A new report by 451 Research, which polled 1,100 senior IT security executives at large enterprises worldwide, details rates of data breach and compliance failures, perceptions of threats to data, data security stances and IT security spending plans.
Critical findings illustrate that organizations continue to equate compliance with security, in the belief that meeting compliance requirements will be enough, even as data breaches rise in organizations certified as compliant. Investments in IT security controls were also shown to be misplaced, as most are heavily focused on perimeter defenses that consistently fail to halt breaches and increasingly sophisticated cyberattacks.
“Compliance does not ensure security,” said Garrett Bekker, senior analyst, enterprise security, at 451 Research and the author of the report. “As we learned from data theft incidents at companies that had reportedly met compliance mandates (such as Anthem, Home Depot and others), being compliant doesn’t necessarily mean you won’t be breached and have your sensitive data stolen. But we found that organizations don’t seem to have gotten the message, with nearly two thirds (64%) rating compliance as very or extremely effective at stopping data breaches.”
- Rates of data breaches are up, with 61% of respondents having experienced a breach at some point (22% within the last year, and 39% in a previous year)
- 64% believe compliance is very or extremely effective at preventing data breaches, up from 58% last year
- At 46% overall, compliance was also the top selection for setting IT security spending priorities. Industries particularly focused on compliance include healthcare (61%) and financial services (56%) organizations.
“Organizations are also spending ineffectively to prevent data breaches, with spending increases focused on network and endpoint security technologies that offer little help in defending against multi-stage attacks,” added Bekker. “It’s no longer enough to just secure our networks and endpoints.”
- 78% rate network defenses as very or extremely effective at preventing data breaches
- 62% also rated endpoint and mobile defenses very or extremely effective for data breach prevention
- Increases in spending on data-at-rest defenses (39%) have declined from last year (47%)
- Tools that are less effective at preventing data breaches have seen the heaviest spending increases, such as network defenses (48%) and endpoint or mobile (44%).
The report also finds significant differences in the primary drivers for data security strategies around the world:
- Compliance requirements were top drivers in the U.S. (54%), Australia (51%) and Germany (47%)
- In Japan, requirements from business partners, customers or prospects were the highest priority (50%)
- Reputation and brand protection were the most important spending drivers in the U.K. (50%) and Mexico (58%).
Some of the greatest differences identified were in planned spending increases on data-at-rest defenses, the most effective solutions for protecting data from multi-phase, multi-layer attacks. These differences again suggest that many organizations are less concerned with preventing data breaches than with checking the compliance box. Reported planned increases in data-at-rest defense spending were:
- Brazil – 48%
- U.S. – 45%
- Mexico – 40%
- Germany – 37%
- U.K. – 34%
- Australia – 29%
- Japan – 20%
Perceptions of risk from cloud environments and privileged insiders continued to increase around the globe compared with last year, while the perception of risk from mobile devices decreased as organizations started to recognize that relatively small volumes of sensitive data reside on these devices.
- 63% believe privileged users are the most dangerous insiders, an increase from the rate of 57% measured last year
- 44% consider cloud environments a “top three” risk for loss of sensitive data, up from 40% the previous year
- Perceptions of risk from big data implementations dropped from 25% last year to 20% this year.
With the Internet of Things (IoT) still a new area for the vast majority of enterprises, few seemed to recognize the risks posed by the mountains of personal data collected by connected IoT devices: only 17% rated it a top three risk for loss of sensitive data.
As detailed in the report, organizations need to realize that continuing to invest in “business as usual” IT security tools is no longer enough to protect critical data. A strong focus on data security must be added to create a comprehensive security strategy that can protect sensitive information. Organizations can make immediate improvements by:
- Making more extensive use of encryption and access controls as a first line of defense for data-at-rest (locally in the data center, in cloud, big data and IoT environments) and considering an “encrypt everything” strategy
- Avoiding the complexity and high costs of implementing multiple data security solutions by selecting data security platform offerings that address a variety of use cases, emphasize ease-of-use and offer encryption, enterprise key management, access control and security intelligence
- Implementing security analytics and multi-factor authentication solutions to help identify threatening patterns of data use and to reduce unauthorized access risks.