Symantec 2004 Pulse of IT Security in Canada

Volume II

Survey shows Increases in Concern and Spending for IT Security

Andrew BissonDirector, Planning and Market Analysis

Branham Group

May 11, 2004

Survey Objective/Scope Survey Results

• Importance of IT Security• Risk of Attack• Disclosing a Security Breach• Resolving a Security Breach• IT Virus Infections• Managing IT Security• Monitoring for IT Security Breaches• Investment in IT Security

Summary

Agenda

Survey Objective/Scope

Objective: Gauge the awareness, priority and understanding of IT Security in Canada

Target Audience: Senior IT Executives from Canadian Financial Post 800 Companies and Leading Canadian Universities & Colleges

Timeframe: February - March 2004 Total Respondents: 150

• VP IT/IS: 99• CIO: 27• CTO: 3• CFO: 13• CSO: 8

Concern for IT Securityis on the Rise!

Survey Results

ALL respondents identified IT Security as an area of importance

65.5% ranked security amongst top 5 corporate priorities

55.4% of respondents from FP800 Companies are more concerned about IT Security then they were 12 months ago (3.57% Less, 41.1% Unchanged)

Importance of IT Security

Level of Concern

0%

10%

20%

30%

40%

50%

60%

More Less Unchanged%

of

Res

po

nd

ents

2003 2004 n= 74 (2003); n=112 (2004)

2004 Top 3 IT Security Concerns: • Unauthorized

Access by Insiders• Viruses• Identity Theft

Importance of IT Security

Survey Results

2003 Top 3 IT Security Concerns: • Hackers• Unauthorized

Access• Viruses

IT Security Threat Concerns (Based on Top 3 Concerns)

0 10 20 30 40 50 60 70 80

SPAM

Theft of Sensitive Information

Denial of Service Attacks

External Unauthorized Access

Identity Theft

Viruses (inclu. Worms)

Unauthorized Access by Insiders

# of Responses n=107

Survey Results

Risk of Attack

Risk of Attack was rated low

• Today: weighted average of 4.10 (10 being the highest risk and 1 being the lowest)

• Consistent with 2003 result of 4.12

• In 12 Months: weighted average of 4.18

Top 3 Drivers for attention to IT Security:

• Data/Information Protection

• Lost Revenue

• Negative Publicity

Survey Results

Disclosing a Security Breach

39.3% claimed they would admit to a security breach while 35.7% would not

• Consistent with 2003 results: 41.3% would admit to a breach vs. 37.3% who would not

79.5% of those that would admit to a breach have been a target (unauthorized access, viruses, etc.).

• Only 19.4% admitted to being a target in 2003!

Growth in Security Breaches

0%

20%

40%

60%

80%

100%

2003 2004

% o

f R

esp

on

den

tsn=31 (2003); n=44 (2004)

Survey Results

Disclosing a Security Breach Top 3 Security Breaches: SPAM, Unauthorized Access by Insiders,

Denial of Service Attacks

IT Security Breach Experiences

0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%

None

Other

External Unauthorized Access

Identity Theft

Theft of Sensitive Information

Financial Fraud

Eavesdropping / Spying / Probing

Virus / Worms

Denial of Service Attacks

Unauthorized Access by Insiders

SPAM

% of Respondents n=36

Survey Results

Resolving a Security Breach Top 3 Departments Involved in Resolving a Breach:

• Information Technology (IT); Human Resources; Legal

Top 3 Costs of Resolving a Security Breach:

• 67%: $0-$10K; 17%: $10K-$50K; 11%: $50K-$100KAnnual Cost Estimates of IT Security Breaches

0%

10%

20%

30%

40%

50%

60%

70%

$0–$10K $10K–$50K $50K–$100K $100K–$500K $500K–$1M $1M+

% o

f R

esp

on

den

ts

n=36

Survey Results

IT Virus Infections

Top 3 Categories for Frequency of Virus Infections:

• Quarterly: 24.5%

• Never: 23.5%

• Yearly: 19.6%

Perceived Threats

• Lost Revenue

• Lost Employee Productivity

Estimated Cost Attributed to Virus Outbreak

0%

10%

20%

30%

40%

$0-$5K $5K-$10K

10K-$50K

$50K-$100K

$100K-$500K

$500K+

Average Cost

% o

f R

esp

on

den

ts

n=86

Survey Results

Managing IT Security

86.5% of FP800 respondents have implemented an IT Security Policy

The majority of IT Security Issues are dealt with internally

31%

45%

13%

11%

Internal IT Generalist

Internal IT Security Expert

Security Partner/Vendor

No Designated Department/Person

IT Security Responsiblity

n=98

Survey Results

Monitoring for IT Security Breaches

64.5% of respondents claim that 100% of their network is being monitored for intrusions (11.8% don’t monitor at all)

62.8% of respondents claim to review their Firewall logs for inappropriate activity Daily (22.5% weekly)

89.8% of respondents claim to monitor their critical application servers for non-authorized access/use

27.3% of respondents claim to run vulnerability assessment scans of their networks and critical services annually (19.3% quarterly, 18.2% monthly, 15.9% weekly, 11.3% daily)

37.4% of respondents claim to run penetration testing on their infrastructure annually (23.1% quarterly, 13.2% never)

80.6% of respondents claim to have a formal procedure to manage vulnerabilities and implement patches

69.4% of respondents claim to have developed an incident response plan that would be initiated should a security breach occur.

Survey Results

Investment in IT Security

IT Security Spend rose in 2004 and is expected to continue to rise going into 2005

On average 7.6% of the IT Budget for FP800 Companies is dedicated to IT Security

IT Security as a % of IT Budget

0

10

20

30

40

50

60

Increased Decreased Unchanged

% o

f R

espo

nden

ts

Previous 12 Months Next 12 months n=106

Survey Results

Investment in IT Security

IT Security Deployment and Investment Trends

0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%

Other

Data Forensic Tools

Real-time 24/7 Information Security Monitoring

Physical Access Management incl. Biometrics

Security Information Management

Early Warning Security Threat Notif ications

Incident Response Team

Intrusion Detection System

Anti-SPAM

Security Training

Security Standards / Policies

Anti-virus

Firew all

% of Respondents2004 Invest; n=101 2004 Deployed; n=107 2003; n=75

Summary

Canada’s leading IT executives are more concerned about IT Security then they were a year ago, however few see their organizations as being a significant risk of attack

IT attacks are on the rise, however IT executives continue to be reluctant in disclosing breaches

Concerns for Identity Theft are on the rise

Denial of Service Attacks are on the rise

Investment in IT Security Training is on the rise

A majority of FP800 respondents have implemented an IT Security Policy

IT Security Investments continue to rise, albeit at a slower pace…

Contact

Andrew BissonDirector, Planning and Market AnalysisTel: (613) 745-2282 ext 17E-mail: abisson@branhamgroup.com

www.branhamgroup.com