Current Security Posture
- Rising attacks. Nearly four in five respondents’ organizations were affected by a successful cyberattack in 2016, with a full third being breached six or more times in the span of a year (page 6).
- Optimism reigns. More than a third of respondents consider it unlikely their organization will be the victim of a successful cyberattack in 2017 (page 7).
- Mobile devices weakest tech component. For the fourth consecutive year, mobile devices are perceived as IT security’s weakest link, closely followed by other end-user computing devices (page 8).
- Developing secure apps weakest process. Secure application development and testing is the security process organizations struggle with the most, followed by user awareness training (page 9).
- Failure to monitor privileged users. Only a third of respondents are confident their organization has made adequate investments to monitor the activities of privileged users (page 10).
- Patch management woes. Less than a third of respondents are confident their organization’s patch management program effectively mitigates the risk of exploit-based malware (page 11).
- Cyber insurance pulling its weight. Three-quarters of respondents rate their organization’s level of investment in cyber insurance as adequate (page 12).
Perceptions and Concerns
- Threats keeping us up at night. Malware, phishing, and insider threats give IT security the most headaches (page 13).
- Ransomware’s bite out of the budget. Six in 10 respondents said their organization was affected by ransomware in 2016, with a full third electing to pay the ransom to get their data back (page 14).
- Ransomware’s biggest nightmare. The potential for data loss is the greatest concern stemming from ransomware, while the potential for revenue loss trails the field (page 15).
- Microsoft leaving the door open? With two-thirds of respondents not fully satisfied with Microsoft’s security measures for Office 365, the door remains open for third-party security solutions (page 16).
- Employees still to blame. Low security awareness among employees continues to be the greatest inhibitor to defending against cyberthreats, followed closely by a shortage of skilled personnel and too much data for IT security teams to analyze (page 17).
Current and Future Investments
- Security budgets still rising. Despite stabilizing as a percentage of organizations’ overall IT budgets, nearly three-quarters of IT security budgets are expected to rise (again) in 2017 (pages 19 and 25).
- Must-have network security investments. Network deception solutions are the top-ranked network security technology planned for acquisition in 2017, followed by next-generation firewalls and user and entity behavior analytics (page 20).
- Shielding endpoints from cyberthreats. Containerization/micro-virtualization tops the rankings for both endpoint security and mobile security technologies that respondents plan to acquire in 2017 (pages 22 and 23).
- Application security testing gaining traction. Database firewalls may currently be the most widely deployed app/ data security technology, but application security testing tools top the most wanted list for 2017 (page 24).
Practices and Strategies
- NAC’s reign continues. Network access control (NAC) remains the top technology for reducing a network’s attack surface (page 26).
- Dumping security data. While 96% of respondents collect at least some full-packet network traffic data to support their security efforts, nearly three-quarters ditch it within four weeks (page 27).
- Leveraging CASBs to protect sensitive data. Preventing disclosure of sensitive data is the leading reason why organizations are deploying cloud access security brokers (page 30).
- Identity/credential thieves in crosshairs. Thwarting account hijacking is the top use case for organizations deploying user and entity behavior analytics, followed closely by detecting data exfiltration (page 29).
- Cybersecurity skills shortage crisis. An astounding nine out of 10 respondents indicated their organization is suffering from the global shortfall of skilled IT security personnel (page 31).