Every year the cloud and data security firm Thales publish a detailed report on the state of data security in the enterprise and the threats that organisations face today. The report analyses research conducted by surveying over a thousand organisations from all over the world, from a wide variety of industries, in order to develop a clear idea of the current state of data security. The survey collected a number of different metrics that included annual security and data security spending and budgeting, breach and vulnerability statistics, as well as how current technology trends are impacting the effectiveness and complexity of data security.
The report discusses how the adoption of digital technologies is rapidly changing how business is conducted. The utilisation of computers offers incredible benefits to businesses, but it also means that security is more important than ever. 97% of respondents are using sensitive data with digital technologies. The report also found that 60% of organisations surveyed had experienced a breach, with 30% breached in the last year alone. A major takeaway from the report is that no organisation is safe from data security risks. Any and every organisation can become a target for malicious actors.
An interesting finding was that 64% of companies that spend more than 10% of their IT budget on security have experienced a breach, compared with 47% of organisations that spend less than 10% of their IT budget on security. This might seem backwards, as one would think that spending more on security leads to better security; however, the study has shown that the greater the level of sophistication, the more likely respondents are to say that they have experienced a breach. One possible explanation is that organisations that spend more on security are larger and/or more technology-focused and therefore have a larger attack surface. It could also be that companies that spend less are unaware of breaches that have occurred or are ongoing. Organisations should not feel safe simply because they spend more on security.
The report also found that threat vectors are shifting to external actors. External threats such as cyber-criminals and hacktivists were ranked higher as a threat than internal threats (personnel such as employees and contractors). Despite this, internal threats are still a high risk. Many organisations invest more in external protection (firewalls, IDP & IPS technologies, etc.) but do not invest in internal security.
As mentioned previously, complexity also appears to play a large role in the likelihood that a breach will occur. The number of organisational processes that involve computers has been rapidly increasing over the last decade or two; however, environments have been evolving from being largely on-premises (in-house servers and/or datacentres) to off-premises with the introduction of cloud-hosted services. Almost every medium-to-large organisation is utilising a cloud technology of some kind. Surprisingly, respondents rated complexity as their #1 perceived barrier to implementing data security – higher than staff and budget.
While many organisations aspire to be secure and protect their assets properly, the survey found that there was a disconnect between security aspirations and budget realities. Resources are being spread too thin and expectations are not realistic in regard to the capabilities of the security team.
The research also found that use of security technologies such as encryption, multi-factor authentication and user access management is quite underwhelming. Fewer than 30% of organisations reported that they use encryption. Many organisations that use cloud technologies are also under the impression that the burden of securing data is offloaded to the provider, when this is absolutely not the case. The majority of cloud providers employ a shared security model, where the responsibility for security is shared between the client and the provider. For example, the provider will take on the responsibility of securing some aspects, whether it be physical security, backups, etc.; however, the client must take on the responsibility of securing access. Many providers will offer security features with their application, but the client must take the time to implement them appropriately.
The recent major changes in the regulatory and compliance world have also presented a challenge for enterprises, especially those that operate in a number of regions around the world. Data privacy regulations such as the EU’s GDPR have meant that many organisations have had to make large changes to how they deal with sensitive personal data. These regulations often dictate how businesses that handle sensitive data must protect it, or how they must react in the event of a breach.
Agilient specialises in helping organisations protect their sensitive data and assets. Our consultants are experts in data security techniques and technologies and stay on the forefront of security by keeping in touch with current security trends and threats impacting organisations in 2019. If you’d like more information about how Agilient can help your organisation protect against today’s security risks, contact us today.
Author: Jack Schofield, Agilient Consultant