There’s a sizable gap between confidence in security programs and their effectiveness
A Syncsort survey of over 300 respondents found that while 85 percent are either very or somewhat confident in their organization’s security program, 41 percent said their company had experienced a security breach and 20 percent more were unsure.
The survey also uncovered several challenges and liabilities in security practices that contradict respondents’ high levels of confidence.
Vulnerabilities around newer data sources
- Respondents had firsthand knowledge of security for Windows servers (69%), followed by network infrastructure (54%).
- In contrast, only seven percent were familiar with newer but widely adopted data storage options like Hadoop data lakes.
Cloud and compliance are security challenges
- Twenty-eight percent of respondents named adoption of cloud services as their top security-related challenge, followed by growing complexity of regulations (20%) and insufficient IT security staffing (19%).
- The regulation most respondents had to adhere to was GDPR (37%), followed by HIPAA and SOX (32% each).
- Security (42%) and cloud computing (35%) are organizations’ top two IT priorities in the coming year.
Most organizations only perform security audits annually
- Thirty-two percent of responding organizations only perform security audits annually, while 23 percent do so every three months and 19 percent every six months.
- The most popular areas examined in audits include application security (72%), backup/disaster recovery processes (70%), network security (69%), antivirus programs and password policies (67% each).
Organizations are investing in security, but mostly around basic measures
- Almost half of respondents (46%) reported increased spending on security-related technology over the past three years. Thirty-five percent each developed or significantly updated a security program and increased spending to support cybersecurity initiatives.
- The top three security investments include network firewall (69%), virus protection (66%) and malware protection (65%), while investments in newer approaches like data tokenization (18%) are starting to emerge.
- In the coming year, 39 percent plan to invest in internal staffing and skills, while 23 percent plan to invest in intrusion prevention and 21 percent in patch management.
Data breaches are common
- Forty-one percent of organizations have experienced data breaches, while 39 percent have not, and 20 percent say they don’t know.
- The most common types of breaches were virus/malware attacks (76%) and phishing (72%). Interestingly, virus attacks came from internal sources roughly half the time, while phishing usually came from external sources (78%).
- Fifty percent of breaches were identified in less than a day, while 26 percent were identified in less than a week.
- Mean time to respond was the breach metric most often met (41%), followed by mean time to resolve (35%).
- Following a breach, companies’ most common action was to increase training for IT staff (43%).
“The good news is most organizations are auditing their security systems,” said Terry Plath, Senior VP, Support and Services, Syncsort. “The bad news is more than two-thirds of audits are done by in-house staff – meaning they’re more likely to be biased – and only once per year. This may not be enough to keep up with the newer and more sophisticated approaches malicious hackers are constantly developing. The bottom line is that data security requires increased focus from IT organizations, particularly against the backdrop of increasing compliance regulations and emerging data rights.”