1. International Trends in Cybersecurity
April 2016
REMINDER: The complete International Trends in Cybersecurity report and 12 country
snapshots can be viewed free of charge at CompTIA.org (with simple registration)
2. The Importance of IT Security Continues to Grow
International Summary
Today: NET Lower 6%, No Change 18%, Moderately Higher 49%, Significantly Higher 27%
Two Years From Now: NET Lower 3%, No Change 18%, Moderately Higher 43%, Significantly Higher 35%
79% NET of businesses expect IT security to become a higher priority over the next two years
Source: CompTIA International Trends in Cybersecurity | Overall results, n=1,509
NET Higher: Significantly Higher + Moderately Higher
NET Lower: Significantly Lower + Moderately Lower
3. Satisfaction With Current Security Level
International Summary: Completely Satisfactory 23%, Mostly Satisfactory 54%, Adequate/Unsatisfactory 23% (NET Satisfactory 77%)
Mature Economies: Completely Satisfactory 20%, Mostly Satisfactory 53%, Adequate/Unsatisfactory 28% (NET Satisfactory 72%)
Maturing Economies: Completely Satisfactory 25%, Mostly Satisfactory 56%, Adequate/Unsatisfactory 20% (NET Satisfactory 80%)
Source: CompTIA International Trends in Cybersecurity | Overall results, n=1,509
NET Satisfactory: Completely + Mostly Satisfactory
Adequate/Unsatisfactory: Simply Adequate + Mostly Unsatisfactory + Completely Unsatisfactory
Note: see slide 18 for which countries are categorized in Mature Economies vs. Maturing Economies.
4. Top Drivers for Changing IT Security Approach
International Summary
1. Change in IT operations (e.g. cloud, mobility)
2. Reports of security breaches at other firms
3. Internal security breach or incident
4. Change in business operations or client base
5. Knowledge gained from training or certification
Mature Economies
1. Change in IT operations (e.g. cloud, mobility)
2. Reports of security breaches at other firms
3. Internal security breach or incident
4. Knowledge gained from training or certification
5. Change in business operations or client base
Maturing Economies
1. Change in IT operations (e.g. cloud, mobility)
2. Change in business operations or client base
3. Internal security breach or incident
4. Knowledge gained from training or certification
5. Reports of security breaches at other firms
Source: CompTIA International Trends in Cybersecurity | Overall results, n=1,509
5. Top Factors Impacting IT Security Practices
Columns: International Summary, Mature Economies, Maturing Economies
Volume of security threats 36% 32% 38%
Greater availability of hacking tools 37% 32% 40%
Sophistication of security threats 39% 37% 41%
More reliance on Internet applications 42% 39% 45%
Greater tech interconnectivity 42% 37% 46%
Growing organization of hackers 43% 39% 46%
Rise of social networking 45% 39% 49%
Source: CompTIA International Trends in Cybersecurity | Overall results, n=1,509
6. Top IT Security Concerns
1. Malware (e.g. viruses, worms, trojans)
2. Hacking (e.g. DoS attack)
3. Data loss/leakage
4. Physical security threats (e.g. device theft)
5. Privacy concerns
6. Social engineering/Phishing
7. Intentional abuse by insiders (e.g. staff)
8. Understanding security risks of emerging areas
9. Regulatory compliance
10. Human error among general staff
Top Serious Concerns
Greatest Growth in Concern (More Critical Today vs. Two Years Ago)
Source: CompTIA International Trends in Cybersecurity | Overall results, n=1,509
International Summary
1. Data loss/leakage
2. Malware (e.g. viruses, worms, trojans)
3. Hacking (e.g. DoS attack)
4. Social engineering/Phishing
5. Understanding security risks of emerging areas
6. Privacy concerns
7. Physical security threats (e.g. device theft)
8. Intentional abuse by insiders (e.g. staff)
9. Regulatory compliance
10. Human error among general staff
7. Mobile Security Incidents
Columns: International Summary, Mature Economies, Maturing Economies
None of the above 24% 31% 18%
Violation of policy on corporate data 28% 26% 31%
Employees disabling security features 28% 20% 33%
Mobile phishing attack 29% 22% 34%
Mobile malware 32% 22% 40%
Lost device 37% 32% 40%
Source: CompTIA International Trends in Cybersecurity | Overall results, n=1,509
76% of organizations overall self-report experiencing at least one of these mobile security events
8. Top 5 Concerns Over Mobile Security Threats
International Summary
1. Open WiFi networks
2. Mobile-specific viruses or malware
3. USB flash drives
4. Theft or loss of corporate devices
5. Unauthorized apps
Mature Economies
1. Theft or loss of corporate devices
2. Open WiFi networks
3. Mobile-specific viruses or malware
4. Unauthorized apps
5. Social media
Maturing Economies
1. Open WiFi networks
2. USB flash drives
3. Mobile-specific viruses or malware
4. Theft or loss of corporate devices
5. Unauthorized apps
Source: CompTIA International Trends in Cybersecurity | Overall results, n=1,509
9. Experiences With Data Loss
Many are aware of their company experiencing some type of loss of confidential data through carelessness or negligence in the past 12 months
[Chart: responses "No/Don't know", "Yes, probably" and "Yes, definitely" for International Summary, Mature Economies and Maturing Economies. Values as extracted: 28%, 38%, 34%; 51%, 29%, 20%; 41%, 35%, 24%]
Source: CompTIA International Trends in Cybersecurity | Overall results, n=1,509 and n=850 who had a loss
Types of Data Lost
• Employee data
• Financial data
• Customer records
• Intellectual property
Top Areas Where Managers Plan to Improve DLP
• Spyware prevention
• Consumer app restriction
• Mobile file encryption
• BYOD restriction
• Device safety policy enforcement/creation
10. Self-Reported Occurrence of Security Breaches
Columns: International Summary, Mature Economies, Maturing Economies
None 27% 35% 22%
1-10 breaches 64% 58% 69%
> 10 breaches 9% 7% 9%
Over the past 12 months
73% of all firms experienced at least one breach
61% of all firms experienced at least one serious breach
Source: CompTIA International Trends in Cybersecurity | Overall results, n=1,509
11. Human Element a Major Part of Security Risk
International Summary: Technology error 42%, Human error 58%
Source: CompTIA International Trends in Cybersecurity | Overall results, n=1,200 who had a security incident in the past 12 months
Top Human Error Sources
42% General carelessness
37% Failure to get up to speed on new threats
37% Lack of expertise with websites and applications
37% End user failure to follow policies and procedures
36% Lack of expertise with networks, servers and other infrastructure
34% IT staff failure to follow policies and procedures
12. Human Error Becoming More of a Factor in Security Breaches and Incidents
Columns: International Summary, Mature Economies, Maturing Economies
NET technology error more of a factor 13% 13% 13%
No change in the allocation 23% 30% 19%
NET human error more of a factor in security breaches 64% 57% 68%
Source: CompTIA International Trends in Cybersecurity | Overall results, n=1,200 who had a security breach in the past 12 months
NET More of a factor: Significantly More + Moderately More
23% of organizations where human error is now significantly more of a factor
Human error is significantly more of a factor among firms in Maturing Economies (27%) vs. those in Mature Economies (18%) now compared to two years ago
13. Utilization of Security Assessments and Training Among Staff
Columns: International Summary, Mature Economies, Maturing Economies
None of the above 8% 10% 6%
Ad hoc security experiments 25% 18% 30%
Formal vulnerability assessments 28% 22% 33%
Online course 31% 26% 34%
Posted security policies 35% 35% 34%
Random security audits 36% 30% 41%
Ongoing security training program 41% 34% 45%
New employee orientation 43% 43% 43%
Source: CompTIA International Trends in Cybersecurity | Overall results, n=1,509
92% of companies overall use at least one of these formats to assess or improve security knowledge among employees
14. Managers Value IT Security Certifications
Columns: International Summary, Mature Economies, Maturing Economies
NET Valuable 80% 68% 89%
Very Valuable 38% 25% 49%
Neutral 17% 25% 10%
NET Not that Valuable 3% 6% 1%
Source: CompTIA International Trends in Cybersecurity | Overall results, n=1,246 managers/executives
NET Valuable: Very Valuable + Valuable
NET Not that Valuable: Not that Valuable + Not at all Valuable
15. The Importance of Testing After IT Security Training
Columns: International Summary, Mature Economies, Maturing Economies
Not that Important 4% 7% 1%
Somewhat Important 34% 42% 27%
Very Important 63% 51% 72%
96% NET of managers overall believe it is important (very + somewhat) to test after IT security training to confirm knowledge gains
93% NET Important to managers in Mature Economies (51% very important)
99% NET Important to managers in Maturing Economies (72% very important)
Source: CompTIA International Trends in Cybersecurity | Overall results, n=1,246 managers/executives
NET Important: Very Important + Somewhat Important
16. Security Awareness Levels Among Employees
International Summary: Advanced 39%, Basic 52%, Low priority 9%
Source: CompTIA International Trends in Cybersecurity | Overall results, n=1,509
Top Potential Business Impacts of Deficiencies in Security Awareness
39% Unaware of areas where company may be exposed
39% Incurred costs for (re)training current workforce
37% Loss of business as a result of security issues with customer data
36% Failure to keep up with changes in regulatory environment
36% Unaware of new trends in security
17. Effectiveness of Security Training
Columns: International Summary, Mature Economies, Maturing Economies
NET Effective (Extremely + Fairly Effective) 73% 70% 76%
Extremely Effective 23% 22% 25%
Fairly Effective 50% 48% 51%
Moderately Effective 22% 26% 20%
Slightly Effective 4% 4% 3%
Not at all Effective 0% 1% 0%
Source: CompTIA International Trends in Cybersecurity | Overall results, n=1,392 firms using security training
Suggestions for Improving Training*
- “Continual training on new threats.”
- “Regular retraining.”
- “More comprehensive and formalised training.”
- “Keep it up to date.”
- “Regular reviews.”
- “Mandatory training.”
- “More tests of employees’ security understanding.”
- “A more strict regime and more random security audits.”
- “Have a particular person assigned for the training.”
- “More investment in new tech.”
- “More hands-on simulations of real-world breaches.”
- “There should be very strict policies be enforce on proper training. Proper budgets for training.”
- “Shorter training sessions but more of them.”
- “Tests must be done every three months. Continuous training.”
*Sampling of international comments representing common themes
18. About This Research
CompTIA’s 2016 International Trends in Cybersecurity was conducted to collect and share information on behaviors, techniques, and
opportunities associated with information technology (IT) security across several countries. The objectives of this research include:
• Evaluate and track changes in IT security practices, policies, threats, breaches, etc. over time
• Identify drivers and inhibitors among IT decision makers when evaluating security tech
• Gain insights into the security issues associated with emerging tech (e.g. cloud computing, mobile solutions)
• Track trends in IT security training and education
The data for this study was collected via a quantitative online survey conducted January 21 to February 18, 2016 among 1,509 IT and business
executives directly involved in setting or executing IT security policies and processes within their organizations. See the Appendix for Respondent
Profile details such as industry, company size, and job role. The 12 countries covered in this study include:
Australia (n=125); Brazil (n=126); Canada (n=125); Germany (n=125); India (n=131); Japan (n=125); Malaysia (n=125); Mexico (n=126); South
Africa (n=125); Thailand (n=125); United Arab Emirates (n=126); United Kingdom (n=125).
Maturing Economies: Brazil, India, Malaysia, Mexico, South Africa, Thailand, UAE (n=884).
Mature Economies: Australia, Canada, Germany, Japan, UK (n=625).
Surveys were localized and translated to allow respondents to participate in their native language. Additionally, precautions were taken to
minimize misinterpretations of questions. However, research has shown that cultural differences exist and can affect responses to certain question
types, such as 5-point satisfaction rating questions. Viewers of this report should keep that in mind when comparing results across countries.
The margin of sampling error at 95% confidence for aggregate results is +/- 2.5 percentage points. Sampling error is larger for subgroups of the
data. As with any survey, sampling error is only one source of possible error. While non-sampling error cannot be accurately calculated,
precautionary steps were taken in all phases of the survey design, collection and processing of the data to minimize its influence. Note: because
data collection occurred via an online survey, in countries where Internet penetration is lower among businesses, the non-sampling error could
be higher.
More information and all country snapshots are available at CompTIA.org/internationalsecurity. CompTIA is responsible for all content contained
in this report. Any questions regarding the study should be directed to CompTIA Research & Market Intelligence staff at research@comptia.org.
CompTIA is a member of the Marketing Research Association (MRA) and adheres to the MRA’s Code of Market Research Ethics and Standards.
19. Thank You
Copyright (c) 2016 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org