KnowBe4 2020 Security Data Breach Trends Survey

1. Demographic Questions

1. Which best describes your vertical industry?
  Academic (College/University)
  Accounting
  Advertising
  Aerospace
  Agriculture/Forestry
  Automotive
  Biopharma and Biosciences
  Business Services/Consulting
  Communications/Telecom
  Computer hardware/software/technology manufacturer
  Construction
  Consulting
  Education (K through 12)
  Energy
  Engineering
  Financial services/banking, legal, real estate
  Gaming
  Government (federal)
  Government (state and local)
  Healthcare
  Hotel & Hospitality
  Insurance
  IT/Technology Services Provider
  Law Enforcement
  Legal
  Manufacturing
  Marketing
  Media and Entertainment
  News Organization
  Non Profit
  Oil/Gas/Mining
  Pharmaceutical
  Retail
  Sales
  Security
  Software
  Sports
  Surveillance
  Telecommunications
  Transportation
  Travel
  Utilities
  Weather
  Other (please specify)

2. How many employees are in your organization?
  1-49
  50-200
  201-499
  500-999
  1,000-5,000
  5,000-10,000
  10,000+

3. How many servers are in your organization? This includes on-prem and cloud servers.
  1 to 10
  11 to 20
  21 to 30
  31 to 50
  51 to 100
  101 to 250
  251 to 500
  501 to 1,000
  1,000+
  Other (please specify)

4. What is your title/job function?
  Application Manager
  Architect
  CEO
  CIO
  CISO
  CMO
  COO
  CTO
  Database Administrator
  Engineer (Systems or Network)
  Independent Consultant/Systems Integrator
  IT Manager
  IT Staff
  Network Administrator
  Network Manager
  Plant Facilities Manager
  Security Administrator/Manager
  Server Hardware Administrator
  Software Developer
  Storage Administrator
  Telecom Engineer
  Telecom Manager
  VP of IT
  VP of Security
  Other (please specify)

5. What is your organization's TOTAL average annual expenditure on security, including hardware, software, services and training?
  $20+ million
  $10-$19.9 million
  $5-$9.9 million
  $1-$4.9 million
  $500,000-$999,999
  $250,000-$499,999
  $101,000-$249,000
  $51,000-$100,000
  $25,000-$50,000
  <$25,000
  We do not have a separate security budget

6. Has your organization experienced a successful data breach in which malware, ransomware or hackers gained access to your network, devices or computers within the last 12 months -- even if only for a short while, before detection and removal?
  Yes
  No
  Unsure
  We have no way of knowing

7. If Yes, what root exploit causes were involved in successful attacks or compromises within the last 12 months? (Select ALL that apply)
  Email/Phishing scams
  Social Engineering
  Targeted attacks by organized hackers
  Ransomware
  CEO Fraud/Business Email Compromise
  User or Network Administrator Error
  MFA hack/Failure
  Zero Days
  Unpatched software exploits
  Malware
  Physical attacks on unsecured servers or devices or premises
  Attacks on the Network edge/perimeter
  End user carelessness
  Insecure end user/company-owned BYOD & mobile devices
  Lost or stolen devices
  Misconfiguration/provisioning errors by security administrators
  Back door or open ports on servers
  Password attacks
  Data leaks
  Eavesdropping/MitM
  Denial of Service (DoS) attacks
  Misconfiguration errors
  Inadequate Network Edge security
  Corporate espionage
  Insider attacks by employees
  Insider attacks via a Partner/Consultant/Vendor or 3rd Party Service Provider
  Lost or stolen laptop/notebook/tablet/mobile phone
  Failure to secure data in transit (insecure protocols)
  Regulatory Compliance issues
  A combination of the above
  Other (please specify)

8. How many successful or attempted data breaches of ANY type did your organization experience over the last 12 months?
  One
  Two to four
  Five to seven
  Eight to 10
  10 to 20
  >20
  Unsure
  Not applicable; we had no confirmed data breaches

9. What was the Mean Time to Detection (MTTD) from the time the data breach began until your org's Security/IT Pros or Third Party detected/isolated/shut down or thwarted the attack?
  Immediately
  When we received a Ransomware demand
  Within the first five to 30 minutes
  Within the first 31 to 60 minutes
  Within the first one to two hours
  Approximately half a day (up to 12 hours)
  Within 24 hours
  Within two to four days
  One to three weeks
  One to two months (30 to 60 days)
  Two to three months (61 to 90 days)
  Three to four months (91 to 120 days)
  Four to six months (121 to 180 days)
  Over six months (>181 days)
  Unsure
  It was discovered by Third Party Security service providers during vulnerability testing
  Our org didn't discover it; law enforcement or Federal Agencies alerted us
  Other (please specify)

10. Rate the level or severity of the data breach
  No impact: we detected and thwarted the attempt before any damage occurred
  Very minor: no damage; no lost/stolen/destroyed/changed data, just a minimal productivity blip
  Minor: operational disruption of up to 15 minutes; no other impact
  Moderate impact on operations: productivity disrupted for one to two hours; some data/privacy was compromised; remediation required by security and IT Administrators
  Severe data privacy breach: internal system downtime; corporate/customer data stolen/compromised/changed/locked/held for ransom or destroyed. Remediation required by company security and IT administrators and external third party providers
  Catastrophic data breach: operations disrupted for up to several days; lost/stolen/destroyed/damaged/locked data. Extensive remediation required by company security and IT administrators, external third party providers and law enforcement intervention
  Not applicable; we have not had a successful data breach
  Other (please specify)

11. If your organization experienced a successful data breach within the last 12 months, did it include data losses that negatively impacted business operations or caused financial losses to your business, customers, partners or suppliers?
  Yes
  No
  Unsure
  Not applicable; we have not experienced a successful data breach
  Other (please specify)

12. If your organization suffered losses as a result of a successful data breach, describe the types of losses. (Select ALL that apply)
  Lost data
  Stolen data
  Damaged data
  Changed data
  Destroyed data
  Financial
  External customer, business partner & supplier data was exposed/compromised
  Unsure
  Not applicable; we did not experience data losses
  Other (please specify)

13. In 2020 and beyond, which issues pose major threats to your organization's security and data assets? (Select ALL that apply)
  External breach by organized hackers
  Internal breach by company insiders
  Threats from disgruntled ex-employees
  Corporate security is outdated & inadequate to cope with the current and evolving threat landscape
  Corporate unpreparedness and inability to identify, isolate and quickly shut down data breaches
  Lack of security awareness training for IT staff and end users
  End user carelessness; failure to update & install security on their BYOD and mobile devices
  Email Phishing scams
  Ransomware
  CEO fraud
  Spyware
  Network Edge attacks
  Corporate espionage
  Physical attacks on unsecured data center, servers/devices
  Open ports on forgotten, misconfigured servers
  Software bugs and exploits
  There are too many security issues to track
  Management does not take security threats seriously; it's not a priority in our organization
  Lack of funds/budget for security products & vulnerability testing
  All of the above
  Other (please specify)

14. Ransomware attacks are on the rise. Has your organization had one or more machines with criminally-encrypted files within the last 12 months?
  Yes
  No
  Unsure

15. If your org experienced a Ransomware demand/attack, how did it respond and what was the outcome?
  We did not pay the ransom. It was a bluff; everything was fine
  We did not pay the ransom; our security and IT teams restored access ourselves
  We paid the ransom after we were unable to access data and operations were disrupted. The hackers gave us a decryption key which restored data access
  We paid the ransom but the hackers did not provide us with a decryption key or the key did not work
  We have not experienced a ransomware attack/demand
  Other (please specify)

16. If your org paid a ransom to have data access and operations restored, how much did it pay?
  Up to $1,000
  $1,001 to $5,000
  $5,001 to $10,000
  $10,001 to $25,000
  $25,001 to $50,000
  $50,001 to $100,000
  $100,001 to $250,000
  $250,001 to $500,000
  $500,001 to $1,000,000
  $1,000,001 to $3,000,000
  $3,000,001 to $5,000,000
  $5,000,001 to $10,000,000
  >$10,000,000
  Unsure
  Not applicable; we did not pay a ransom

17. Estimate the amount of security-related monetary losses your organization sustained collectively from ALL data breaches, hacks, Phishing scams, Ransomware attacks, lost/stolen devices and other security incidents within the last 12 months
  Up to $1,000
  $1,001 to $5,000
  $5,001 to $10,000
  $10,001 to $25,000
  $25,001 to $50,000
  $50,001 to $100,000
  $100,001 to $250,000
  $250,001 to $500,000
  $500,001 to $1,000,000
  $1,000,001 to $3,000,000
  $3,000,001 to $5,000,000
  $5,000,001 to $10,000,000
  >$10,000,000
  Unsure
  We have not experienced any security-related monetary losses
  We don't keep track

18. Have you received a payment from your Cyber Security Insurance Policy this year as part of a data breach and/or ransomware attack that you reported? If Yes, what was the amount?
  Up to $1,000
  $1,001 to $5,000
  $5,001 to $10,000
  $10,001 to $25,000
  $25,001 to $50,000
  $50,001 to $100,000
  $100,001 to $250,000
  $250,001 to $500,000
  $500,001 to $1,000,000
  $1,000,001 to $3,000,000
  $3,000,001 to $5,000,000
  $5,000,001 to $10,000,000
  >$10,000,000
  Our organization has not filed any security-related insurance claims
  Unsure
  We're still negotiating with our insurance company for payment
  Our insurance company refused to pay out

19. Is your organization more/less prepared to identify and respond to the various data breach threats than it was 12 to 18 months ago?
  Much more prepared and proactive
  Somewhat more prepared, but we need to do more
  No change; we're adequately prepared to deal with data breaches
  Somewhat less prepared; we're more reactive than proactive
  Much less prepared
  We're overwhelmed; we lack the budget/resources to keep up with security threats
  We're totally unprepared; we have no plan in place to respond to a security hack
  Unsure

20. Does your organization have a security awareness training program?
  Yes
  No
  Not at this time; we plan to implement one within six to 12 months
  We're considering it; no decision made

21. How much time do administrators devote to managing your security awareness training programs during the year?
  Two to four days
  One week
  Two weeks
  No specific amount of time
  Ad hoc
  As needed
  Other (please specify)

22. What is the total amount of time allotted for security awareness training for each employee per year?
  Up to 30 minutes
  One hour
  One to two hours
  Two to four hours
  > Four hours
  No specific time allotted
  Not applicable; we don't provide our employees with security awareness training

23. Estimate how much your organization's Security Awareness Training program has reduced your end-user malicious email click-through rate over the past 12 months.
  From 100% down to 80%
  From 79% down to 61%
  From 60% down to 41%
  From 40% down to 21%
  From 20% down to 11%
  From 10% down to 6%
  From 5% to 1%
  Unsure
  Not applicable; we don't have a security awareness training program
  Other (please specify)

24. ESSAY QUESTION: What is your organization's view of the current and evolving threat landscape? What security measures are most effective in safeguarding the network and data assets from Cyber-heists, Phishing scams, Ransomware and targeted hack attacks?
  NOTE: Please leave your Email along with a comment to be eligible to win the $100 Amazon Gift certificate