What keeps your CEO up at night?

Copyright Quocirca 2014

Bob Tarzey
Quocirca Ltd
Tel : +447900275517
Email: bob.tarzey@quocirca.com

Bernt stergaard
Quocirca Ltd
Tel: +4545505183
Email: bernt.ostergaard@quocirca.com

What keeps your CEO up at night?
The insider threat: solved with DRM
June 2014

Organizations are becoming more and more aware of the problems posed by their own
users. To address this, they are looking for security technologies that can provide
pervasive protection of data, so that breaches do not occur as a result of the careless or
malicious activities of insiders. Most need to do this for a broad base of users that
includes both employees and external users, who need to safely share data to drive
business processes as they go about their legitimate day-to-day tasks.

This report looks at the extent of the challenges faced by organizations when it comes
to the insider threat and the protection of sensitive information. It examines the
shortfalls of the security technologies many organizations already have in place for
mitigating the risk of data breaches, which are not fully effective when it comes to
addressing the insider threat. It finishes by looking at some of the misconceptions
about digital rights management (DRM) and makes the case that this is one of the best
security technologies to provide the pervasive protection required against insider
threats.
What keeps your CEO up at night?




Quocirca 2014 - 2 -
What keeps your CEO up at night?
The insider threat: solved with DRM?
EXECUTIVE SUMMARY: The insider threat, the problem of legitimate users accidentally or intentionally leaking
confidential data, is one that many organizations have been complacent about to date. However, awareness is
increasing about the threat itself and the shortcomings of traditional security tools for mitigating the insider
threat. This has led to an increasing interest in digital rights management (DRM), a technology that protects the
data itself.

The insider threat is
rising up the list of IT
security threats
There is a wide range of issues to worry IT and business managers when it comes to IT
security. In the past, much of the focus has been on threats that come from outside the
business, such as malware and hackers. However, more and more data leaks are shown to be
attributable to legitimate users and the focus is switching to mitigating the insider threat.
Some insiders are just
careless, others are
malicious
The majority of insider incidents are accidental; emails sent to the wrong recipient or lost
devices. While such incidents will never go away, organizations can work with users to
improve behavior. More insidious is the intentional theft of data, most commonly by users
moving from one employer to another, or for financial gain, espionage or just because they
bear a grudge.
There is a fundamental
need for the broad
sharing of data
More and more business processes rely on the sharing of data, not just between employees
but also with users from customers and business partners. Controlling the sharing of data is
compounded by the range of online tools users can access including email, social media and
cloud storage services. The line between legitimate users and outsiders can become blurred
without sufficient controls.
Traditional security
measures do not fully
address the insider
threat
Organizations are reliant on their existing security technologies to counter various risks,
including firewalls, data loss prevention (DLP) and identity and access management (IAM).
Along with written policy and user training, some have a role to play in mitigating the insider
threat, in particular IAM. However, with many different systems in use there are bound to be
gaps and none of these systems are designed to protect the data itself from insider threat.
One technology that is focused on protecting actual data is digital rights management (DRM).
DRM is not as widely
used as other security
technologies
There are two reasons why DRM is not currently as widely adopted as other security
technologies. First, one of the key strengths of DRM is its power to mitigate insider threats, a
risk area that many organizations have been complacent about. Second, there are a number
of misconceptions about what can be achieved with DRM, including scalability and its
acceptability to users. These concerns can be overcome with a state-of-the-art DRM
deployment.
DRM provides key
features that better
protect against insider
threats
With a DRM system all documents are classified from the moment of creation and monitored
throughout their life cycle. Policy is controlled via an online server, which is referred to each
time a sensitive document is accessed and an audit trail of who has done what to a
document, and when, is collected and managed.


Conclusion:
More so than conventional security solutions, DRM is perhaps the most well suited technology for mitigating the
insider threat and for ensuring IT and business managers can get a better nights sleep.






What keeps your CEO up at night?




Quocirca 2014 - 3 -
Why insider threats are an increasing concern
Businesses have a wide range of issues to worry about when
it comes to IT security; malware, data protection and hackers
all come near the top of the list of perceived concerns, as
research published by IS Decisions in 2013
1
shows

(Figure 1).
Many of these threats, and therefore the defenses put in
place, are focused on stopping illegitimate outsiders getting
access to internal systems and the sensitive information they
store and process. However, creeping up the list of problems
keeping CEOs awake at night, with regard to IT, is one that is
already within every organization the insider threat: the
way legitimate users abuse their access rights.

There are good reasons for this. SafeNets Breach Level
Index
2
measures actual incidents rather than perceptions. It
reports that of the publicly disclosed breaches in Q1 2014,
58% could be attributed to malicious outsiders, 13%
malicious insiders and 26.5% were accidental losses, which
are also attributable to insiders (for example sending emails
to the wrong people and losing devices). That adds up to
almost 40% being down to insiders. Even such empirical data
cannot be absolute; not all breaches are reported and many,
especially those involving insiders, may go unnoticed or take
a long time be discovered (Figure 2). Furthermore, regardless
of the number of incidents, SafeNets report claims that
insiders account for more than half of the actual information
lost.

That the careless use of data should be a concern is also
reported in the IS Decisions report
1
; when it comes to
insiders, ignorant users are shown to be most worrying
perceived threat (Figure 3). Careless employees are clearly a
problem, but they can be admonished and attempts can be
made to modify their behavior through training. Many
organizations are also putting in place technology to enforce
controls with regard to what the user can do with their
access rights to reduce the number of careless instances.
Users should accept such safeguards if they understand they
are there to help prevent bad practice.

The malicious insider is another matter. When a user does
turn against their employer they often know exactly what
content is worth stealing and will attempt to work around
security controls. There are a number of reasons for the
malicious theft of data by insiders. One of the most common
is that they believe data will be valuable to them in a new
job. According to Verizons Data Breach Investigations
Report
3
, 70% of the thefts of intellectual property, most
commonly of customer and financial data, are committed
within thirty days of an employee resigning from their job.
Other motives include financial gain, industrial espionage
and simply bearing a grudge.

What keeps your CEO up at night?




Quocirca 2014 - 4 -
Even after a user has gone, problems can persist; many cases of theft involve ex-employees who have insider
knowledge and, in some cases, have been able to retain access credentials. Recent research published by Lieberman
Software shows that 1 in 8 IT security professionals could still access a previous employers systems using old
credentials
4
.

The insider threat is also compounded by the fundamental need to share data. No organization exists in isolation; all
must interact with the outside world. This is exacerbated by the growing number of channels via which documents
can be shared. Such sharing, while essential for driving businesses processes, increases the possibility that
information will be misused and sometimes will inevitably end up in the wrong hands.

Many of these channels are available as cloud-based services, making it easy for them to be invoked directly by
users. Email is still the most common online activity and, according to Verizon
3
, is the most common method for
employees to steal documents. Many will know, to their cost, that it is all too easy to accidentally forward
confidential files to the wrong recipients. There is a growing new danger as users share content via various social
media sites.

Another big problem area is the use of online document storage services. Strategy Analytics
5
lists the top four,
amongst a large number of options, as Apple iCloud/iTunes (27%), Dropbox (17%), Amazon Cloud Drive (15%) and
Google Drive (10%). The attraction to users is to be able to backup data and access it from any device. The danger
for businesses is that confidential data gets caught up in the mix and ends up in public stores or on unmanaged user
devices.

Copying to USB devices and printing are two other potential problems and both ones that users could carry out
while a device is offline in an attempt to conceal their actions. Verizon
3
reports that USB devices account for 6% of
insider thefts and that 26% is via print.

This need to share data, often with individuals that are not employed by the organization that owns the data in the
first place, makes drawing a line between insiders and outsiders tricky. Research from Vormetric
6
shows the extent
of this (Figure 4). This, taken with the reality that any
user can be anywhere, often using their own devices,
means there is a need to take a broad view of the term
insider. One way to look at it is that an insider is
anyone who has been given some level of legitimate
access to information, as opposed to the outsider who
has sought illegitimate access. That said, one of the
problems with outsiders is that they often pose as
insiders through the theft of identities.

All of these security issues must be mitigated by the
security technology an organization has in place to
protect itself. However, many traditional security
tools have shortfalls when it comes to protecting
against the insider threat.


What keeps your CEO up at night?




Quocirca 2014 - 5 -
The limitations of traditional IT security for protecting
against the insider threat
Mitigating the insider threat requires that data is protected at all times
when it is stored, when it is in use and when it is being moved and
shared across networks. All the various technologies that organizations
deploy to secure their information have a role to play in protecting
against the insider threat; however, each also has weaknesses and/or
limitations. Furthermore, the very number of them may provide a false
sense of security and lead to gaps being left in the protection that is in
place. The Ponemon Institute reports that only about 20% of
organizations say they are confident that cybersecurity threats do not
sometimes fall through the cracks of existing security systems
7
.

Network edge security
Firewalls and intrusion detection/prevention systems (IDS/IPS) define
the limits of a given set of IT resources; they are all about keeping
unauthorized outsiders out. As such, these technologies are of little help
when it comes to mitigating the insider threat. Many consider that, in
the age of mobile users and cloud computing, such network edge
technologies have little to offer and that a new IT perimeter needs
defining.

Identity and access management (IAM) and user authentication
Many believe the new perimeter lies with the users wherever they
happen to be Identity is the new perimeter, as a 2012 Quocirca report
asserts
9
. IAM does nothing to directly protect data from misuse, but it
does have a key role to play when it comes to distinguishing insiders
from outsiders and ensuring users are who they say they are. Before user
actions can be judged it must be clear who they are and what access
rights and privileges they have. Verizon
3
calculates that 88% of insider
incidents rely on higher than usual privilege. IAM also allows an
organization to react to the changing status of users, removing access
rights rapidly and comprehensively.

The theft of such credentials is a common way for outsiders to gain
access to an organizations IT systems. This is best mitigated though the
use of strong authentication, which is also essential for maintaining
veracious audit trails. Strong authentication also prevents bad practices
such as the sharing of identities. Malicious insiders often use someone
elses credentials to cover their tracks. CIA employee Edward Snowden
simply asked colleagues for their passwords in order to get access to
some of the information he disclosed in the widely publicized leakages
attributed to him during 2013.

System level security
Host-based security applied to servers and user devices controls activity
on a given virtual or physical device. Whether it is to control access to
files, detecting malware or preventing certain applications from running,
end points are safer with system level security than without it. However,
once information leaves a given end point the local security controls
cease to apply.

Malicious theft from airline
A case cited in a paper titled Security
beyond the firewall
8
highlights the
danger of not fully depriving former
employees of access to IT systems. A
senior employee left Air Canada and
joined a competitor. Using continued
extranet access, the employee colluded
with his new employer to steal
documents regarding route plans, ticket
costs etc. estimated to be worth US
$220K. The theft was carried out via
250,000 network entries; anomalous
behavior that was not detected to
access documents with insufficient
protection.
Employee emails personal data to
wrong recipient
Who has not sent an email to the wrong
person? In December 2013 an
undisclosed number of customer names,
social security numbers, addresses,
dates of birth and group retirement plan
names was accidentally emailed to
wrong recipient by an employee at the
Massachusetts Mutual Life Insurance
Company (MassMutual). In this case the
user was doing their job; the system
allowed them to mishandle regulated
data, it should not have done (source
http://datalossdb.org/)
Employee loses tax files copied to CD
In a high profile case a few years ago, an
employee of the UKs tax office, the
HMRC (Her Majestys Revenue and
Customs) downloaded the private
details of 25 million families to a file and
copied them to a CD that was then lost
in the mail. There was no malicious
intent; just a legitimate need to share
data. Due to a lack of DRM, the user was
allowed to manipulate data and files in a
highly insecure way. The loss made
headline news in the UK causing
embarrassment to the government and
concern among taxpayers.
What keeps your CEO up at night?




Quocirca 2014 - 6 -
System level security cannot effectively address the insider threat because the very nature of the problem is the
movement of valuable data assets from one device to another, within or beyond a given organizations
infrastructure. Protection needs to be data-centric rather than system-centric to effectively address the insider
threat.

Network traffic inspection and data loss prevention (DLP)
Network traffic inspection checks on data in transit, helping to detect malware and the unwanted egress of data.
Again, this is mostly aimed at detecting the unwanted attention of outsiders. It also only addresses data at a point in
time when it is in motion, not when it is in use on devices or at rest on a storage system. To make such inspection
more useful it needs a layer over the top that links network traffic to users, which is the role of a DLP system.

DLP monitors data in transit and, linked with IAM, can observe and detect careless and malicious behaviors.
However, protections only apply where DLP is deployed; once files are outside of a given organizations direct
control there is no way to monitor them. Beyond the reach of DLP, insiders can share files with impunity.
Furthermore, DLP systems are not designed to maintain continuous audit trails for individual files.

Encryption
Sometimes put forward as the Holy Grail of IT security, encryption is good for protecting information stored to disk
and in transit over networks. However, there is no point in having data in the first place if it cannot be used and, to
do that, the files in question must be fully or partially decrypted and insiders with access rights must have access to
the decryption keys. Once a file is decrypted the user is free to copy and share it without further controls being
imposed. This includes not just copying the files itself, but taking screenshots, cutting and pasting, printing and so
on, all ways of stealing unencrypted data.

Data access and usage policies
All organizations should have clear guidelines in place for how data is used and users should be constantly reminded
of them. However, obviously users cannot be relied on to remember all the details, and the careless insiders (which
will be all users at some point) will be grateful for technology that helps prevent mistakes while the malicious insider
will, of course, ignore such policies. Research reported by CBR
10
in May 2014 showed that only about half of
organizations have implemented an internal information security policy. That, in itself, seems low, but just having a
policy is not enough, controls need to be put in place that police user behavior and the misuse of data for whatever
reason.

Employee security training
User education should be a regular and on-going process, however, as with usage policies, all users will lapse into
bad practice at some point and the malicious insider will find pointers in their training to working around the
security controls that aim to prevent the theft of data. The data reported by CBR
10
suggests only 47% of
organizations have staff training programs in place. This figure needs to be much higher but, even if it were, users
forget and/or ignore what they have been told; as with usage policy, training needs reinforcing with technology.

So what is the answer to mitigating the insider threat?
So, is there a truly data-centric approach to security that can address all aspects of the insider threat, protecting
data at rest, in transit and in use? One that ensures that security policies are enforced, audit trails are maintained,
while enabling legitimate insiders to access data wherever they happen to be? The one technology that can achieve
all this is a digital rights management (DRM) system. Arguably, when it comes to the pervasive protection of an
organizations data assets against the insider threat, DRM is the most comprehensive single technology available.

DRM is not a new idea; the concept has been around since the late 1990s. The aim of DRM is to enable legitimate
users (insiders), through granular access controls, to use data safely, ensuring they cannot over-exploit their access
rights. Increased awareness of the insider threat has seen a recent new interest in DRM as an effective protection
against insider threats. The concern has been increasing that insiders can share access to sensitive files with
outsiders and that conventional security products could not adequately prevent this. So, if DRM has been around so
long and is an effective protection, why hasnt it already been adopted more widely?


What keeps your CEO up at night?




Quocirca 2014 - 7 -
Why isnt everyone already using DRM?
Quocirca research
11
shows that about 40% of organizations have some form of DRM in place (Figure 5), while about
60% have DLP in place. If DRM can play such a big role in protecting against the insider threat, why has there not
been wider adoption? One reason is that many have been complacent about the insider threat and focused on
technologies that protect against outsiders. However, as concern about the insider threat increases, more are
looking in more detail at the capability DRM has to provide for broad protection of their data. As they do so, some
previously held misconceptions are being overcome.
These include:

DRM is not an enterprise-wide technology
In the past some have considered that DRM is only
appropriate for departmental deployments. While it is
true that many organizations start by putting controls
in areas where users are given access to the most
sensitive of material, such as legal and finance, many
DRM systems are capable of scaling across and
beyond the enterprise to encompass all users of
classified documents. Deployment times and
integration capabilities are improving.

Support for file formats is limited
Effective DRM must support all files containing
sensitive data that can be manipulated by users. The
range of formats supported by most DRM systems has increased over time to include all common office suites,
standard document formats, text files and PDFs. Some DRM vendors offer customer support for unusual file formats
used by specific customers.

DRM is intrusive
By its very nature DRM is intrusive, but only when users step out of line. There is little impact on the user experience
for those going about their daily work, making legitimate use of documents and sharing them with those that also
have access rights. As DRM systems have become better at supporting other applications, such as office suites and
PDF readers, they are transparent to users while policies regarding sensitive files are not violated. DRM should,
therefore, be positioned as protective technology for the user, rather than a restrictive one, and an effective DRM
system should be transparent to users until they make a mistake or abuse their access rights.

We should trust our users
Most humans have an innate desire to trust and this extends to a business and its employees. However, as has been
pointed out, misuse of documents is not just malicious, it is often just carelessness user ignorance is easier to
accept as a starting point for DRM adoption. Furthermore, access increasingly needs to be extended to external
users over whom a given business has less control and therefore less reason to trust.

DRM systems are overpriced
All technology, including any security product, has a cost. The view taken of the cost of implementing DRM should
not be just about the impact on the bottom line but also about the reduction of business risk and creation of
business value. As with any technology, early adopters will benefit at the expense of competitors and, as adoption
increases, prices will come down.

We dont believe vendors that tell us DRM is the answer to the insider threat
DRM is not a silver bullet for protecting against the insider threat: however, neither is any other single security
technology. Effective overall IT security will always require deploying a wide range of security systems to protect
against a wide range of threats. However, arguably, DRM is the most effective way of ensuring security policies
travel with data wherever it goes and the documents are protected in use, when stored and in transit. The pervasive
protection offered to a wide range of documents at all times is why DRM is effective at mitigating the insider threat.

What keeps your CEO up at night?




Quocirca 2014 - 8 -
Mitigating the insider threat through DRM
What specific aspects of DRM (sometimes termed Enterprise DRM or EDRM) make it so effective at countering the
insider threat?

It starts with securing the data and assigning the appropriate level of access per insider no other security
technology is designed specifically to classify every file, apply policy to it and monitor it from the moment of
creation, throughout its life cycle, including access, editing, copying, sharing, printing and transforming, while
maintaining a continuous audit trail for the document itself. This level of control can be used to prevent careless and
malicious misuse of documents by insiders and, when a breach occurs, it should be clear who has been involved.

Documents are classified based on rules laid down by the organization implementing DRM, which can take account
of the regulatory regime in which it operates. Data with no sensitivity, such as marketing materials, can be freely
shared while the focus for DRM is on monitoring sensitive and regulated materials. Users should not be expected (or
trusted) to classify documents themselves, which would offer no protection from the insider threat; this must be
done completely independently and automatically by the DRM system.

Access policies, defined within the DRM system, control which users have what right to access the data. Application
of policy must be pervasive. Most of the time enforcement can be via an online policy server. That said, there is, of
course, much benefit in users being able to work with documents on mobile devices while in remote locations; for
example editing a report on a laptop or sharing a presentation on a tablet. In such cases a user may not be online.
Permissions and controls must be extendable to offline use for given files, for a given period of time. Any actions
performed offline are checked against the policy server next time the device comes online and audit trails updated.

To further mitigate the inside threat, baselines for patterns of normal data usage can be established within the
DRM system over time. Deviations in either the way
a certain type of user is acting or the way given types
of files are being manipulated, that are typical of
insiders behaving maliciously or carelessly, can then
be observed and pre-defined actions taken.

Finally, the audit trail recorded for every sensitive file
details user identities, time stamps and the actions
carried out on a given file. Audit trails were
considered the most important of a range of security
technologies in a recent Quocirca report
12
(Figure 6).
These are essential not just for internal investigation
and reporting to auditors when a breach has
occurred, but also for evolving both written and DRM
system policy and improving training. The net result
is to make the use of data safer and more effective.


What keeps your CEO up at night?




Quocirca 2014 - 9 -
Conclusions
More and more organizations are facing up to the
insider threat; this is not just because they perceive
the problem, but also increasingly because they
have been a victim of a data breach through an
insiders carelessness or malicious behavior. To
protect against the insider threat, they need to
look beyond the traditional security technologies
that they have already deployed for pervasive
protection of data. To this end many are
overcoming previously held misconceptions and
turning to DRM.

In comparison to other conventional security
technologies, DRM arguably provides superior
protection against insider threats. It provides
protection against insiders who could be abusing
their insider access accidentally or maliciously
while enabling legitimate users to safely and
appropriately access data. That should see many
CEOs get a better nights sleep.





If you answer yes to these questions,
your organization may be at an increased
risk of insider threats
1. Has your organization installed a range of conventional
security technology, such as network and system
security products, but still been affected by data
breaches?
2. Does your organization allow the same level of access
to confidential information for all employees?
3. Does your organization work with 3
rd
party vendors it
cannot trust 100% to protect shared confidential
information?
4. Would a soon-to-be ex-employee be able to take
confidential information via a USB device, screen
capture or print out and share it with a competitor?
5. If an employee is able to access confidential company
information on their personal device and loses it, could
an outsider gain access to the lost device and the
information stored on it?
What keeps your CEO up at night?




Quocirca 2014 - 10 -
References
1 IS Decisions: The Insider Threat Security Manifesto, 2013
http://www.isdecisions.com/insider-threats-manifesto/

2 SafeNets Breach Level Index
http://www.breachlevelindex.com/

3 Verizons Data Breach Investigations Report
http://www.verizonenterprise.com/DBIR/

4 Lieberman Software: May 2014
http://go.liebsoft.com/Information-Security-Survey-2014

5 Strategy Analytics data reported in eWeek, March 2013
http://www.eweek.com/storage/apple-dropbox-google-battle-for-cloud-storage-market-share/

6 Vormetric 2013Vormetric ESG Insider Threats Survey
http://www.vormetric.com/sites/default/files/ap_Vormetric-Insider_Threat_ESG_Research_Brief.pdf

7 Ponemon Institute: Exposing the Cybersecurity Cracks: A Global Perspective
http://www.websense.com/assets/reports/report-ponemon-2014-exposing-cybersecurity-cracks-en.pdf

8 Security beyond the firewall: Xerox/David Drab, 2007
http://semanticommunity.info/@api/deki/files/8051/DavidDrab05142008.pdf

9 Quocirca, The identity perimeter, September 2012
http://www.quocirca.com/reports/791/the-identity-perimeter

10 CBR - Rogue employees are biggest threat to information security, May 2014
http://www.cbronline.com/news/rogue-employees-biggest-threat-to-information-security-4263652

11 Quocirca: Getting to grips with BYOD, May 2014
http://www.quocirca.com/reports/947/getting-to-grips-with-byod

12 Quocirca: The adoption of cloud based services, July 2013
http://www.quocirca.com/reports/927/the-adoption-of-cloud-based-services




About Fasoo

Fasoo has been successfully building its worldwide reputation as an EDRM (Enterprise Digital Rights Management)
solution provider with industry leading solutions and services. Fasoo solutions allow organizations to prevent
unintended information disclosure or exposure, ensure a secure information-sharing environment, better manage
workflows and simplify secure collaboration internally and externally. Fasoo Enterprise DRM, a data-centric security
solution, safeguards and prevents unauthorized use of digital files and provides persistent and reliable protection of
the files with effective file encryption, permission control and audit trail technologies. Fasoo has successfully
retained its leadership in the EDRM market by deploying solutions for more than 1,200 organizations in enterprise-
wide level, securing more than 2 million users.

More on Fasoo's products and services can be found at http://www.fasoo.com









About Quocirca

Quocirca is a primary research and analysis company specialising in
the business impact of information technology and communications
(ITC). With world-wide, native language reach, Quocirca provides in-
depth insights into the views of buyers and influencers in large, mid-
sized and small organizations. Its analyst team is made up of real-
world practitioners with first-hand experience of ITC delivery who
continuously research and track the industry and its real usage in the
markets.

Through researching perceptions, Quocirca uncovers the real hurdles
to technology adoption the personal and political aspects of an
organizations environment and the pressures of the need for
demonstrable business value in any implementation. This capability
to uncover and report back on the end-user perceptions in the
market enables Quocirca to provide advice on the realities of
technology adoption, not the promises.

Quocirca research is always pragmatic, business orientated and conducted in the context of the bigger picture. ITC
has the ability to transform businesses and the processes that drive them, but often fails to do so. Quocircas
mission is to help organizations improve their success rate in process enablement through better levels of
understanding and the adoption of the correct technologies at the correct time.

Quocirca has a pro-active primary research programme, regularly surveying users, purchasers and resellers of ITC
products and services on emerging, evolving and maturing technologies. Over time, Quocirca has built a picture of
long term investment trends, providing invaluable information for the whole of the ITC community.

Quocirca works with global and local providers of ITC products and services to help them deliver on the promise that
ITC holds for business. Quocircas clients include Oracle, IBM, CA, O2, T-Mobile, HP, Xerox, Ricoh and Symantec,
along with other large and medium sized vendors, service providers and more specialist firms.

Details of Quocircas work and the services it offers can be found at http://www.quocirca.com

Disclaimer:
This report has been written independently by Quocirca Ltd. During the preparation of this report, Quocirca may
have used a number of sources for the information and views provided. Although Quocirca has attempted
wherever possible to validate the information received from each vendor, Quocirca cannot be held responsible for
any errors in information received in this manner.

Although Quocirca has taken what steps it can to ensure that the information provided in this report is true and
reflects real market conditions, Quocirca cannot take any responsibility for the ultimate reliability of the details
presented. Therefore, Quocirca expressly disclaims all warranties and claims as to the validity of the data presented
here, including any and all consequential losses incurred by any organization or individual taking any action based
on such data and advice.

All brand and product names are recognised and acknowledged as trademarks or service marks of their respective
holders.


REPORT NOTE:
This report has been written
independently by Quocirca Ltd to
provide an overview of the issues
facing organizations when it
comes to information security.

The report draws on Quocircas
extensive knowledge of the
technology and business arenas,
and provides advice on the
approach that organizations
should take to put in place more
effective information security.