Global Survey: Cyber Security Awareness Rises, Yet Bad Habits Persist

While 82 Percent of Respondents Believe the IT Security Industry Is Making Progress Against Cyber Attacks, Gains Are Undercut by Failure to Enforce Best Practices in Critical Areas

Newton, Mass. and Petach Tikva, Israel – September 21, 2016 – While 82 percent of respondents believe the IT security industry is making progress against cyber attacks, those gains are undercut by egregious security practices in critical areas such as privileged account security, third-party vendor access and cloud, according to results from a new global survey commissioned and released by CyberArk (NASDAQ: CYBR).

The 10th annual CyberArk Global Advanced Threat Landscape Survey 2016, themed “Cyber Security: Past, Present & Future,” examines whether global enterprises are learning and applying lessons from high-profile cyber attacks, and how security priorities and business decision-making are being influenced.

Cyber Lip Service? Bad Security Habits Persist, Despite Rising Awareness
Headline-making cyber attacks have driven significant increases in cyber security awareness. However, the failure to turn increased awareness into the enforcement of security best practices undermines progress for organizations’ cyber security efforts.

  • Seventy-nine (79) percent state their organization has learned lessons from major cyber attacks and has taken appropriate action to improve security.
    • Sixty-seven (67) percent now believe their CEO/board of directors provide sound cyber security leadership (up from 57 percent in 2015).
    • The top actions taken because of this awareness are deployment of malware detection (25 percent), endpoint security (24 percent) and security analytics (16 percent).
  • Fifty-five (55) percent of respondents state their organization has changed or evolved processes for managing privileged accounts.
    • Despite this, 40 percent of organizations still store privileged and admin passwords in a Word document or spreadsheet, while 28 percent use a shared server or USB stick.
  • Nearly half of organizations (49 percent) allow third-party vendors (such as supply chain and IT management firms) remote access to their internal networks.
    • While the majority of respondents secure and monitor that access, the public sector has the least third-party vendor access controls in place compared to other industries, with 21 percent not securing and 33 percent not monitoring that activity.

A Cyber State-of-Mind: Striking a Balance Between Fear and Overconfidence
Organizations are increasingly adopting a post-breach mindset, preparing to deal with ongoing cyber attacks and activity in the case of a breach. This preparedness is leading to positive steps in post-breach planning, but concerns exist about how overconfidence may affect the ability to protect against cyber attacks.

  • Three out of four IT decision makers now believe they can prevent attackers from breaking into their internal network – up from 44 percent in 2015.
    • Despite this, 36 percent believe a cyber attacker is currently on their network, or has been in the last 12 months.
    • Forty-six (46) percent believe their organization was a victim of a ransomware attack in the past two years.
  • Eighty-two (82) percent of respondents believe the security industry in general is making progress against cyber attacks.
    • Seventeen (17) percent believe the industry is falling further behind.
  • Nearly every organization (95 percent) has a cybersecurity emergency response plan.
    • This preparedness is undermined by a lack of communication and testing – only 45 percent communicate and regularly test their plan with all IT staff.
  • Sixty-eight (68) percent of organizations cite losing customer data as one of their biggest concerns following a cyber attack.
    • Sixty (60) percent of those who use the cloud store customer data in it.
    • Fifty-seven (57) percent who store information in the cloud are not completely confident in their cloud provider’s ability to protect their data.
  • When identifying the most difficult stage of a cyber attack to mitigate, malware installation ranked first (41 percent), followed by privileged account takeover (25 percent).

On the Radar: Future Risks Emerge
As cyber attacks continue on trusted institutions such as government, utilities and financial systems, respondents identify what types of cyber attacks or tactics are most concerning. Respondents also share which cyber attack scenarios they think represent the most immediate and potentially catastrophic threat in general.

  • Respondents list the following types of cyber attacks or tactics as the top-ranked concern in the next 12 months: Distributed denial-of-service (DDoS) attacks (19 percent), phishing (14 percent), ransomware (13 percent), privileged account exploitation (12 percent) and perimeter breaches (12 percent).
  • Attacks on financial systems, including disruption of global markets (58 percent) is the most potentially catastrophic threat perceived by respondents, followed by attacks causing massive utilities damage (55 percent) and those impacting civil services such as healthcare and hospital services (51 percent).

The Impact of a Breach on Customer Data and Corporate Accountability
The survey found a varied global picture in terms of preparedness for increased regulatory oversight and the impact on cyber security programs and accountability.

  • While 70 percent of global respondents agree that the threat of legal action and fines influence the level of executive/board involvement in security-related decisions, 22 percent of the respondents do not incorporate compliance fines or legal fees (19 percent) into the cost of a breach.
  • Nearly seven in ten (69 percent) respondents state that, in response to a breach or cyber attack, stopping the breach/removing the attackers is among their top priorities, followed by detecting the source of the breach (53 percent).
    • Far fewer respondents prioritize notifying the CEO/board (26 percent), entire staff/workforce (25 percent) or customers (18 percent).

“The findings of this year’s Global Advanced Threat Landscape Survey demonstrate that cyber security awareness doesn’t always equate to being secure. Organizations undermine their own efforts by failing to enforce well-known security best practices around potential vulnerabilities associated with privileged accounts, third-party vendor access and data stored in the cloud,” said John Worrall, CMO, CyberArk. “There’s a fine line between preparedness and overconfidence. The majority of cyber attacks are a result of poor security hygiene – organizations can’t lose sight of the broader security picture while trying to secure against the threat du jour.”

Download the Report
To download the full CyberArk Global Advanced Threat Landscape Survey 2016, visit

About the Research
CyberArk commissioned independent research firm Vanson Bourne to conduct surveys with 750 IT and IT security decision makers from around the world, including C-level executives, directors and department heads among enterprise organizations. Respondents represent a range of public and private organizations across multiple vertical industries from the United States, Europe (France, Germany, United Kingdom), Israel and Asia Pacific (Australia, New Zealand, Singapore).

About CyberArk
CyberArk is the only security company focused on eliminating the most advanced cyber threats; those that use insider privileges to attack the heart of the enterprise. Dedicated to stopping attacks before they stop business, CyberArk proactively secures against cyber threats before attacks can escalate and do irreparable damage. The company is trusted by the world’s leading companies – including 45 percent of the Fortune 100 – to protect their highest value information assets, infrastructure and applications. A global company, CyberArk is headquartered in Petach Tikvah, Israel, with U.S. headquarters located in Newton, Mass. The company also has offices throughout EMEA and Asia Pacific and Japan. To learn more about CyberArk, visit, read the company blog,, follow on Twitter @CyberArk or Facebook at

Future Looking Statements
This release may contain forward-looking statements, which express the current beliefs and expectations of CyberArk’s management. Such statements involve a number of known and unknown risks and uncertainties that could cause the Company’s future results, performance or achievements to differ significantly from the results, performance or achievements expressed or implied by such forward-looking statements. Important factors that could cause or contribute to such differences include risks relating to: changes in the new and rapidly evolving cyber threat landscape; failure to effectively manage growth; fluctuations in quarterly results of operations; real or perceived shortcomings, defects or vulnerabilities in the Company’s solution or the failure of the solution to meet customers’ needs; the inability to acquire new customers or sell additional products and services to existing customers; competition from IT security vendors and other factors discussed under the heading “Risk Factors” in the Company’s most recent annual report on Form 20-F filed with the Securities and Exchange Commission. Forward-looking statements in this release are made pursuant to the safe harbor provisions contained in the Private Securities Litigation Reform Act of 1995. These forward-looking statements are made only as of the date hereof, and the Company undertakes no obligation to update or revise the forward-looking statements, whether as a result of new information, future events or otherwise.