INTRODUCTION

One of the fundamental challenges of cybersecurity is dealing with the speed of change. With each new computing paradigm shift – Cloud, Big Data, IoT etc. – come new capabilities and possibilities – along with new security vulnerabilities to be exploited. It’s no wonder that the security industry overall now tallies in excess of 1,400 vendors by 451 Research’s count, with as many as nine new startups per month and roughly 10 new security categories created each year.

In like spirit, one of the main challenges of the Thales Global Data Threat Report has been to continue to evolve to reflect the latest threats and technologies. For example, past versions of the report focused primarily on the threat presented by insiders, both malicious – as in the renowned case of Edward Snowden – and inadvertent. But as we have learned over the past few years, the global threat landscape is constantly evolving, and one of our biggest challenges is to protect data from a fluid cast of not just insiders but also external threat actors, many of which are well funded, organized and often – though not always – highly sophisticated.

Figure: Respondents Concerned that Advanced Technologies Deployment is Happening Before Appropriate Data Security is in Place, By Technology Platform

Even the very nature of attacks seems to be undergoing a metamorphosis. In one of the most notable incidents of 2016 and a possible sign of things to come, attackers relied on a massive botnet of over 100,000 poorly protected and compromised IoT devices to overload the servers at DNS provider Dyn and disrupt Internet services in two-thirds of the U.S., rather than attacking Dyn directly.

However, despite the higher spending (and planned spending) on security, some 26% of respondents said their organizations experienced a breach in the last year, up from 21.7% in 2016, while 42% of respondents experienced a data breach at another time in the past (up from 39.3%). It is no wonder then that nearly one in three respondents feel their organizations are either ‘very vulnerable’ or ‘extremely vulnerable’ to threats to sensitive data. Overall, the research suggests that the security industry looks increasingly like a dog chasing its own tail – despite more and more money spent on security each year, our collective problems continue to worsen.

KEY FINDINGS:

  • More than two in three respondents (67.8%) said their organizations have been breached at some point, an increase of nearly 7% over the previous year. And more than one in four (26%) were breached in the last year alone, up from 21.7% the previous year.
  • The overwhelming majority of respondents still feel some degree of vulnerability to data threats (88%), down slightly from the previous year (90%), but still at an alarmingly high level. Those feeling ‘extremely vulnerable’ rose slightly, to 9.1% from 8.2%.
  • Compliance (44%) remains the primary reason for spending on data security by a stubbornly wide margin over implementing security best practices, the second strongest driver (38%). However, we found it encouraging that fewer respondents (59.5%) viewed compliance requirements as ‘very or extremely effective’, a notable drop from 64% last year. Meanwhile brand and reputation plummeted to 36%, down markedly from 50% in last year’s study as a primary reason for security spending.
  • In a departure from both practical experience and anecdotal evidence, more than 57% of respondents claim ‘complete knowledge’ of where sensitive data is located, up sharply from 42% last year.

  • Data sovereignty has become a hot topic in light of concerns about new regulations and government snooping. Encryption was identified as the clear choice (64%) to satisfy local data privacy laws such as the EU’s recently approved General Data Protection Regulation (GDPR). Tokenization (40%) is listed as a distant second, while migrating data to jurisdictions or choosing local cloud providers are at the very bottom of the list.
  • Complexity remains the top barrier to more aggressive adoption of data security solutions, chosen by 50.4% of respondents. ‘Lack of staff’ trailed by a considerable margin in second place at 36%.
  • Though still a nascent technology that’s been in the market for barely two years, Docker containers are being used by four in ten respondents for production applications, with a nearly 50-50 split between critical and non-critical applications. Only 13% of respondents have no plans to use Docker containers in the year ahead. As with other emerging technologies such as cloud, Big Data and IoT, security unsurprisingly remains the #1 Docker adoption barrier (46.7% of respondents), and the #1 method for securing containers is encryption.

SPENDING INTENTIONS

Against a backdrop of flat or even declining overall IT budgets, 73% of respondents say their organizations will increase security spending next year, up sharply from 59% last year. The main driver of the jump was that the number of organizations saying they will have ‘much higher’ security spending nearly doubled, from 12% last year to 23%.


As was the case last year, respondents listed compliance requirements as the top driver of security spending. Thus, it is no surprise that in the two most heavily regulated and compliance-rich vertical markets – healthcare and financial services – 76% and 78% of organizations respectively are planning spending increases. And in retail, which has seen some of the most highly publicized attacks (Target, Home Depot, TJX, British Airways), 77% of organizations will increase security spending. Geographically, the two regions planning to increase their security spending the most were Brazil (85% of respondents from Brazil said their organizations would increase security spending next year, up sharply from 73% last year) and Germany (80% compared to just 63% last year).

RECOMMENDATIONS

In recent years, we have witnessed traditional models of computing being figuratively – and in some cases literally – turned upside down and inside out. And as the technology landscape has shifted, so too has the threat environment, as well as the various methods of defending against those threats. Information security will always be a cat-and-mouse game as technology providers look to keep up with the ever-changing threat landscape and attackers. But a main theme of 451 Research’s ongoing analysis – and also one of the main theses of this report – is the misalignment between current threats and the appropriate defenses needed to truly protect an organization’s assets from compromise. To the extent that security spending continues to increase each year, a defensible argument could be made that, at worst, much of that money is being wasted, or at best, sub-optimally allocated.

Simply put, as our corporate boundaries become increasingly porous and our resources are on the move, traditional endpoint and network security approaches are no longer sufficient in and of themselves. Indeed, research from 451’s Voice of the Enterprise survey on cloud computing in Q3 2015 shows that the security tools that are most important in the ‘old world’ – firewalls, anti-malware, etc. – are less relevant in the cloud, while those security controls that are less popular – including identity management, DLP and encryption – become more so in the new world.

Once firms have a better idea of where their sensitive data may reside, applying more comprehensive data controls such as encryption would be a logical next step. However, encryption is no longer just for laptops, PCs and mobile devices. Regardless of which new technology is chosen – whether SaaS, IaaS, Big Data, IoT or containers – the preferred means of securing each of them was encryption.
