Best Practices in Email, Web and Social Media Security


An Osterman Research Survey Report
Published January 2014

Osterman Research, Inc.


P.O. Box 1058 • Black Diamond, Washington • 98010-1058 • USA
Tel: +1 253 630 5839 • Fax: +1 253 458 0934 • info@ostermanresearch.com
www.ostermanresearch.com • twitter.com/mosterman

EXECUTIVE SUMMARY
Osterman Research conducted a survey during November 2013 to
determine current practices, concerns and other issues related to
email, Web and social media security. Here are the details of the
survey:

• The survey was conducted with security-focused decision makers and
influencers on the Osterman Research survey panel from November 12-19, 2013.

• A total of 157 surveys were completed.

• Surveys were conducted primarily in the United States across a wide range
of industries.

• The mean number of employees and email users at the organizations surveyed
was 10,824 and 10,781, respectively. The medians were 1,470 and 1,000,
respectively. The distribution of organization sizes surveyed is shown in the
following figure.
[Figure: Size of Organizations Surveyed]

Osterman Research completed 157 surveys, primarily with mid-sized firms and
enterprises.

SURVEY RESULTS
For each of the following applications, which do you consider to be “legitimate”
applications for use in your organization and which are not?

©2013-14 Osterman Research, Inc. 1


LinkedIn is perceived as the most “legitimate” business social media tool,
while Twitter is viewed as the least legitimate.

On a scale of 1 to 5, how much of a concern is each of the following in your
organization, where 1 is “not a concern at all / we have the issue solved”
and 5 is “it is a very serious concern / we don’t yet have a good solution”?

Issue %
Malware being introduced from employees’ Web surfing 58%
Malware being introduced from employees’ personal Webmail 56%
Phishing attacks 53%
Data loss from employees sending confidential info via email 50%
Data loss from employees sending confidential info via cloud-based tools like Dropbox 48%
Malware being introduced from employees’ home computers 42%
Virus/worm/malware infections 42%
Malware being introduced from employees’ use of Web 2.0 apps 37%
Breaches of sensitive internal data 36%
Breaches of sensitive customer data 35%
The lag between new virus outbreaks and when our AV vendor issues an update to deal with these outbreaks 34%
Mobile malware 33%
Direct hacker attacks 32%
Users working at home creating security problems 30%
Data loss from employees sending confidential info via social media 30%
Spam – the amount that your organization receives 29%
Spam – your IP address getting blacklisted due to outbound mail attack 27%
Time spent by email administrators dealing with malware 25%
Denial-of-service attacks 25%
Employees viewing inappropriate content on the Web 25%
Time spent by email administrators dealing with spam 23%
Spam – the amount of false positives caused by your anti-spam system 21%
Time spent by employees dealing with spam 21%

Which of the following has occurred in your organization DURING THE PAST
12 MONTHS? Please check all that apply.

74% of organizations have had malware infiltrate their corporate network
through Web surfing during the past 12 months.

For each of the following, does your organization a) allow its use, b) not
allow its use but do not block or c) actively block?

Is the percentage of spam blocked by your anti-spam system(s) getting better,
worse or staying the same over time?

A substantial proportion of security-focused decision makers and influencers
perceive their security solutions’ effectiveness to be deteriorating over
time.

Is the amount of malware reaching your end users getting better, worse or
staying the same over time?

Is the issue of Web-based threats getting better, worse or staying the same
over time?

On a scale of 1 to 5, please rate the importance to your organization of the
following reasons for deploying a Web security gateway, where 1 is “not at
all important” and 5 is “extremely important”.

Issue %
To block malicious sites 84%
To prevent viruses being introduced into the network 83%
To reduce the amount of malware entering the network 82%
To reduce the amount of malware that could steal data and prevent the loss of confidential data from an outbound post 74%
To block unwanted content like porn or gambling from entering 67%
To block unwanted employee downloads 58%
To improve employee behavior since they are monitored 51%
To comply with specific or general regulatory requirements 50%
To reduce growth in bandwidth requirements 47%
To log and report on user Web surfing behavior 45%
To reduce corporate liability for poor employee behavior 41%
To block employee use of personal Webmail 27%

Organizations’ primary focus for Web security gateways is to block the
infiltration of malware.


During a typical week, how many person-hours does your IT staff spend on
managing all of your messaging and Web security capabilities, including anti-virus,
anti-spam, content filtering, secure messaging, etc.?

• Our research found that the typical organization invests 52.5 IT staff hours per
week per 1,000 email users on the security-related tasks noted in the question
above.

• If we assume that the fully burdened salary (including vacation, benefits, etc.)
for an IT staff member is $100,000, this time investment equates to a per
user cost of $131.22 annually, or a monthly per user cost of $10.93.

• However, salaries for IT staff members can vary widely based on geography and
other factors. For example, the average base salary for an IT administrator with
five years' experience in the New York City metro area is $132,194, whereas the
US national average base salary for this position is $90,516¹. Using these figures,
the annual/monthly cost for security-related tasks based on our survey findings
would be $173.46/$14.46 for the New York City metro area, and $118.77/$9.90 for
the US national average.

Labor costs alone for security-related tasks cost organizations more than $10
per user per month.

¹ Source: SalaryExpert

Which of the following best describes the email, Web and other social media
security solutions you have in place TODAY and which you would PREFER to have?

© 2013-14 Osterman Research, Inc. All rights reserved.

No part of this document may be reproduced in any form by any means, nor may it be distributed
without the permission of Osterman Research, Inc., nor may it be resold or distributed by any
entity other than Osterman Research, Inc., without prior written authorization of Osterman
Research, Inc.

Osterman Research, Inc. does not provide legal advice. Nothing in this document constitutes
legal advice, nor shall this document or any software product or other offering referenced herein
serve as a substitute for the reader’s compliance with any laws (including but not limited to any
act, statute, regulation, rule, directive, administrative order, executive order, etc. (collectively,
“Laws”)) referenced in this document. If necessary, the reader should consult with competent
legal counsel regarding any Laws referenced herein. Osterman Research, Inc. makes no
representation or warranty regarding the completeness or accuracy of the information contained
in this document.

THIS DOCUMENT IS PROVIDED “AS IS” WITHOUT WARRANTY OF ANY KIND. ALL EXPRESS OR
IMPLIED REPRESENTATIONS, CONDITIONS AND WARRANTIES, INCLUDING ANY IMPLIED
WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, ARE
DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE DETERMINED TO BE
ILLEGAL.
