises. According to Figure 3, the number one is a zero day attack, according to 71 percent of respondents followed by DDoS (68 percent of respondents). The majority of respondents also say the consequences of an exploit of existing software vulnerability greater than 3 months old (53 percent) and ransomware (51 percent) can be severe.

Figure 3. The most serious incidents or compromises
More than one response permitted

| Incident or compromise | Respondents |
|---|---|
| Zero day attacks | 71% |
| DDoS | 68% |
| Exploit of existing software vulnerability greater than 3 months old | 53% |
| Ransomware | 51% |
| Web-borne malware attacks | 47% |
| Advanced persistent threats (APT) / targeted attacks | 46% |
| SQL injection | 44% |
| Spear phishing | 40% |
| Exploit of existing software vulnerability less than 3 months old | 32% |
| Botnet attacks | 29% |
| Clickjacking | 27% |
| Rootkits | 25% |
| Spyware | 6% |
| Other | 3% |


Malware targets mobile endpoints. Sixty percent of respondents say that in the past 24 months it has become more difficult to manage endpoint risk. As shown in Figure 4, 80 percent of respondents (an increase from 68 percent in 2014) believe that their mobile endpoints have been the target of malware over the past 12 months.

Figure 4. Mobile endpoints have been the target of malware over the past 12 months
[Bar chart: Yes, No and Unsure responses for FY 2016, FY 2015 and FY 2014]

Laptops and smartphones pose the biggest endpoint threat. As shown in Figure 5, 43 percent of respondents say it is the laptop and 30 percent of respondents say smartphones are a significant threat to endpoint security. Respondents estimate an average of one-third of all endpoints connected to their organizations’ network are not secured.

Figure 5. Which device poses the biggest endpoint threat to organizations?

| Device | Respondents |
|---|---|
| Laptops | 43% |
| Smartphones | 30% |
| Tablets | 19% |
| USB memory sticks | 6% |
| Other | 2% |


Windows and Android are considered more susceptible to attack. As shown in Figure 6, 28 percent of respondents say Android and 23 percent of respondents say Windows are most vulnerable to a data breach or cyber attack. The least vulnerable is the Mac, according to 7 percent of respondents.

Figure 6. Which operating system is more susceptible to a data breach or cyber attack?

| Operating system | Respondents |
|---|---|
| Android | 28% |
| Windows | 23% |
| iOS | 19% |
| Linux | 12% |
| Firefox OS | 11% |
| Mac | 7% |

Employees’ use of mobile devices and commercial cloud applications continues to increase endpoint risk significantly. Similar to last year’s findings, respondents report the use of commercial cloud applications (72 percent), BYOD (69 percent), and employees who operate from home offices and offsite locations (62 percent) have significantly increased endpoint risk, as shown in Figure 7. The 2016 and 2015 findings are similar.

Figure 7. Factors contributing to endpoint security risk
Strongly agree and agree responses combined

| Factor | FY 2016 | FY 2015 |
|---|---|---|
| Commercial cloud applications has significantly increased endpoint risk | 72% | 73% |
| Employee-owned mobile devices has significantly increased endpoint risk | 69% | 68% |
| Employees operating from home offices and other offsite locations have significantly increased endpoint risk | 62% | 63% |


The gaps in endpoint security

Organizations lack the resources to improve endpoint security. Since the 2013 study, organizations have struggled to have the necessary resources to minimize IT endpoint risk, as shown in Figure 8. Only 36 percent of respondents in this year’s study agree that they have ample budget and staff. As a consequence, 69 percent of respondents say their IT department cannot keep up with employee demand for greater support and better mobile device connectivity and 71 percent say their endpoint security policies are difficult to enforce.

Figure 8. Other factors contributing to endpoint risk
Strongly agree and agree responses combined

| Factor | FY 2016 | FY 2015 |
|---|---|---|
| Our endpoint security policies are difficult to enforce | 71% | 70% |
| Our IT department cannot keep up with employee demand for greater support and better mobile device connectivity | 68% | 68% |
| We have ample resources to minimize IT endpoint risk | 36% | 34% |


Mobile devices such as smartphones have seen the greatest rise in potential IT security risk in the IT environment. Figure 9 shows interesting trends since 2011 in areas and issues that cause significant IT security risks. Mobile devices, vulnerabilities in third party applications and malicious insider risks have increased significantly since the study was conducted in 2011. Despite the risk of using mobile devices, 56 percent of respondents say their employees are allowed to use personal devices to connect to the network.

Figure 9. Where are you seeing the greatest rise in potential IT security risk?
Areas and issues that cause significant IT security risks according to respondents
Five responses permitted

| Area or issue | FY 2016 | Five-year average (2011 to 2015) |
|---|---|---|
| Mobile devices such as smartphones | 86% | 57% |
| Across third party applications | 73% | 61% |
| Mobile/remote employees | 40% | 47% |
| Negligent insider risk | 40% | 42% |
| Lack of system connectivity/visibility | 38% | 30% |
| Malicious insider risk | 36% | 19% |
| Our PC desktop/laptop | 35% | 42% |
| Cloud computing providers | 30% | 34% |


How organizations minimize endpoint risk

Endpoint security is becoming a more important priority. Sixty-one percent of respondents say endpoint security is becoming a more important part of their organizations’ overall IT security strategy.

As shown in Figure 10, more organizations say their strategy focuses on securing the data and less on the device (60 percent of respondents in 2016 and 55 percent of respondents in 2015). Strategies focusing more on securing the device or both the device and data equally declined slightly. This shift in strategy is due to the belief of the majority of respondents (50 percent) that it is more important to secure the data.

Figure 10. What best describes your endpoint security strategy?

| Strategy | FY 2016 | FY 2015 |
|---|---|---|
| Our endpoint strategy focuses more on securing the data and less on the device | 60% | 55% |
| Our endpoint strategy focuses equally on securing the device and data | 27% | 30% |
| Our endpoint strategy focuses more on securing the device and less on the data | 13% | 15% |


A lack of governance and control processes are the biggest gaps in stopping attacks on endpoints. On average, respondents believe less than half (49 percent) of attacks on an organization’s endpoints can be realistically stopped with enabling technologies, processes and in-house expertise.

According to Figure 11, the biggest gap in being able to mitigate these attacks is a lack of governance and control processes, which would include training and awareness programs for employees and enforcement of endpoint security policies.

Figure 11. Why the ability to mitigate endpoint attacks is difficult

| Reason | FY 2016 | FY 2015 |
|---|---|---|
| Lack of governance and control processes | 54% | 50% |
| Lack of in-house expertise | 26% | 29% |
| Lack of enabling technologies | 20% | 21% |

More organizations have an integrated endpoint security suite. As shown in Figure 12, since 2012, more organizations represented in this research have adopted an integrated endpoint security suite (42 percent in 2016 versus an average of 37 percent since 2012), which includes vulnerability assessment, device control, anti-virus, anti-malware, patch management or other capabilities.

Figure 12. Does your organization have an integrated endpoint security suite?
[Bar chart: FY 2016 and four-year average (2012-2015) for the responses Yes; No, but our organization expects to have an endpoint security suite within the next 12-24 months; No]


More organizations tag, secure and manage data that resides on the device. There has been a slight increase, as shown in Figure 13, in the endpoint strategy that includes tagging, securing and managing data that resides on the public cloud. The percentage of organizations represented in this research that tag, secure and manage data that resides on the device is virtually unchanged.

Figure 13. Does your organization tag, secure and manage data that resides on the device and public cloud?
[Bar chart: Yes responses for data that resides on the device and data that resides on a public cloud, FY 2016 and FY 2015]

According to Figure 14, the average number of software agents installed on each endpoint to perform management security and/or operations has ranged from 5 in 2010 to approximately 6 in this year’s study.

Figure 14. The average number of software agents installed on each endpoint
[Bar chart: average per year, FY 2016 to FY 2010; not a question in FY 2011]


The average number of different or distinct software management user interfaces or consoles in the organizations represented in this research used to manage endpoint operations and security functions has ranged from approximately 5 to 6 in this year’s study as shown in Figure 15.

Figure 15. The average number of different or distinct software management user interfaces or consoles
Extrapolated values
[Bar chart: average per year, FY 2016 to FY 2010; not a question in FY 2011]


Predictions for 2016

Cyber attacks involving destructive malware will become a bigger problem for organizations. A growing trend in cyber attacks has been the unleashing of destructive malware such as Cryptolocker and Shamoon. As shown in Figure 16, only 38 percent of respondents in this year’s study say they have a strategy to deal with destructive software. This is a decline from 43 percent of respondents in 2015.

Figure 16. Does your organization have a strategy to deal with destructive malware?

| Response | FY 2016 | FY 2015 |
|---|---|---|
| Yes | 38% | 43% |
| No | 56% | 53% |
| Unsure | 6% | 4% |


Which trends will organizations deploy to deal with endpoint risk? Ninety-five percent of respondents (56 percent + 25 percent + 14 percent) say that their organizations will evolve toward a more “detect and respond” orientation from one that is focused on prevention, as shown in Figure 17. Seventy-seven percent of respondents (42 percent + 24 percent + 11 percent) say they have added or plan to add a threat intelligence component to their security stack.

Figure 17. Use of threat intelligence (Panel A) and detect and detonate sensor (Panel B) over the next 24 months or longer

Panel A: Adoption of a threat intelligence orientation
[Bar chart: FY 2016 and FY 2015 responses for Doing it now; Planning to do so in the next 24 months; Planning to do so more than 24 months from now; No plan to do so]

Panel B: Adoption of a detect and detonate orientation
[Bar chart: FY 2016 and FY 2015 responses for Doing it now; Planning to do so in the next 24 months; Planning to do so more than 24 months from now; No plan to do so]


Another popular trend is the notion of the endpoint as a security sensor, in which state or context data collected at the endpoint is used to determine if it has been or is being compromised. Figure 18 reveals that 56 percent of respondents say this is something their organizations are doing now or are planning to introduce (29 percent + 22 percent + 5 percent).

Also important is the need to develop an offensive security capability (i.e., discover who is behind an attack and then counterattack). Sixty-four percent of respondents (14 percent + 26 percent + 24 percent) are pursuing now or planning to pursue an offensive security capability.

Figure 18. Use of endpoint device as security sensor (Panel A) and offensive security tactics (Panel B) over the next 24 months or more

Panel A: Deploying the endpoint as a security sensor
[Bar chart: FY 2016 and FY 2015 responses for Doing it now; Planning to do so in the next 24 months; Planning to do so more than 24 months from now; No plan to do so]

Panel B: Deploying offensive security tactics
[Bar chart: FY 2016 and FY 2015 responses for Doing it now; Planning to do so in the next 24 months; Planning to do so more than 24 months from now; No plan to do so]


A virtualization technology with embedded, real-time endpoint sensor is believed to have a positive impact on an organization’s security strategy. As shown in Figure 19, 64 percent of respondents say it would have a significant impact or impact on an organization’s approach to achieving enhanced endpoint security.

Figure 19. How would a virtualization technology with embedded, real-time endpoint sensor impact your security strategy?
[Bar chart: responses for Significant impact; Impact; No impact; Unsure]


Part 3. Methods

The sampling frame was composed of 18,590 IT and IT security practitioners involved in endpoint security in the United States. Fielding of the survey was concluded in March. As shown in Table 1, 878 respondents completed the survey. Screening removed 184 surveys. The final sample was 694 surveys (or a 3.7 percent response rate).

Table 1. Sample response

| Sample response | Freq | Pct% |
|---|---|---|
| Total sampling frame | 18,590 | 100.0% |
| Total returns | 878 | 4.7% |
| Rejected and screened surveys | 184 | 1.0% |
| Final sample | 694 | 3.7% |

Pie Chart 1 reports the respondents’ current positions or organizational levels. By design, 61 percent of the respondents stated that their current position is at or above the supervisory level.

Pie Chart 1. Current position or organizational level
[Pie chart; categories: Senior Executive, Vice President, Director, Manager, Supervisor, Technician, Staff, Contractor]

According to Pie Chart 2, half of the respondents report to the chief information officer. Another 26 percent responded that they report to the chief information security officer.

Pie Chart 2. Primary person to whom respondent or IT security leader reports
[Pie chart; categories: Chief Information Officer (CIO), Chief Information Security Officer (CISO), Chief Risk Officer (CRO), Compliance Officer, General Counsel, Chief Security Officer (CSO), Other]


Pie Chart 3 reports the primary industry classification of respondents’ organizations. This chart identifies financial services (18 percent) as the largest segment, followed by health and pharmaceuticals (10 percent) and public sector (10 percent).

Pie Chart 3. Primary industry classification
[Pie chart; categories: Financial services, Health & pharmaceutical, Public services, Retail, Services, Technology & software, Energy & utilities, Industrial, Consumer products, Education & research, Entertainment & media, Hospitality, Communications, Transportation, Other]

According to Pie Chart 4, 75 percent of the respondents are from organizations with a global headcount of over 1,000 employees.

Pie Chart 4. Worldwide headcount of the organization
[Pie chart; categories: Less than 500 people, 500 to 1,000 people, 1,001 to 5,000 people, 5,001 to 25,000 people, 25,001 to 75,000 people, More than 75,000 people]


Part 4. Caveats

There are inherent limitations to survey research that need to be carefully considered before drawing inferences from findings. The following items are specific limitations that are germane to most web-based surveys.

Non-response bias: The current findings are based on a sample of survey returns. We sent surveys to a representative sample of individuals, resulting in a large number of usable returned responses. Despite non-response tests, it is always possible that individuals who did not participate are substantially different in terms of underlying beliefs from those who completed the instrument.

Sampling-frame bias: The accuracy is based on contact information and the degree to which the list is representative of individuals who are IT or IT security practitioners. We also acknowledge that the results may be biased by external events such as media coverage. We also acknowledge bias caused by compensating subjects to complete this research within a holdout period.

Self-reported results: The quality of survey research is based on the integrity of confidential responses received from subjects. While certain checks and balances can be incorporated into the survey process, there is always the possibility that a subject did not provide a truthful response.


Appendix: Detailed Survey Results

The following tables provide the frequency or percentage frequency of responses to all survey questions contained in this study. All survey responses were captured in

| Survey response | FY 2016* | FY 2015* | FY 2014* | FY 2013* | FY 2012* | FY 2011* |
|---|---|---|---|---|---|---|
| Total sampling frame | 18,590 | 18,664 | 19,001 | 17,744 | 18,988 | 11,890 |
| Rejected and screened surveys | 184 | 199 | 218 | 252 | 223 | 218 |
| Final sample | 694 | 703 | 676 | 671 | 688 | 564 |
| Response rate | 3.7% | 3.8% | 3.6% | 3.8% | 3.6% | 4.7% |

*Date (year) of research publication

Part 1. Screening

S1. What best describes your level of involvement in endpoint security within your organization?

| | FY 2016 | FY 2015 | FY 2014 | FY 2013 | FY 2012 | FY 2011 |
|---|---|---|---|---|---|---|
| None (stop) | 0% | 0% | 0% | 0% | 0% | 0% |
| Low (stop) | 0% | 0% | 0% | 0% | 0% | 0% |
| Moderate | 11% | 10% | 11% | 9% | 10% | 11% |
| Significant | 57% | 54% | 55% | 54% | 50% | 56% |
| Very significant | 32% | 36% | 34% | 33% | 33% | 28% |
| Total | 100% | 100% | 100% | 100% | 100% | 100% |

S2. How many network-connected mobile devices does your organization support?

| | FY 2016 | FY 2015 | FY 2014 | FY 2013 | FY 2012 | FY 2011 |
|---|---|---|---|---|---|---|
| Less than 100 (stop) | 0% | 0% | 0% | 1% | 1% | 1% |
| 100 or more connected devices | 100% | 100% | 100% | 96% | 95% | 96% |
| Total | 100% | 100% | 100% | 97% | 96% | 97% |

S3. What best describes your role within your organization’s IT department?

| | FY 2016 | FY 2015 | FY 2014 | FY 2013 | FY 2012 | FY 2011 |
|---|---|---|---|---|---|---|
| IT management | 21% | 26% | 24% | 24% | 21% | 24% |
| IT operations | 24% | 21% | 23% | 23% | 23% | 23% |
| Data administration | 7% | 9% | 10% | 11% | 13% | 11% |
| IT compliance | 10% | 8% | 10% | 9% | 9% | 9% |
| IT security | 35% | 32% | 29% | 27% | 29% | 27% |
| Applications development | 3% | 4% | 5% | 5% | 5% | 5% |
| I’m not involved in my organization’s IT function (stop) | 0% | 0% | 0% | 0% | 0% | 0% |
| Total | 100% | 100% | 100% | 100% | 100% | 100% |

Part 2: Attributions

Q1. We have ample resources to minimize IT endpoint risk throughout our organization.

| | FY 2016 | FY 2015 | FY 2014 | FY 2013 |
|---|---|---|---|---|
| Strongly agree | 14% | 15% | 16% | 14% |
| Agree | 22% | 19% | 16% | 19% |
| Unsure | 20% | 21% | 28% | 33% |
| Disagree | 35% | 34% | 30% | 26% |
| Strongly disagree | 9% | 11% | 10% | 8% |
| Total | 100% | 100% | 100% | 100% |


Q2. The use of employee-owned mobile devices (a.k.a. BYOD) has significantly increased endpoint risk throughout our organization.

| | FY 2016 | FY 2015 |
|---|---|---|
| Strongly agree | 40% | 38% |
| Agree | 29% | 30% |
| Unsure | 18% | 17% |
| Disagree | 9% | 10% |
| Strongly disagree | 4% | 5% |
| Total | 100% | 100% |

Q3. The use of commercial cloud applications (such as Dropbox, Box.net, GoogleDocs, etc.) has significantly increased endpoint risk throughout our organization.

| | FY 2016 | FY 2015 |
|---|---|---|
| Strongly agree | 39% | 41% |
| Agree | 33% | 32% |
| Unsure | 15% | 14% |
| Disagree | 9% | 8% |
| Strongly disagree | 4% | 5% |
| Total | 100% | 100% |

Q4. Employees operating from home offices and other offsite locations (a.k.a. mobile workforce) have significantly increased endpoint risk throughout our organization.

| | FY 2016 | FY 2015 |
|---|---|---|
| Strongly agree | 30% | 35% |
| Agree | 32% | 28% |
| Unsure | 16% | 17% |
| Disagree | 15% | 15% |
| Strongly disagree | 7% | 5% |
| Total | 100% | 100% |

Q5. Our IT department cannot keep up with employee demand for greater support and better mobile device connectivity.

| | FY 2016 | FY 2015 |
|---|---|---|
| Strongly agree | 35% | 36% |
| Agree | 33% | 32% |
| Unsure | 15% | 13% |
| Disagree | 11% | 12% |
| Strongly disagree | 6% | 7% |
| Total | 100% | 100% |

Q6. Our endpoint security policies are difficult to enforce.

| | FY 2016 | FY 2015 |
|---|---|---|
| Strongly agree | 36% | 39% |
| Agree | 35% | 31% |
| Unsure | 16% | 15% |
| Disagree | 9% | 10% |
| Strongly disagree | 4% | 5% |
| Total | 100% | 100% |


Q7. Our investment in signature-based endpoint security products does not yield a good return (ROI).

| Response | FY 2016 | FY 2015 |
|---|---|---|
| Strongly agree | 37% | 39% |
| Agree | 33% | 31% |
| Unsure | 16% | 15% |
| Disagree | 9% | 10% |
| Strongly disagree | 5% | 5% |
| Total | 100% | 100% |

Part 3: General questions

Q8. Following are 5 areas of IT security risks. Please allocate the amount of spending earmarked for each risk listed in the table below. Use all 100 points in the table to allocate your response today and 12 months from now.

| Area of IT security risk | FY 2016 | FY 2015 | 12-month forecast | 12-month forecast |
|---|---|---|---|---|
| Network | 36 | 32 | 40 | 32 |
| Application | 16 | 20 | 15 | 19 |
| Data | 22 | 21 | 21 | 25 |
| Endpoint | 16 | 18 | 13 | 13 |
| Human factor | 10 | 9 | 11 | 11 |
| Total points | 100 | 100 | 100 | 100 |

Q9a. In the past 24 months, has it become more difficult to manage endpoint risk?

| Response | FY 2016 | FY 2015 | FY 2014 |
|---|---|---|---|
| Yes | 60% | 69% | 71% |
| No | 40% | 31% | 29% |
| Total | 100% | 100% | 100% |

Q9b. If yes, what are the top five (5) biggest threats to endpoint security in your organization?

| Response | FY 2016 | FY 2015 | FY 2014 |
|---|---|---|---|
| Malware infections are more stealthy and difficult to detect | 56% | 45% | 32% |
| The number of employees and others using multiple mobile devices in the workplace has increased | 61% | 65% | 60% |
| The number of insecure mobile devices used in the workplace has increased significantly | 50% | 45% | 33% |
| There are more personal devices connected to the network (BYOD) | 56% | 68% | 51% |
| Employees’ use of commercial cloud applications in the workplace* | 56% | 66% | |
| More employees are working offsite and using insecure WiFi connections | 31% | 38% | 16% |
| Negligent or careless employees who do not follow security policies* | 81% | 78% | |
| Unknown or previously unseen threats in my environment that are difficult to detect with legacy endpoint technology | 37% | | |
| Attacker lateral movement once a gap in protection is compromised | 42% | | |


Q10. In the past 24 months, has endpoint security become a more important priority of your organization’s overall IT security strategy?

| Response | FY 2016 | FY 2015 | FY 2014 |
|---|---|---|---|
| Yes | 61% | 68% | 65% |
| No | 39% | 32% | 35% |
| Total | 100% | 100% | 100% |

Q11. Which of the following statements best describes your endpoint security strategy?

| Response | FY 2016 | FY 2015 |
|---|---|---|
| Our endpoint strategy focuses more on securing the data and less on the device. | 60% | 55% |
| Our endpoint strategy focuses more on securing the device and less on the data. | 13% | 15% |
| Our endpoint strategy focuses equally on securing the device and data. | 27% | 30% |
| Total | 100% | 100% |

Q12. Does your organization’s approach to endpoint security include the tagging, securing and management of data that resides on the device?

| Response | FY 2016 | FY 2015 |
|---|---|---|
| Yes | 43% | 44% |
| No | 57% | 56% |
| Total | 100% | 100% |

Q13. Does your organization’s approach to endpoint security include the tagging, securing and management of data that is accessed by the device, but resides on a public cloud?

| Response | FY 2016 | FY 2015 |
|---|---|---|
| Yes | 31% | 26% |
| No | 69% | 74% |
| Total | 100% | 100% |

Q14. How has the severity of malware incidents changed over the past year within your organization?

| Response | FY 2016 | FY 2015 | FY 2014 | FY 2013 | FY 2012 | FY 2011 |
|---|---|---|---|---|---|---|
| Significantly increased | 56% | 50% | 44% | 37% | 31% | 26% |
| Increased | 20% | 19% | 15% | 18% | 22% | 21% |
| Stayed the same | 12% | 16% | 19% | 22% | 25% | 25% |
| Slight decrease* | 6% | 4% | 8% | | | |
| Decreased* | 2% | 4% | | 8% | 8% | 9% |
| Significantly decreased* | 0% | 0% | 2% | | | |
| Unsure | 4% | 7% | 12% | 15% | 14% | 17% |
| Total | 100% | 100% | 100% | 100% | 100% | 98% |

* This response not available in all FY's


Q15. Which of these types of incidents or compromises cause the most severe consequence? Please check all that apply.

| Response | FY 2016 |
|---|---|
| Zero day attacks | 71% |
| DDoS | 68% |
| Exploit of existing software vulnerability greater than 3 months old | 53% |
| Ransomware | 51% |
| Web-borne malware attacks | 47% |
| Advanced persistent threats (APT) / targeted attacks | 46% |
| SQL injection | 44% |
| Spear phishing | 40% |
| Exploit of existing software vulnerability less than 3 months old | 32% |
| Botnet attacks | 29% |
| Clickjacking | 27% |
| Rootkits | 25% |
| Spyware | 6% |
| Other (please specify) | 3% |
| Total | 542% |

Q16. A growing trend in cyber attacks has been the unleashing of so-called “destructive malware” (such as Cryptolocker, Shamoon, etc.). Have your organization’s tactical plans and policies kept up with this development?

| Response | FY 2016 | FY 2015 |
|---|---|---|
| Yes | 38% | 43% |
| No | 56% | 53% |
| Unsure | 6% | 4% |
| Total | 100% | 100% |

Q17. With your current enabling technologies, processes and in-house expertise, what percentage of attacks to your organization’s endpoints can be realistically stopped?

| Response | FY 2016 |
|---|---|
| None | 10% |
| 5% or less | 12% |
| 6% to 25% | 2% |
| 26% to 50% | 19% |
| 51% to 75% | 13% |
| 76% to 100% | 30% |
| Cannot determine | 14% |
| Total | 100% |
| Extrapolated value | 49% |


Q18. Where is the one biggest gap in your organization’s ability to stop attacks to endpoints?

| Response | FY 2016 | FY 2015 |
|---|---|---|
| Lack of in-house expertise | 26% | 29% |
| Lack of enabling technologies | 20% | 21% |
| Lack of governance and control processes | 54% | 50% |
| Total | 100% | 100% |

Q19. Do you believe mobile endpoints have been the target of malware over the past 12 months?

| Response | FY 2016 | FY 2015 | FY 2014 |
|---|---|---|---|
| Yes | 80% | 75% | 68% |
| No | 23% | 18% | 22% |
| Unsure | 5% | 7% | 10% |
| Total | 108% | 100% | 100% |

Q20. Which device poses the biggest endpoint threat to organizations in 2016? (Please select only one response)

| Response | FY 2016 |
|---|---|
| Tablets | 19% |
| Laptops | 43% |
| Smartphones | 30% |
| USB memory sticks | 6% |
| Other | 2% |
| Total | 100% |

Q21. Which operating system is more susceptible to a data breach or cyber attack? (Please select only one response)

| Response | FY 2016 |
|---|---|
| Mac | 7% |
| Firefox OS | 11% |
| Linux | 12% |
| Android | 28% |
| iOS | 19% |
| Windows | 23% |
| Total | 100% |

Q22. What percentage of endpoint devices connected to your organization’s network is not secured? Please estimate.

| Response | FY 2016 |
|---|---|
| Zero | 8% |
| Less than 10% | 23% |
| 10% to 25% | 20% |
| 26% to 50% | 18% |
| 51% to 75% | 20% |
| 76% to 100% | 8% |
| All | 3% |
| Total | 100% |
| Extrapolated value | 33% |


Q23. Are employees allowed to use personal devices to connect to your organization’s network?

| Response | FY 2016 |
|---|---|
| Yes | 56% |
| No | 40% |
| Unsure | 4% |
| Total | 100% |

Q24. Do you think it is more important to secure the device, its data or both? (Please select only one response)

| Response | FY 2016 |
|---|---|
| Secure the device | 18% |
| Secure the data | 50% |
| Secure both the device and data | 32% |
| Total | 100% |

Q25. Where are you seeing the greatest rise of potential IT security risk within your IT environment? Please choose only your top five choices.

| Response | FY 2016 | FY 2015 | FY 2014 | FY 2013 | FY 2012 | FY 2011* |
|---|---|---|---|---|---|---|
| Our server environment | 15% | 17% | 17% | 19% | 29% | 32% |
| Our data centers | 5% | 6% | 7% | 6% | 12% | 14% |
| Within operating systems (vulnerabilities) | 9% | 9% | 8% | 8% | 10% | 11% |
| Across third party application (vulnerabilities) | 73% | 69% | 66% | 67% | 56% | 45% |
| Our PC desktop/laptop | 35% | 38% | 43% | 45% | 41% | 44% |
| Mobile devices such as smartphones (Blackberry, iPhone, iPad, Android) | 86% | 80% | 75% | 73% | 48% | 9% |
| Removable media (USB sticks) and/or media (CDs, DVDs) | 27% | 29% | 35% | 39% | 42% | 10% |
| Network infrastructure environment (gateway to endpoint) | 11% | 12% | 12% | 10% | 14% | 11% |
| Malicious insider risk | 36% | 30% | 15% | 15% | 16% | |
| Negligent insider risk | 40% | 41% | 40% | 44% | 43% | |
| Negligent third party risk (partner, vendors, customers, etc.) | 27% | 28% | 33% | | | |
| Cloud computing infrastructure and providers | 30% | 32% | 36% | 41% | 43% | 18% |
| Virtual computing environments (servers, endpoints) | 10% | 10% | 9% | 19% | 28% | 20% |
| Mobile/remote employees | 40% | 42% | 45% | 53% | 49% | 44% |
| Lack of system connectivity/visibility | 38% | 35% | 31% | 25% | 29% | |
| Lack of organizational alignment | 18% | 22% | 28% | 36% | 39% | |
| Total | 500% | 500% | 500% | 500% | 499% | 299% |

* Top 3 choices in the 2011 survey


Q26. Does your organization have an integrated endpoint security suite (vulnerability assessment, device control, anti-virus, anti-malware, patch management or other capabilities)?

| Response | FY 2016 | FY 2015 | FY 2014 | FY 2013 | FY 2012 |
|---|---|---|---|---|---|
| Yes | 42% | 42% | 38% | 35% | 33% |
| No, but our organization expects to have an endpoint security suite within the next 12-24 months | 46% | 47% | 49% | 48% | 46% |
| No | 12% | 11% | 13% | 17% | 21% |
| Total | 100% | 100% | 100% | 100% | 100% |

Q27. Approximately how many software agents does your organization typically have installed on each endpoint to perform management, security and/or other operations? Please provide your best estimate.

FY 2016 FY 2015 FY 2014 FY 2013 FY 2012 FY 2011
1 to 2: 16% 14% 16% 19% 18%
3 to 5: 29% 19% 23% 21% 23%
6 to 10: 34% 41% 38% 41% 39%
More than 10: 15% 21% 18% 13% 10%
Cannot determine: 6% 5% 5% 6% 10%
Total: 100% 100% 100% 100% 100%

Q28. On a typical day, how many different or distinct software management user interfaces or consoles does your organization use to manage endpoint operations and security functions? Please provide your best estimate.

FY 2016 FY 2015 FY 2014 FY 2013 FY 2012 FY 2011
1 to 2: 11% 12% 14% 19% 23%
3 to 5: 33% 23% 25% 25% 29%
6 to 10: 39% 43% 38% 35% 30%
More than 10: 11% 17% 14% 11% 9%
Cannot determine: 6% 5% 9% 10% 9%
Total: 100% 100% 100% 100% 100%
Extrapolated value: 6.30 6.81 6.52 6.01 5.48

Part 4. Predictions & Trends

Q29. The notion of the endpoint as a security sensor – that is, where state or context data collected at the endpoint is used to determine if it has been or is being compromised – is gaining in popularity. Is this something your organization is doing or planning to do?

| Response | FY 2016 | FY 2015 |
|---|---|---|
| Yes, doing it now | 29% | 19% |
| Yes, planning to do so in the next 24 months | 22% | 18% |
| Yes, planning to do so more than 24 months from now | 5% | 9% |
| No | 40% | 45% |
| Never heard of it | 4% | 9% |
| Total | 100% | 100% |


Q30. Has your organization added, or does it plan to add, a threat intelligence component to its security stack?

| Response | FY 2016 | FY 2015 |
|---|---|---|
| Yes, doing it now | 42% | 33% |
| Yes, planning to do so in the next 24 months | 24% | 22% |
| Yes, planning to do so more than 24 months from now | 11% | 9% |
| No | 23% | 36% |
| Total | 100% | 100% |

Q31. Traditional endpoint defense has focused on prevention, but there is a growing movement towards a so-called “detect and detonate” orientation. Is your organization moving towards this?

| Response | FY 2016 | FY 2015 |
|---|---|---|
| Yes, doing it now | 56% | 44% |
| Yes, planning to do so in the next 24 months | 25% | 30% |
| Yes, planning to do so more than 24 months from now | 14% | 21% |
| No | 5% | 5% |
| Never heard of it | 0% | 0% |
| Total | 100% | 100% |

Q32. The cyber security community has been discussing the need to develop an offensive security capability (i.e., discover who is behind an attack and then counterattack). Is this something your organization is or will be pursuing?

| Response | FY 2016 | FY 2015 |
|---|---|---|
| Yes, pursuing now | 14% | 9% |
| Yes, planning to pursue in the next 24 months | 26% | 18% |
| Yes, planning to pursue more than 24 months from now | 24% | 23% |
| No | 36% | 50% |
| Total | 100% | 100% |

Q33. If you leveraged a highly virtualized environment, how would a virtualization technology with embedded, real-time endpoint sensor impact your security strategy?

| Response | FY 2016 |
|---|---|
| Significant impact | 33% |
| Impact | 31% |
| No impact | 25% |
| Unsure | 11% |
| Total | 100% |


D1. What organizational level best describes your current position?

| Response | FY 2016 | FY 2015 | FY 2014 | FY 2013 | FY 2012 | FY 2011 |
|---|---|---|---|---|---|---|
| Senior Executive | 2% | 1% | 1% | 0% | 1% | 2% |
| Vice President | 1% | 1% | 2% | 2% | 1% | 1% |
| Director | 18% | 17% | 18% | 19% | 22% | 23% |
| Manager | 23% | 24% | 25% | 26% | 23% | 25% |
| Supervisor | 17% | 17% | 19% | 19% | 18% | 19% |
| Technician | 30% | 29% | 25% | 23% | 20% | 16% |
| Staff | 6% | 7% | 8% | 7% | 10% | 9% |
| Contractor | 3% | 3% | 2% | 3% | 4% | 3% |
| Other | 0% | 1% | 0% | 1% | 1% | 2% |
| Total | 100% | 100% | 100% | 100% | 100% | 100% |

D2. Check the Primary Person you or your IT security leader reports to within the organization.

| Response | FY 2016 | FY 2015 | FY 2014 | FY 2013 | FY 2012 | FY 2011 |
|---|---|---|---|---|---|---|
| CEO/Executive Committee | 1% | 1% | 0% | 0% | 0% | 1% |
| Chief Financial Officer (CFO) | 1% | 1% | 2% | 1% | 1% | 2% |
| General Counsel | 2% | 2% | 1% | 3% | 2% | 2% |
| Chief Information Officer (CIO) | 50% | 53% | 53% | 54% | 53% | 50% |
| Chief Information Security Officer (CISO) | 26% | 25% | 25% | 23% | 23% | 21% |
| Compliance Officer | 5% | 3% | 4% | 6% | 8% | 9% |
| Human Resources VP | 0% | 0% | 0% | 0% | 0% | 2% |
| Chief Security Officer (CSO) | 2% | 2% | 2% | 4% | 5% | 6% |
| Chief Risk Officer (CRO) | 12% | 13% | 12% | 9% | 8% | 5% |
| Other | 1% | 0% | 1% | 0% | 0% | 2% |
| Total | 100% | 100% | 100% | 100% | 100% | 100% |

D3. What industry best describes your organization’s primary industry focus?

| Response | FY 2016 | FY 2015 | FY 2014 | FY 2013 | FY 2012 | FY 2011 |
|---|---|---|---|---|---|---|
| Agriculture & food services | 1% | 0% | 1% | 2% | 1% | 2% |
| Communications | 3% | 3% | 2% | 3% | 5% | 4% |
| Consumer products | 5% | 5% | 4% | 3% | 2% | 3% |
| Defense & aerospace | 1% | 1% | 1% | 2% | 3% | 3% |
| Education & research | 5% | 4% | 3% | 5% | 6% | 5% |
| Energy & utilities | 6% | 5% | 5% | 4% | 3% | 2% |
| Entertainment & media | 4% | 3% | 4% | 3% | 4% | 3% |
| Financial services | 18% | 19% | 21% | 20% | 18% | 19% |
| Health & pharmaceutical | 10% | 11% | 12% | 12% | 10% | 11% |
| Hospitality | 4% | 3% | 3% | 5% | 4% | 4% |
| Industrial | 6% | 5% | 1% | 5% | 4% | 5% |
| Public services | 10% | 11% | 12% | 10% | 12% | 13% |
| Retail | 9% | 10% | 9% | 9% | 8% | 7% |
| Services | 8% | 9% | 11% | 8% | 9% | 8% |
| Technology & software | 8% | 8% | 8% | 7% | 8% | 6% |
| Transportation | 2% | 3% | 3% | 2% | 3% | 5% |
| Total | 100% | 100% | 100% | 100% | 100% | 100% |


D4. Where are your employees located? Check all that apply.

| Response | FY 2016 | FY 2015 | FY 2014 | FY 2013 | FY 2012 | FY 2011 |
|---|---|---|---|---|---|---|
| United States | 100% | 100% | 100% | 100% | 100% | 100% |
| Canada | 64% | 65% | 63% | 65% | 69% | 63% |
| Europe | 71% | 70% | 72% | 71% | 70% | 68% |
| Middle East & Africa | 38% | 36% | 34% | 31% | 30% | 27% |
| Asia-Pacific | 56% | 54% | 55% | 50% | 45% | 41% |
| Latin America (including Mexico) | 41% | 39% | 36% | 32% | 31% | 29% |
| Total | 370% | 364% | 360% | 349% | 345% | 328% |

D5. What is the worldwide headcount of your organization?

| Response | FY 2016 | FY 2015 | FY 2014 | FY 2013 | FY 2012 | FY 2011 |
|---|---|---|---|---|---|---|
| Less than 500 people | 9% | 9% | 8% | 7% | 5% | 6% |
| 500 to 1,000 people | 16% | 17% | 15% | 16% | 16% | 13% |
| 1,001 to 5,000 people | 26% | 23% | 20% | 21% | 22% | 19% |
| 5,001 to 25,000 people | 29% | 30% | 34% | 33% | 31% | 32% |
| 25,001 to 75,000 people | 13% | 16% | 20% | 19% | 21% | 21% |
| More than 75,000 people | 7% | 5% | 3% | 4% | 5% | 9% |
| Total | 100% | 100% | 100% | 100% | 100% | 100% |
| Extrapolated value | 17,386 | 17,340 | 18,125 | 18,268 | 19,750 | 22,832 |

Ponemon Institute
Advancing Responsible Information Management

Ponemon Institute is dedicated to independent research and education that advances responsible information and privacy management practices within business and government. Our mission is to conduct high quality, empirical studies on critical issues affecting the management and security of sensitive information about people and organizations.

As a member of the Council of American Survey Research Organizations (CASRO), we uphold strict data confidentiality, privacy and ethical research standards. We do not collect any personally identifiable information from individuals (or company identifiable information in our business research). Furthermore, we have strict quality standards to ensure that subjects are not asked extraneous, irrelevant or improper questions.
