The harsh realities of the current state of cybersecurity are made starkly apparent by the seemingly endless reports of major data breaches, which continue unabated despite consistent increases in IT security spending.
This ongoing game of cat-and-mouse suggests that the tactics, sophistication and motivation are helping global attackers stay at least one step ahead of their often overwhelmed and beleaguered defenders. The obvious – or what should be obvious – question is whether the cyber defenses that are being deployed today need to be re-examined for overall effectiveness and recalibrated.
As with past reports, this year’s Thales Global Data Threat Report showcases a mix of good and bad news. From the glass-half-full perspective, most respondents plan to increase their spending on security for the fourth consecutive year: 78% of the 1,200 organizations polled plan on increasing IT security spending in 2018, including nearly 86% of US organizations, up from 73% globally in 2017.
In past reports, compliance has been the primary driver for setting security spending priorities. That changed this year, with the fear of financial penalties from data breaches taking over the top spot, again possibly reflecting the growing number of costly, high-profile attacks.
The bad news is that rates of successful breaches have reached an all-time high for both mid-sized and enterprise-class organizations, with more than two-thirds (67%) of global organizations and nearly three-fourths (71%) in the US having been breached at some point in the past.
Further, nearly half (46%) of US respondents reported a breach just in the previous 12 months, nearly double the 24% response from last year, while over one-third (36%) of global respondents suffered a similar fate. In addition to the massive Equifax breach that exposed personal information of 143 million individuals, other noted breaches last year included the education platform Edmodo (77 million records hacked); Verizon (14 million subscribers possibly hacked); and America’s JobLink (nearly 5 million records compromised).
As we compare this year’s data to that from past surveys, while the numbers may change, the storylines remain essentially the same. We are spending more on security, more respondents view compliance as very effective at preventing data breaches, yet the number of breaches continues to rise.
One notable – and encouraging – change in this year’s data was that the perceived effectiveness of securing data at rest (77% globally) surpassed network security (75%) for the first time. At the same time, endpoint security ranked dead last in terms of effectiveness once again, yet has the highest planned spending both globally (57%) and in the US (65%) – a stunning disconnect.
Conversely, plans for spending on securing data at rest are at the bottom of this list globally (40%) and in the US (44%). In other words, the spending outlook is brightest for tools that we have identified as least effective, and vice-versa. Clearly, more work needs to be done to better align perceptions of effectiveness with the resources committed to support our goals.
Yet, implemented improperly, data security can be fraught with complexity, and the popularity of hybrid, distributed systems and mobility has certainly contributed to the challenges of deploying data security more broadly. Thus, it is not wholly surprising that complexity – or at least the perception that data security is complex – remains the top barrier to data security in this year’s report (43% globally, 44% US), though concerns about performance and business process impact (42% globally, 46% US) have closed the gap considerably from last year.
- For the fourth consecutive year, spending on IT security continues its much-needed upward trajectory, with 78% of global organizations planning on upping spending in the year ahead, compared with 73% in 2017. The US is even more aggressive with 86% of firms planning increases.
- On the downside, security breaches are up – and sharply so. More than a third (36%) of global firms were breached last year, up considerably from 26% in 2017 and 20% in 2016. The picture in the US was even more dire, with the share of US firms polled that reported being breached last year nearly doubling to 46%, from 24% last year. More than two-thirds (67%) of global organizations and 71% in the US have experienced a breach at some point.
- For the first time, respondents listed avoidance of financial penalties from data breaches (39% vs. 35% last year) along with increased use of cloud (also at 39% globally) as the top stimuli for IT security spending, edging out the former perennial top choice, compliance (37% global, 38% US).
- Yet, more respondents this year feel compliance requirements are ‘very’ or ‘extremely’ effective compared with last year (59%), perhaps due to new or updated compliance regulations such as GDPR and PSD2. To illustrate, more global respondents expect to feel the impact of GDPR this year (87%) compared with last (72%).
- The effectiveness of securing data at rest (77% global) for the first time surpassed network security, while endpoint security (64%) was dead last. Yet, endpoint security paradoxically has the highest response rates for planned security spending increases (57% global, 65% US), while data-at-rest ranked dead last for spending increases globally (40%) and in the US (44%).
- The low spending plans for data-at-rest security may be blamed on perceptions of complexity, which was once again the top barrier to adopting data security globally (43%), with concerns over performance a close second (42%).
- Encryption remains the technology of choice for ensuring compliance and privacy, with twice as many respondents choosing encryption over the number two choice, tokenization. For security in general, however, tokenization ranked first in terms of planned deployments, with encryption with bring your own key (BYOK) second and application layer encryption third. Encryption with BYOK is the top choice for securing data in public cloud environments, with encryption with keys held by providers in second place.
- The vast majority of organizations are opting for a multi-cloud strategy as part of their digital transformation strategies, with 84% globally choosing more than one IaaS vendor and 34% using more than 50 SaaS applications. While cloud providers are increasingly providing their own security features, organizations will need to fill in the blanks themselves and also ensure interoperability amongst their various cloud providers.