Security spending rises in areas ineffective against multi-stage attacks

Vormetric announced the results of the Financial Services Edition of the 2016 Vormetric Data Threat Report (DTR). This edition extends earlier findings of the global report, focusing on responses from IT security leaders in financial services, which details IT security spending plans, perceptions of threats to data, rates of data breach failures and data security stances.

“Something doesn’t add up in the plans of financial services organizations for protecting data,” said Garrett Bekker, senior analyst, information security, at 451 Research. “Spending to protect data is increasing fastest in areas that have been shown to be ineffective at protecting against multi-stage attacks – Network defenses (65 percent) and end point and mobile device defenses (58 percent) – still see the highest increase in spending, while approaches like data-at-rest defenses that have been proven to be effective at protecting data after perimeter defenses have been bypassed, are at the bottom (48 percent).”

Other key findings:

• 90 percent feel vulnerable to data threats
• 44 percent have already experienced a data breach, with nearly one in five (19 percent) indicating a breach in the last year
• At 56 percent, meeting compliance requirements was the top IT security spending priority, but preventing data breaches at 50 percent and best practices, also at 50 percent, were close followers
• Complexity at 68 percent, and lack of staff at 35 percent, are identified as top barriers to adoption of better data security
• Bright spots include 70 percent increasing spending to offset threats to data and 48 percent increasing spending on data-at-rest defenses this year.

Top external and internal threat actors

As the primary repositories and conduits of the world’s financial data, financial services enterprises have always known that they are a primary target for cybercriminals and malicious insiders. Unsurprisingly, the top external threat actors identified were cybercriminals, a top selection for 42 percent of respondents, and a top three selection for 88 percent.

The top internal threat actors identified were privileged users, a top three selection for 68 percent of respondents. Privileged user accounts typically have access to all the resources and systems they manage, unless restrained by additional security controls, and their accounts are primary targets for compromise in cyberattacks.

Compliance is not enough

With adherence to a myriad of regulations and compliance required to do business, it’s no surprise that IT security professionals in financial services are focused on meeting these mandates.

• Compliance (56 percent)
• Data breaches (50 percent)
• Implementing security best practices (50 percent).

The problem? 66 percent view meeting compliance requirements as a ‘very’ or ‘extremely’ effective way to protect sensitive data, yet slow moving compliance standards consistently fail to stop today’s multi-level attacks.

Big Data a big deal in financial services

Big Data: Financial service reported the highest use of sensitive data within Big Data, with 59 percent of respondents planning to use sensitive data within these environments. In spite of this high level of use, only 33 percent regard Big Data implementations as presenting a top three risk for loss of sensitive information.

Cloud: Financial services organizations have high levels of concern with using cloud usage, but nevertheless, 91 percent are using sensitive data within these environments. Top concerns include:

• Security breaches at the cloud provider level (75 percent)
• Increased vulnerabilities from shared infrastructure (72 percent)
• Lack of a data privacy policy or privacy service level agreements (71 percent).

Even so, 54 percent will use Software as a Service (SaaS) environments, 48 percent Infrastructure as a Service (IaaS) and 48 percent Platform as a Service (PaaS) resources within the next 12 months.

Encrypting data and maintaining local control over keys was the number one factor that would increase willingness to use public cloud, at 51 percent of responses.

Financial services organizations are getting some things right

A number of positive results indicate that financial services organizations are taking steps in the right direction to recognize and deal with the problem.

• 70 percent are increasing spending to protect sensitive data
• 48 percent, plan to invest in data-at-rest defenses this year
• 62 percent are looking to implement data security for brand and reputation protection
• Many are planning to implement ‘newer’ security tools that are more effective at protecting data even when other defenses have been compromised. These include tokenization (42 percent), application encryption (33 percent), Security Event and Information Management (SIEM) systems (29 percent) and privileged user access management (29 percent).

“Financial services organizations continue to feel the heat from cyber attackers,” said Tina Stewart, vice president of marketing for Vormetric. “They are investing to help solve the problem, but surprisingly, are failing to connect the dots about the best solutions to use. With the world’s financial data in their custody, the most effective way to protect this information, once networks and systems are penetrated, is to enhance data protection investments.”