While 82 Percent of Respondents Believe the It Security Industry is
Making Progress Against Cyber Attacks, Gains Are Undercut by Failure to
Enforce Best Practices in Critical Areas
NEWTON, Mass. & PETACH TIKVA, Israel--(BUSINESS WIRE)--Sep. 21, 2016--
While 82 percent of respondents believe the IT security industry is
making progress against cyber attacks, those gains are undercut
by egregious security practices in critical areas such as privileged
account security, third-party vendor access and cloud, according to
results from a new global survey commissioned and released by CyberArk
(NASDAQ: CYBR).
This Smart News Release features multimedia. View the full release here:
http://www.businesswire.com/news/home/20160921006404/en/
CyberArk Global Advanced Threat Landscape Survey 2016: http://www.cyberark.com/ThreatSurvey2016 (Photo: Business Wire)
The 10th annual CyberArk
Global Advanced Threat Landscape Survey 2016, themed “Cyber
Security: Past, Present & Future,” examines whether global enterprises
are learning and applying lessons from high-profile cyber attacks, and
how security priorities and business decision-making are being
influenced.
Cyber Lip Service? Bad Security Habits Persist, Despite Rising
Awareness
Headline-making cyber attacks have driven significant
increases in cyber security awareness. However, the failure to turn
increased awareness into the enforcement of security best practices
undermines progress for organizations’ cyber security efforts.
-
Seventy-nine (79) percent state their organization has learned lessons
from major cyber attacks and has taken appropriate action to improve
security.
-
Sixty-seven (67) percent now believe their CEO/board of directors
provide sound cyber security leadership (up from 57 percent in
2015).
-
The top actions taken because of this awareness are deployment of
malware detection (25 percent), endpoint security (24 percent) and
security analytics (16 percent).
-
Fifty-five (55) percent of respondents state their organization has
changed or evolved processes for managing privileged accounts.
-
Despite this, 40 percent of organizations still store privileged
and admin passwords in a Word document or spreadsheet, while 28
percent use a shared server or USB stick.
-
Nearly half of organizations (49 percent) allow third-party vendors
(such as supply chain and IT management firms) remote access to their
internal networks.
-
While the majority of respondents secure and monitor that access,
the public sector has the least third-party vendor access controls
in place compared to other industries, with 21 percent not
securing and 33 percent not monitoring that activity.
A Cyber State-of-Mind: Striking a Balance Between Fear and
Overconfidence
Organizations are increasingly adopting a
post-breach mindset, preparing to deal with ongoing cyber attacks and
activity in the case of a breach. This preparedness is leading to
positive steps in post-breach planning, but concerns exist about how
overconfidence may affect the ability to protect against cyber attacks.
-
Three out of four IT decision makers now believe they can prevent
attackers from breaking into their internal network – up from 44
percent in 2015.
-
Despite this, 36 percent believe a cyber attacker is currently on
their network, or has been in the last 12 months.
-
Forty-six (46) percent believe their organization was a victim of
a ransomware
attack in the past two years.
-
Eighty-two (82) percent of respondents believe the security industry
in general is making progress against cyber attacks.
-
Seventeen (17) percent believe the industry is falling further
behind.
-
Nearly every organization (95 percent) has a cybersecurity emergency
response plan.
-
This preparedness is undermined by a lack of communication and
testing – only 45 percent communicate and regularly test their
plan with all IT staff.
-
Sixty-eight (68) percent of organizations cite losing customer data as
one of their biggest concerns following a cyber attack.
-
Sixty (60) percent of those who use the cloud store customer data
in it.
-
Fifty-seven (57) percent who store information in the cloud are
not completely confident in their cloud provider’s ability to
protect their data.
-
When identifying the most difficult stage of a cyber attack to
mitigate, malware installation ranked first (41 percent), followed by privileged
account takeover (25 percent).
On the Radar: Future Risks Emerge
As cyber attacks continue
on trusted institutions such as government, utilities and financial
systems, respondents identify what types of cyber attacks or tactics are
most concerning. Respondents also share which cyber attack scenarios
they think represent the most immediate and potentially catastrophic
threat in general.
-
Respondents list the following types of cyber attacks or tactics as
the top-ranked concern in the next 12 months: Distributed
denial-of-service (DDoS) attacks (19 percent), phishing (14 percent),
ransomware (13 percent), privileged account exploitation (12 percent)
and perimeter breaches (12 percent).
-
Attacks on financial systems, including disruption of global markets
(58 percent) is the most potentially catastrophic threat perceived by
respondents, followed by attacks causing massive utilities damage (55
percent) and those impacting civil services such as healthcare and
hospital services (51 percent).
The Impact of a Breach on Customer Data and Corporate Accountability
The
survey found a varied global picture in terms of preparedness for
increased regulatory oversight and the impact on cyber security programs
and accountability.
-
While 70 percent of global respondents agree that the threat of legal
action and fines influence the level of executive/board involvement in
security-related decisions, 22 percent of the respondents do not
incorporate compliance fines or legal fees (19 percent) into the cost
of a breach.
-
Nearly seven in ten (69 percent) respondents state that, in response
to a breach or cyber attack, stopping the breach/removing the
attackers is among their top priorities, followed by detecting the
source of the breach (53 percent).
-
Far fewer respondents prioritize notifying the CEO/board (26
percent), entire staff/workforce (25 percent) or customers (18
percent).
“The findings of this year’s Global Advanced Threat Landscape Survey
demonstrate that cyber security awareness doesn’t always equate to being
secure. Organizations undermine their own efforts by failing to enforce
well-known security best practices around potential vulnerabilities
associated with privileged accounts, third-party vendor access and data
stored in the cloud,” said John Worrall, CMO, CyberArk. “There’s a fine
line between preparedness and overconfidence. The majority of cyber
attacks are a result of poor security hygiene – organizations can’t lose
sight of the broader security picture while trying to secure against the
threat du jour.”
Download the Report
To download the full CyberArk Global
Advanced Threat Landscape Survey 2016, visit http://www.cyberark.com/ThreatSurvey2016.
About the Research
CyberArk commissioned independent
research firm Vanson Bourne to conduct surveys with 750 IT and IT
security decision makers from around the world, including C-level
executives, directors and department heads among enterprise
organizations. Respondents represent a range of public and private
organizations across multiple vertical industries from the United
States, Europe (France, Germany, United Kingdom), Israel and Asia
Pacific (Australia, New Zealand, Singapore).
About CyberArk
CyberArk is
the only security company focused on eliminating the most advanced cyber
threats; those that use insider privileges to attack the heart of the
enterprise. Dedicated to stopping attacks before they stop business,
CyberArk proactively secures against cyber threats before attacks can
escalate and do irreparable damage. The company is trusted by the
world’s leading companies – including 45 percent of the Fortune 100 – to
protect their highest value information assets, infrastructure and
applications. A global company, CyberArk is headquartered in Petach
Tikvah, Israel, with U.S. headquarters located in Newton, Mass. The
company also has offices throughout EMEA and Asia Pacific and Japan. To
learn more about CyberArk, visit www.cyberark.com,
read the company blog, http://www.cyberark.com/blog/,
follow on Twitter @CyberArk or
Facebook at https://www.facebook.com/CyberArk.
Forward-Looking Statements
This release may contain
forward-looking statements, which express the current beliefs and
expectations of CyberArk’s (the “Company”) management. In some cases,
forward-looking statements may be identified by terminology such as
“believe,” “may,” “estimate,” “continue,” “anticipate,” “intend,”
“should,” “plan,” “expect,” “predict,” “potential” or the negative of
these terms or other similar expressions. Such statements involve a
number of known and unknown risks and uncertainties that could cause the
Company’s future results, performance or achievements to differ
significantly from the results, performance or achievements expressed or
implied by such forward-looking statements. Important factors that could
cause or contribute to such differences include risks relating to:
changes in the rapidly evolving cyber threat landscape; failure to
effectively manage growth; near-term declines in the Company’s operating
and net profit margins and its revenue growth rate; real or perceived
shortcomings, defects or vulnerabilities in the Company’s solutions or
internal network system, or the failure of the Company’s customers or
channel partners to correctly implement the Company’s solutions;
fluctuations in quarterly results of operations; the inability to
acquire new customers or sell additional products and services to
existing customers; competition from IT security vendors; the Company’s
ability to successfully integrate recent and or future acquisitions; and
other factors discussed under the heading “Risk Factors” in the
Company’s most recent annual report on Form 20-F filed with the
Securities and Exchange Commission. Forward-looking statements in this
release are made pursuant to the safe harbor provisions contained in the
Private Securities Litigation Reform Act of 1995. These forward-looking
statements are made only as of the date hereof, and the Company
undertakes no obligation to update or revise the forward-looking
statements, whether as a result of new information, future events or
otherwise.
Copyright © 2016 CyberArk Software. All Rights Reserved. All
other brand names, product names, or trademarks belong to their
respective holders.
View source version on businesswire.com: http://www.businesswire.com/news/home/20160921006404/en/
Source: CyberArk
Media Relations Contacts:
fama PR
Brooke Wenrick,
+1-617-986-5022
cyberark@famapr.com
or
CyberArk
Liz
Campbell, +1-617-558-2191
press@cyberark.com
or
Investor
Relations Contact:
CyberArk
Erica Smith, +1 617-630-6426
ir@cyberark.com