Compliance is not security

by Mark Rowe

Reputation and brand protection are the most important IT security spending drivers for UK organisations, according to Vormetric’s 2016 Data Threat Report.

Organisations continue to equate compliance with security in the belief that meeting compliance requirements will be enough, even as data breaches rise in organisations certified as compliant. Investments in IT security controls were misplaced, the report claims, as most are heavily focused on perimeter defences that consistently fail to halt breaches and increasingly sophisticated cyber-attacks.

Garrett Bekker, senior analyst, enterprise security, at 451 Research and the author of the report, said: “Compliance does not ensure security. As we learned from data theft incidents at companies that had reportedly met compliance mandates (such as Anthem, Home Depot and others), being compliant doesn’t necessarily mean you won’t be breached and have your sensitive data stolen. But we found that organisations don’t seem to have gotten the message, with nearly two thirds (64 per cent) rating compliance as very or extremely effective at stopping data breaches.”

The fourth annual report for the US-based data security product company Vormetric polled 1100 senior IT security executives at enterprises worldwide. Covered were rates of data breach and compliance failures, perceptions of threats to data, data security stances and IT security spending plans.

• Rates of data breaches are up, with 61 per cent experiencing a breach in the past (22 per cent within the last year, and 39 per cent in a previous year)
• 64 per cent believe compliance is very or extremely effective at preventing data breaches, up from 58 per cent last year
• At 46 per cent overall, compliance was also the top selection for setting IT security spending priorities. Industries particularly focused on compliance include healthcare (61 per cent) and financial services (56 per cent).

“Organisations are also spending ineffectively to prevent data breaches, with spending increases focused on network and endpoint security technologies that offer little help in defending against multi-stage attacks,” added Bekker. “It’s no longer enough to just secure our networks and endpoints.”

• 78 per cent rate network defences as very or extremely effective at preventing data breaches
• 62 per cent also rated endpoint and mobile defences very or extremely effective for data breach prevention
• Increases in spending on data-at-rest defences (39 per cent) have declined from last year (47 per cent)
• Tools that are less effective at preventing data breaches have seen the heaviest spending increases, such as network defences (48 per cent) and endpoint or mobile (44 per cent).

Considerations

The report also finds significant differences in the primary drivers for data security strategies around the world:

• Compliance requirements were top drivers in the U.S. (54 per cent), Australia (51 per cent) and Germany (47 per cent)
• In Japan, requirements from business partners, customers or prospects were the highest priority (50 per cent)
• Reputation and brand protection were the most important spending drivers in the UK (50 per cent) and Mexico (58 per cent).

Louise Bulman, Regional Vice President & General Manager, EMEA at Vormetric, said: “Given the extensive media coverage dedicated to UK firms that suffered data breaches in the past year, it should come as no surprise that reputation and brand protection are now the top drivers for security spend among UK organisations. There is absolutely no doubt that businesses today need an urgent rethink on current data security policies as consumers are rapidly losing faith with companies that cannot protect their private information effectively. Proactive steps such as strong encryption should be taken now to ensure the protection of that data even if it falls into the wrong hands.”

Some of the greatest differences identified were in organisations’ planned spending increases on data-at-rest defences, which the report describes as the most effective solutions for protecting data from multi-phase, multi-layer attacks. These differences suggest again that many organisations are less concerned with preventing data breaches than with checking the compliance box. Planned data-at-rest defence spending increases by country were:

• Brazil – 48 per cent
• US – 45 per cent
• Mexico – 40 per cent
• Germany – 37 per cent
• UK – 34 per cent
• Australia – 29 per cent
• Japan – 20 per cent.

Perceptions of risk from cloud and privileged insiders continued to increase around the globe compared with last year, while the perception of risk from mobile devices decreased as organisations started to recognise that relatively small volumes of sensitive data reside on these devices.

• 63 per cent believe privileged users are the most dangerous insiders, an increase from the rate of 57 per cent measured last year
• 44 per cent consider cloud environments a “top three” risk for loss of sensitive data, up from 40 per cent the previous year
• Perceptions of risk from big data implementations dropped from 25 per cent last year to 20 per cent this year.

With the Internet of Things (IoT) a new area, few respondents seemed to recognise the risks posed by the mountains of personal data being collected by connected IoT devices: only 17 per cent rated it a top three risk for loss of sensitive data.

Source

The study was based on web and phone interviews of 1114 senior executives in Australia, Brazil, Germany, Japan, the UK and the US. Most have influence on or are the sole decision maker for IT at their respective companies. Respondents represented: automotive; education; energy; engineering; federal government; healthcare; IT; retail; and telecommunications. Visit: www.vormetric.com.

© 2024 Professional Security Magazine. All rights reserved.