Ponemon Institute is pleased to present the findings of Global Trends in Identity Governance & Access Management, sponsored by Micro Focus. The purpose of this study is to understand companies’ ability to protect access to sensitive and confidential information and what they believe is necessary to improve the protection. All participants in this study are involved in providing end users access to information resources in their organizations. Some of the trends discussed in the report are:

1. Employees are frustrated with access rights processes, and IT security is considered a bottleneck.

2. Responding to requests for access is considered slow.

3. Control over access management is decentralized.

4. Certain technologies are considered an important part of meeting identity governance and access management requirements.

5. A single-factor authentication approach is no longer effective.

6. Integration of machine learning within identity governance solutions is critical (64 percent of respondents).

7. The most difficult access policies to implement are those for enforcing access policies in a consistent fashion across all information resources in the organization.

8. End users have more access than they should.

9. Migration to Mobile First and mobile platforms has affected access management approaches.

10. New threats created by disruptive technologies will reduce organizations’ ability to mitigate governance and access management risks.

11. The ability to manage access in the Internet of Things (IoT) is a concern.

12. Effective identity governance and access management across the enterprise is achievable.

We hope you will read our latest report on this topic.

Sincerely,

Dr. Larry Ponemon 
 

By Dr. Larry Ponemon

Big Data Cybersecurity Analytics, conducted by Ponemon Institute and sponsored by Cloudera, provides more evidence that the use of big data analytics is very important to ensuring a strong cybersecurity posture. Dr. Larry Ponemon and Rocky DeStefano, Cloudera’s cybersecurity subject matter expert, will participate in a webinar on October 11 to discuss key findings from the research.

Following are key findings from the research.

• Organizations are 2.25X more likely to identify a security incident within hours or minutes when they are a heavy user of big data cybersecurity analytics.

• Eighty-one percent of respondents say demand for big data for cybersecurity analytics has significantly increased over the past 12 months.

• Heavy users of big data analytics have a higher level of confidence in their ability to detect cyber incidents than light users.   With respect to 11 common cyber threats, the biggest gaps between heavy and light users concern the organization’s ability to detect advanced malware/ransomware, compromised devices (e.g., credential theft), zero day attacks and malicious insiders.  The smallest gaps in detection between heavy and light users concern denial of services, web-based attacks and spear phishing/social engineering.

• Companies represented in this research are allocating an average of $14.50 million to IT security in fiscal year 2016 and an average of $2.32 million (16 percent) of this budget is allocated to analytics tools.

We hope you will join us for a unique perspective on the state of big data cybersecurity analytics.

Register here.  
 

We are pleased to announce the release of the 2016 Cost of Data Breach Study: The Impact of Business Continuity Management (BCM), in partnership with IBM.  This year we studied how organizations are using BCM in 12 different countries, 383 companies across 16 industries.

According to the research, BCM programs can reduce the per capita cost of data breach, the mean time to identify and contain a data breach and the likelihood of experiencing such an incident over the next two years. 

http://go.cyphort.com/Ponemon-Report-Page.html

Forty-seven percent of respondents say their organization had a material security breach that involved an attack that compromised the networks or enterprise systems. This attack could have been external (i.e. hacker), internal (i.e. malicious insider) or both. Most respondents (65 percent) say threat intelligence could have prevented or minimized the consequences of the attack.

Following are key research takeaways:

Threat intelligence is essential for a strong security posture. Seventy-five percent of respondents, who are familiar and involved in their company’s cyber threat intelligence activities or process, believe gathering and using threat intelligence is essential to a strong security posture.

Potential liability and lack of trust in sources of intelligence, keep some organizations from participating. Organizations that only partially participate cite potential liability of sharing (62 percent of respondents) and lack of trust in the sources of intelligence (60 percent of respondents). However, more respondents believe there is a benefit to exchanging threat intelligence.

Organizations rely upon peers and security vendors for threat intelligence. Sixty-five percent of respondents say they engage in informal peer-to-peer exchange of information or through a vendor threat exchange service (45 percent of respondents). IT vendors and peers are also considered to provide the most actionable information. Law enforcement or government officials are not often used as a source for threat intelligence.

Threat intelligence needs to be timely and easy to prioritize. Sixty-six percent of respondents who are only somewhat or not satisfied with current approaches say it is because the information is not timely and 46 percent complain the information is not categorized according to threat type or attacker.

Organizations are moving to a centralized program controlled by a dedicated team.  A huge barrier to effective collaboration in the exchange of threat intelligence is the existence of silos. Centralizing control over the exchange of threat intelligence is becoming more prevalent and might address the silo problem.

We hope you will download the full report.

Warmest regards,

 Dr. Larry Ponemon

Dr. Larry Ponemon
 

Warmest regards,
Dr. Larry Ponemon
 

• More resources are allocated to preventing, detecting and resolving data breaches. According to 61 percent of respondents, the budget for security increased by an average of 34 percent. Most was used for SIEM, endpoint security and intrusion detection and prevention.

• Senior management gets a wake up call and realizes the need for a stronger cyber defense posture. Sixty-seven percent of respondents say their organization made sure the IT function has the budget necessary to defend it from data breaches.

• Operations and compliance processes are changing to prevent and detect breaches. Sixty percent of respondents say they made changes to operations and compliance processes to establish incident response teams, conduct training and awareness programs and use data security effectiveness measures.

We hope you will read the full report.

To register for the webinar featuring Dr. Larry Ponemon and Netskope Founder and CEO, Sanjay Beri, on July 16 at 1 PM EST, please click here:
http://www.netskope.com/webinar-data-breach-cloud-multiplier-effect/

Warmest regards,

Dr. Larry Ponemon

Will these costs continue to escalate? Are there preventive measures and controls that will make a company more resilient and effective in reducing the costs? Nine years of research about data breaches has made us smarter about solutions.

Critical to controlling costs is keeping customers from leaving. The research reveals that reputation and the loss of customer loyalty does the most damage to the bottom line. In the aftermath of a breach, companies find they must spend heavily to regain their brand image and acquire new customers. Our report also shows that certain industries, such as pharmaceutical companies, financial services and healthcare, experience a high customer turnover. In the aftermath of a data breach, these companies need to be especially focused on the concerns of their customers.

As a preventive measure, companies should consider having an incident response and crisis management plan in place. Efficient response to the breach and containment of the damage has been shown to reduce the cost of breach significantly. Other measures include having a CISO in charge and involving the company’s business continuity management team in dealing with the breach.

In most countries, the primary root cause of the data breach is a malicious insider or criminal attack. It is also the most costly. In this year’s study, we asked companies represented in this research what worries them most about security incidents, what investments they are making in security and the existence of a security strategy.

An interesting finding is the important role cyber insurance can play in not only managing the risk of a data breach but in improving the security posture of the company. While it has been suggested that having insurance encourages companies to slack off on security, our research suggests the opposite. Those companies with good security practices are more likely to purchase insurance.

Global companies also are worried about malicious code and sustained probes, which have increased more than other threats. Companies estimate that they will be dealing with an average of 17 malicious codes each month and 12 sustained probes each month. Unauthorized access incidents have mainly stayed the same and companies estimate they will be dealing with an average of 10 such incidents each month.

When asked about the level of investment in their organizations’ security strategy and mission, on average respondents would like to see it doubled from what they think will be spent—an average of $7 million to what they would like to spend—an average of $14 million. This may be a tough sell in many companies. However, our cost of data breach research can help IT security executives make the case that a strong security posture can result in a financially stronger company.

To download the complete report please use the following link:

www.ibm.com/services/costofbreach
 

The study has interesting findings about the state of mobile authentication and the preferences of companies. Specifically, for security purposes, location and validation of the number in real-time is considered valuable. They believe this would strengthen their security measures assuming opt-in by end-user. Furthermore, in the coming year most of the respondents say they are considering planning to extend the use of SMS-based two-factor authentication for user registration or identity verification or activation of online services. To download the entire report, please use this link.

Warmest regards,

Dr. Larry Ponemon
 

“Whilst key management may be emerging as a barrier to encryption deployment, it is not a new issue. The challenges associated with key management have already been addressed in heavily regulated industries such as payments processing, where best practices are well proven and could translate easily to a variety of other verticals. With more than 40 years’ experience providing key management solutions. Thales is ideally positioned to help organizations re-assess and re-evaluate their crypto security and key management infrastructure and deliver solutions that ensure their integrity and trustworthiness.”
-Richard Moulds, vice president strategy at Thales e-Security

Download your copy of the new 2013 Global Encryption Trends Study today.

We believe that individuals, healthcare organizations and government working together can reduce the risk of medical identity theft. First, individuals need to be aware of the negative consequences of sharing their credentials despite possible good intentions. They should also take the time to read their medical records and explanation of benefits statements to ensure that their information is correct. Second, healthcare organizations and government should improve their authentication procedures to prevent imposters from obtaining medical services and products.
Sponsored by the Medical Identity Fraud Alliance (MIFA), with support from ID Experts, the report can be found at http://medidfraud.org/2013-survey-on-medical-identity-theft.

Today we are releasing a very interesting follow up study on how organizations are improving--or not--their cloud security practices. The Security of Cloud Computing Users study shows that when it comes to cloud computing the glass may be half full or half empty because only half or less of respondents have positive perceptions about how their organizations are adopting cloud security best practices and creating confidence in cloud services used within their organization. A significant finding is that only 50 percent of respondents are engaging their security team (always or most of the time) in determining the use of cloud services. We hope you will read the complete report to learn about changes in cloud computing security. Access the full Ponemon Research: 2013 Security of Cloud Computing Users Study
Highlights: View key takeaways in this infographic

One of our latest studies is the Efficacy of Emerging Network Security Technologies our objective is to learn about organizations’ use and perceptions about emerging network security technologies and their ability to address serious security threats.  The emerging technologies examined in this study include next generation firewalls, intrusion prevention systems with reputation feeds and web application firewalls. Some interesting findings include:  Securing web traffic is by far the most significant network security concern for the majority of organizations. However, the majority of respondents say network security technologies fall short of vendors’ promises. Almost half (48 percent) of respondents agree that emerging network security technologies are not effective in minimizing attacks that aim to bring down web applications or curtail gratuitous Internet traffic. To read a copy of the report please click http://www.juniper.net/us/en/dm/spotlight

Complete study is available - http://www.venafi.com/ponemon-institute-first-annual-cost-of-failed-trust-report/?ls=mb&cid=70150000000KIkw

1. A formal data protection strategy for the organization and metrics to determine if the strategy is effective.
2. Key metrics from a management console and observation and regular testing of data protection solutions.
3. Data protection technology features that focus on privileged users, restriction of access and outbound communications are considered critical
4. Centralized management of the data protection program with such features as actionable information, policy administration, reporting, automatic securing of endpoints and monitoring.
5. Automated policies for detection and prevention of end-user misuse of information assets. 

To download the complete report click here:  <https://prod.secureforms.mcafee.com/content/verify?docID=3E46E43C-2252-487A-885B-4C5F125DFB60&cid=WB290&aName=DP&src=web&aType=report®ion=us>

Please listen to a recent podcast on the True Cost of Compliance study completed last month.  Martin KcMeay at Network Security Blog did a great job conducting this 30 minute interview.

www.mckeay.net/2011/03/02/network-security-podcast-23/

If you would like a copy of the full report, please visit Tripwire's website as follows:

www.tripwire.com/ponemon-cost-of-compliance/

If you want to view the webinar, presented on the Windows Live Meeting platform, please click here.

If you have any questions or comments about this issue, our report, or the webinar, we'd love to hear from you.

Thanks!

Yes, I said complacency.

Admiral Mullen's perspective is different from yours and mine, but there are nuggets here that are vital no matter what your business.

CEO: Are you puzzled as to why the people your company has hired to address security and privacy concerns never seem to meet the objectives you have for them? Are you flummoxed by the fact that the investments you’ve made in data security aren’t helping to stem the tide of data loss? 

Why do you think this is?  I’m seeing a confluence of conditions that appear to be contributing to this challenge to data integrity: the development of new, mobile technologies that empower employees to do more while away from the office; a failure of organizations to keep pace with the ways technology is changing the dynamics of data security; and current economic conditions that are putting increased pressure on individuals to be more productive with fewer resources.