Cybersecurity Survey 2019

Welcome to the TEST Magazine Cybersecurity Survey 2019!

The aim of this anonymous survey is to gauge the state of our readership's Cybersecurity experiences; software testing & development, preparedness, training, products and issues.

NB: If you fill in the email field you will be entered into a prizedraw to win a pair of tickets to both days of
The National Software Testing Conference, 21st-22nd May
- worth £1470 !!!

Question Title

1. Full Name: (optional)

Question Title

2. Company: (optional)

Question Title

3. Email address: (optional)

Question Title

4. Contact number: (optional)

BUSINESS INFO

Question Title

5. How would you describe you or your company / organisation's status?

Non-commercial end user of software

Commercial end user of software

Commercial vendor/developer of software

Non-commercial developer of software (in-house dev)

Other (please specify):

Question Title

6. In what sector is your company or organisation's main business activity?

Agriculture

Banking

Consultancy and professional services

Distribution

Education

Government

Health

Insurance

Manufacturing

Media

Other financial services

Pharmaceutical

Property and construction

Retail

Travel, leisure and entertainment

Technology

Telecommunications

Utilities, energy and mining

Other

Question Title

7. How many staff does your company or organisation employ?

Less than 10 employees

10 - 50

50 - 100

100 - 250

250 - 500

500+ employees

EXPERIENCES & OPINIONS

Question Title

8. Has your company or organisation had any form of security breach in the last year?

Yes

Question Title

9. Have you seen an increase in the number of attacks/incidents over the past 5 years?

Yes

Question Title

10. Based on previous years' incidents, do you feel your company would be adequately equipped to handle a surge in cyber security threats this year?

Yes

Question Title

11. To the best of your knowledge, how many incidents did your company or organisation have in the last year?

	< 10	10-25	25-50	50-75	75-100	100 <
Infection by viruses or malicious software	Infection by viruses or malicious software < 10	Infection by viruses or malicious software 10-25	Infection by viruses or malicious software 25-50	Infection by viruses or malicious software 50-75	Infection by viruses or malicious software 75-100	Infection by viruses or malicious software 100 <
Customer impersonated fraudulently (e.g. identity theft)	Customer impersonated fraudulently (e.g. identity theft) < 10	Customer impersonated fraudulently (e.g. identity theft) 10-25	Customer impersonated fraudulently (e.g. identity theft) 25-50	Customer impersonated fraudulently (e.g. identity theft) 50-75	Customer impersonated fraudulently (e.g. identity theft) 75-100	Customer impersonated fraudulently (e.g. identity theft) 100 <
Organisation impersonated via Internet (e.g. phishing attack)	Organisation impersonated via Internet (e.g. phishing attack) < 10	Organisation impersonated via Internet (e.g. phishing attack) 10-25	Organisation impersonated via Internet (e.g. phishing attack) 25-50	Organisation impersonated via Internet (e.g. phishing attack) 50-75	Organisation impersonated via Internet (e.g. phishing attack) 75-100	Organisation impersonated via Internet (e.g. phishing attack) 100 <
Attack on Internet or telecommunications traffic	Attack on Internet or telecommunications traffic < 10	Attack on Internet or telecommunications traffic 10-25	Attack on Internet or telecommunications traffic 25-50	Attack on Internet or telecommunications traffic 50-75	Attack on Internet or telecommunications traffic 75-100	Attack on Internet or telecommunications traffic 100 <
Denial of service attack	Denial of service attack < 10	Denial of service attack 10-25	Denial of service attack 25-50	Denial of service attack 50-75	Denial of service attack 75-100	Denial of service attack 100 <
Actual penetration into the organisation’s network	Actual penetration into the organisation’s network < 10	Actual penetration into the organisation’s network 10-25	Actual penetration into the organisation’s network 25-50	Actual penetration into the organisation’s network 50-75	Actual penetration into the organisation’s network 75-100	Actual penetration into the organisation’s network 100 <
Incidents caused by staff	Incidents caused by staff < 10	Incidents caused by staff 10-25	Incidents caused by staff 25-50	Incidents caused by staff 50-75	Incidents caused by staff 75-100	Incidents caused by staff 100 <

Question Title

12. What was the worst single incident suffered by your company or organisation?

Infection by viruses or malicious software

Customer impersonated fraudulently (e.g. identity theft)

Organisation impersonated via Internet (e.g. phishing attack)

Attack on Internet or telecommunications traffic

Denial of service attack

Actual penetration into the organisation's network

Incidents caused by staff

Other (please specify):

Question Title

13. What was the cause of the incident?

Question Title

14. Have any company issued Smartphones or Tablets been the victim of a cyber security breach/attack?

Yes - what happened?

Question Title

15. Has your company or organisation had a security or data breach relating to one of their cloud computing services?

Yes - what happened?

Question Title

16. Does your company of organisation have have a formal cybersecurity risk assessment process? If so, how often is this updated or carried out?

Every day

1 - 2 a week

1 - 2 a month

Every 3 months

Once a year

Before every release to production

Other (please specify)

Question Title

17. How large is the cybersecurity team in your organisation?

1 person

< 10

10 - 20

20 - 30

30 - 40

40 - 50

50+

Question Title

18. To the best of your knowledge, approximately what percentage of the company budget is spent on cybersecurity ?

< 10%

20%

30%

40%

50% <

< 10%

20%

30%

40%

50% <

Question Title

19. In your opinion where is most of your company or organisation's cybersecurity time spent?

	< 10%	20%	30%	40%	50%	60%	70%	80%	90%	100%
Evaluation & tool selection	Evaluation & tool selection < 10%	Evaluation & tool selection 20%	Evaluation & tool selection 30%	Evaluation & tool selection 40%	Evaluation & tool selection 50%	Evaluation & tool selection 60%	Evaluation & tool selection 70%	Evaluation & tool selection 80%	Evaluation & tool selection 90%	Evaluation & tool selection 100%
Updates	Updates < 10%	Updates 20%	Updates 30%	Updates 40%	Updates 50%	Updates 60%	Updates 70%	Updates 80%	Updates 90%	Updates 100%
Implementation	Implementation < 10%	Implementation 20%	Implementation 30%	Implementation 40%	Implementation 50%	Implementation 60%	Implementation 70%	Implementation 80%	Implementation 90%	Implementation 100%
Maintenance & compliance	Maintenance & compliance < 10%	Maintenance & compliance 20%	Maintenance & compliance 30%	Maintenance & compliance 40%	Maintenance & compliance 50%	Maintenance & compliance 60%	Maintenance & compliance 70%	Maintenance & compliance 80%	Maintenance & compliance 90%	Maintenance & compliance 100%

Question Title

20. Does your company have a formal process in place for reporting security breaches?

Yes

Question Title

21. Do you feel your company or organisation is transparent enough to stakeholders , consumers and regulators regarding security threats?

Question Title

22. In which area do you feel your company or organisation's vulnerabilities mostly lie?

Staff & personnel

Web servers

DNS servers

Mail servers

Cloud infrastructure

Cloud services

Internal admin processes

Other (please specify):

STAFF ACCESS & TRAINING

Question Title

23. Does your company provide employees access to any of the following?

Software hosting & collaborating tools such as Github, GitLab and Bitbucket

Company email and calendar

CI/CD access such as Jenkins, Circle CI and Travis

Company messaging systems such as Slack or Skype

Cloud services such as AWS and Google Cloud

Software licences – JetBrains IDEs, Applitools, learning platforms

Exclusive perks and discounts via 'perks companies' e.g Perk Box, Perks at Work

Project tracking software/tools such as Jira, Asana and Trello

Staff Intranet and/or business social platforms e.g WorkPlace by Facebook

Company mobile apps

Remote working access / VPN access

Question Title

24. If you have answered 'yes' to at least two of the above:

Who grants this access?

Is the employee ever allowed to use their personal email for any of these services?

How does your company or organisation ensure all access is revoked once an employee/contractor has left?

Has failure to do so ever caused issues?

Question Title

25. Is 2FA (2 factor authentication) a mandatory requirement in your organisation?

Yes

If 'no' – is it being phased in?

Question Title

26. In your company or organisation who is mostly responsible for the deployment of cybersecurity measures?

IT teams

External vendors

Specialist security team

Other (please specify):

Question Title

27. Who is mostly responsible for the training of non-technical staff?

IT teams

External vendors

Specialist security team

Other (please specify):

Question Title

28. What training is provided in your organisation to improve cybersecurity?

TOOLS & TESTING

Question Title

29. Which tools does you your company or organisation use for security testing?

Acunetix

Netsparker

Charles

Retina

Cain & Abel

Wireshark

Nmap

Aircrack-ng

Wifiphisher

Burp Suite

OWASP ZAP

SQLmap

CME (CrackMapExec)

Impacket

PowerSploit

Luckystrike

Nessus

BeEF (Browser Exploitation Framework)

THC-Hydra

Immunity Inc. – Debugger

Social Engineer Toolkit (SET)

Metasploit

SecLists

Zed Attack Proxy

ZMap

SOAtest

Jtest

AddressSanitizer

Wapiti

Vega

W3af

Skipfish

Ratproxy

Wfuzz

Grendel Scan

Arachni

Grabber

Other (please specify):

Question Title

30. Why are these tools chosen in particular?

Question Title

31. What methodologies do you use for security testing your products/services?

OWASP

ISSAF

NIST 800-115

OSSTMM

PTES

PCI DSS

Other (please specify):

Question Title

32. Does your company or organisation use third parties to conduct security assessments on your products/systems?

Yes

Question Title

33. Who performs your security testing?

In-house testers

Product security teams

In-house network specialists

In house cyber security teams

External security consultants/vendors

Other (please specify):

Question Title

34. Do you have security teams that attack your products/systems prior to release? (Red Teams/Blue Teams)

Yes

Other (please specify):

Question Title

35. Has your company or organisation ever hired ethical hackers to pentest your network and/or outer networks?

Yes

Other (please specify):

Question Title

36. If so, did this deliver measurable improvements/benefits to your cybersecurity programme?

Yes - please say why:

Question Title

37. Has your company or organisation ever undertaken cybersecurity testing targeted at staff (sending emails, java applets, etc.) rather than systems?

Yes

Other (please specify):

Question Title

38. Do you have a dedicated team to assess and respond to security vulnerabilities reported in your products, services or business?

Yes

Other (please specify):

Question Title

39. Does your company or organisation have an out-of-hours process to deal with incidents (i.e. Ops Cops, on-call rotas)?

Yes

Other (please specify):

Question Title

40. Do you use automated tools for security testing or code review – if so, which ones?

Question Title

41. What cloud security certifications do you or your organisation's teams hold?

CompTIA Cloud+

(ISC)² CCSP

Microsoft MCSA: Cloud Platform

Microsoft MCSE: Cloud Platform and Infrastructure

Microsoft MCSA: Linux on Azure

AWS Certified Solutions Architect – Associate

AWS Certified Solutions Architect – Professional

Google Professional Cloud Architect

Cisco CCNA Cloud

Cisco CCNP Cloud

SANS SEC545

CCSK

Other (please specify):

Question Title

42. Has your company or organisation incorporated any of the following into its cybersecurity program?

Artificial Intelligence

Blockchain

Test Automation

Automated Build and Deploy systems (CI/CD)

Other (please specify):

Question Title

43. Has your company or organisation used blockchain security-based platforms as part of product development to strengthen security encryption?

Yes

Question Title

44. If yes, which one(s)?

Question Title

45. If no, are they planning on implementing blockchain security-based platforms in the future?

Yes

Question Title

46. Does your company or organisation use any Identity Management tools (i.e. OKTA , auth0 , ForgeRock identity) as a barrier to entry for any tools or services?

Yes

Other (please specify):

Question Title

47. If yes, which one(s)?

Question Title

48. What percentage of your software development and testing team is focused on security?

< 10%

10-25%

25-50%

50-75%

75-100%

100%

< 10%

10-25%

25-50%

50-75%

75-100%

100%

Question Title

49. How effective is your organisation's process for using intelligence from internal sources (such as configuration log activities) to predict malicious activities?

1 - very ineffective

10 - very effective

1 - very ineffective

10 - very effective

Question Title

50. How effective is your organisation's process for using intelligence from external sources (such as vendor-supplied threat feeds) to predict malicious activities?

1 - very ineffective

10 - very effective

1 - very ineffective

10 - very effective

Question Title

51. Does your company or organisation use open source / community based testing, such as GitHub?

Yes - which ones?

DevOps / SDLC

Question Title

52. At which stage do you usually review / begin to build-in security in the software development lifecycle?

Planning & requirements

Design

Coding

Testing

Throughout all stages

Question Title

53. Do you feel that regularly deploying and changing software in a DevOps environment affects your cybersecurity?

Yes - please say why:

Question Title

54. Do you feel that development, test and production environments are adequately separated in your organisation?

Yes - please say why:

Question Title

55. Are your security and engineering functions integrated, or are you planning to integrate them?

Yes - please say why: