KnowBe4 2019 Security Threats and Trends Survey

1. Demographic Questions

1. Which best describes your vertical industry?
- Academic (College/University)
- Accounting
- Advertising
- Aerospace
- Agriculture/Forestry
- Automotive
- Biopharma and Biosciences
- Business Services/Consulting
- Communications/Telecom
- Computer hardware/software/technology manufacturer
- Construction
- Consulting
- Education (K through 12)
- Energy
- Engineering
- Financial services/banking, legal, real estate
- Gaming
- Government (federal)
- Government (state and local)
- Healthcare
- Hotel & Hospitality
- Insurance
- IT/Technology Services Provider
- Law Enforcement
- Legal
- Manufacturing
- Marketing
- Media and Entertainment
- News Organization
- Non Profit
- Oil/Gas/Mining
- Pharmaceutical
- Retail
- Sales
- Security
- Software
- Sports
- Surveillance
- Telecommunications
- Transportation
- Travel
- Utilities
- Weather
- Other (please specify)

2. How many servers are in your organization?
- 1 to 10
- 11 to 20
- 21 to 30
- 31 to 50
- 51 to 100
- 101 to 250
- 251 to 500
- 501 to 1,000
- 1,001 to 5,000
- More than 5,000

3. What is your title/job function?
- Application Manager
- Architect
- CEO
- CIO
- CISO
- COO
- CTO
- Database Administrator
- Engineer (Systems or Network)
- Independent Consultant/Systems Integrator
- IT Manager
- IT Staff
- Network Administrator
- Network Manager
- Plant Facilities Manager
- Security Administrator/Manager
- Server Hardware Administrator
- Software Developer
- Storage Administrator
- Telecom Engineer
- Telecom Manager
- VP of IT
- VP of Security
- Other (please specify)

4. What is your organization's TOTAL average annual expenditure on security, including hardware, software, services and training?
- $20+ million
- $10-$19.9 million
- $5-$9.9 million
- $1-$4.9 million
- $500,000-$999,999
- $250,000-$499,999
- $101,000-$249,000
- $51,000-$100,000
- $25,000-$50,000
- <$25,000
- We do not have a separate security budget

5. Has the increase in cyber security attacks caused your firm to become more security conscious and proactive in terms of its security initiatives?
- Yes
- No
- Remains the same. Cyber attacks are a fact of life/cost of doing business in the Digital Age.
- We're considering it; no decision made.
- Unsure

6. What issues pose the greatest threats to the organization's security over the next 12 months? (Select ALL that apply)
- Email/Phishing scams
- Social Engineering
- Targeted attacks by hackers
- Physical attacks on the devices or premises
- Attacks on the Network edge/perimeter
- End user carelessness
- BYOD and mobile devices
- Lost or stolen devices
- Mis-configuration/provisioning errors by security administrators
- Back door or open ports on servers
- Password attacks
- Data leaks
- Eavesdropping/MitM
- Denial of Service (DoS) attacks
- Corporate espionage
- Insider attacks by employees
- Insider attacks via a Partner/Consultant/Vendor or 3rd Party Service Provider
- Regulatory Compliance issues
- A combination of the above
- Other (please specify)

7. What are your firm's most important security priorities over the next 12 months? (Select ALL that apply)
- Proactive security maintenance, upgrades and patches
- Keeping pace with the latest security threats
- Keeping pace with security exploits in technologies (e.g., cloud, IoT, Machine learning)
- Implementing Security Awareness Training
- Updating, enforcing computer security policies
- Upgrading security mechanisms (e.g., firewalls, routers, gateways, switches)
- Upgrading intrusion detection/audit trail/authentication/access control/tracking
- Strengthening encryption/encrypting data
- Strengthening infrastructure and physical security
- Strengthening virtualization and cloud security
- Securing the Network edge
- Allocating funds to buy security products & hire security consultants
- Identifying & choosing the right security products for our business
- Dealing with multiple security vendors
- Conducting vulnerability testing
- GDPR, regulatory compliance and data privacy
- Contractual and legal responsibilities
- Understanding security protocols and APIs
- Correct configuration and provisioning of security devices, applications
- Other (please specify)

8. What are the biggest security challenges facing your firm over the next 12 months? (Select ALL that apply)
- Cost/budget constraints
- Overworked security, IT staff
- Lack of skilled security, IT staff
- Too many entry points into the network to monitor & manage
- Inadequate security awareness training
- Our inability to identify, quickly respond to and shut down a security hack
- Upper management does not take security seriously enough
- Weak physical infrastructure security
- Weak application, operating system security
- Weak Network edge security
- Security administrators have little, no control over BYOD & mobile devices
- End user carelessness
- Potential losses, litigation due to security breaches, data theft
- Weak, lax computer security policies & procedures
- Failure of our business to adhere to compliance regulations
- Other (please specify)

9. Recently, there is a trend showing IT pros are no longer buying third-party Antivirus. Instead, they're relying on Win10 and its built-in Windows Defender. Does your firm plan to do the same thing?
- We have already migrated to Win10 and use Windows Defender now
- Yes, we're planning to migrate to Win10 and use Windows Defender in the near future
- No, we will continue to buy third-party antivirus for the desktop
- Unsure

10. What new security threats most concern your firm over the next 12 months? (Select ALL that apply)
- Active content in Email applications
- Laser Phishing
- New sophisticated BEC or CEO Fraud spear Phishing variants
- Cryptojacking malware
- New "sextortion" scams
- Shadow IT applications
- Attacks on IoT devices attached to the network
- Nothing in particular at this time
- Unsure
- Other (please specify)

11. Does your firm allow its end users to Bring Their Own Devices (BYOD), e.g., notebooks, tablets, smart phones, and utilize them as corporate devices accessing network data and applications?
- Yes
- No

12. If your firm allows BYOD usage, who is responsible for installing, maintaining & updating security on employee-owned notebooks, tablets, smart phones and other devices?
- Security and IT administrators
- Employees
- Both: the IT Dept. provides & installs the security packages and the employees maintain it
- We have no formal, specific BYOD security provisions
- We leave it up to the end users to install and maintain security on their BYOD devices
- Unsure

13. Have there been any security breaches to employee-owned BYOD devices in the last 12 months that have impacted the corporate network?
- Yes
- No
- We have no way of knowing
- We don't require employees to notify the IT Dept. when BYOD devices experience a security breach or hack
- Unsure

14. If any of your employee-owned BYOD devices did experience a security breach, what impact did it have on corporate servers, applications & network operations? (Select ALL that apply)
- No impact
- The corporate network experienced data leakage
- The corporate network was infected with Malware & other malicious programs
- The corporate network was infected with keyboard logging
- Sensitive data was lost, stolen or hijacked
- Sensitive data was changed
- Network operations or key applications (e.g., Email or servers) were disrupted for a short time (one to five minutes)
- Network operations or key applications were disrupted for up to 30 minutes
- Network operations or key applications were disrupted for one hour to several hours
- Unsure
- Other (please specify)

15. Does your firm have a response plan in place to deal with lost, stolen or hijacked BYOD devices?
- Yes
- No
- We're in the process of devising a policy
- We're considering it; no decision made
- Unsure

16. What measures are your firm and the IT/Security Dept. taking to police its end users, including remote workers, contract workers and anyone using BYOD equipment to access the corporate network? (Select ALL that apply)
- We informally or verbally tell all employees & contract workers they must comply with corporate security policies and procedures regardless of whether devices are company or employee-owned.
- We require strict adherence to corporate security policies. All employees (remote and contract workers) are required to read security compliance policies on passwords, software updates, data privacy & compliance regulations and be aware of all penalties for violating security policies, including termination.
- We provide security awareness training to keep employees updated on all of the latest hacks and threats.
- We require employees to immediately notify Security/IT administrators if their corporate or BYOD devices experience a security breach or if their devices are lost or stolen.
- We do not require end users or contract workers to install security on BYOD devices and we have no specific security measures in place to oversee or monitor them.
- Unsure
- Other (please specify)

17. Does your firm calculate the hourly cost of downtime for mission critical servers, devices and applications related to security breaches?
- Yes
- No
- Not currently, but we plan to do so in the near future
- Unsure

18. Is your organization more/less prepared and better equipped to respond to the various security threats than it was 12 to 18 months ago?
- Much more prepared and proactive
- Somewhat more prepared, but we need to do more
- No change; we're adequately prepared to deal with security threats
- Somewhat less prepared; we're more reactive than proactive
- Much less prepared
- We're overwhelmed; we lack the budget/resources to keep up with security threats
- We're totally unprepared; we have no plan in place to respond to a security hack
- Unsure
- Other (please specify)

19. ESSAY Question: Please provide us with your comments and insights on your firm's approach to security. Do you think your organization is doing a good job of securing its infrastructure and data assets in the face of the evolving threat landscape? Leave your Email address so we may contact you if you win the $100 Amazon Gift Certificate.