Vormetric, a leader in enterprise data security for physical, virtual, big data and cloud environments, today announced the results of its 2016 Vormetric Data Threat Report, issued in conjunction with analyst firm 451 Research. The fourth annual report, which polled 1,100 senior IT security executives at large enterprises worldwide, details rates of data breach and compliance failures, perceptions of threats to data, data security stances and IT security spending plans.
Critical findings illustrate that organisations continue to equate compliance with security, in the belief that meeting compliance requirements will be enough, even as data breaches rise in organisations certified as compliant. Investments in IT security controls were also shown to be misplaced, as most are heavily focused on perimeter defences that consistently fail to halt breaches and increasingly sophisticated cyberattacks.
“Compliance does not ensure security,” said Garrett Bekker, senior analyst, enterprise security, at 451 Research and the author of the report. “As we learned from data theft incidents at companies that had reportedly met compliance mandates (such as Anthem, Home Depot and others), being compliant doesn’t necessarily mean you won’t be breached and have your sensitive data stolen. But we found that organisations don’t seem to have gotten the message, with nearly two thirds (64%) rating compliance as very or extremely effective at stopping data breaches.”
• Rates of data breaches are up, with 61% experiencing a breach in the past (22% within the last year, and 39% in a previous year)
• 64% believe compliance is very or extremely effective at preventing data breaches, up from 58% last year
• At 46% overall, compliance was also the top selection for setting IT security spending priorities. Industries particularly focused on compliance include healthcare (61%) and financial services (56%) organisations
“Organisations are also spending ineffectively to prevent data breaches, with spending increases focused on network and endpoint security technologies that offer little help in defending against multi-stage attacks,” added Bekker. “It’s no longer enough to just secure our networks and endpoints.”
• 78% rate network defences as very or extremely effective at preventing data breaches
• 62% also rated endpoint and mobile defences very or extremely effective for data breach prevention
• Increases in spending on data-at-rest defences (39%) have declined from last year (47%)
• Tools that are less effective at preventing data breaches have seen the heaviest spending increases, such as network defences (48%) and endpoint or mobile (44%)
The report also finds significant differences in the primary drivers for data security strategies around the world:
• Compliance requirements were top drivers in the U.S. (54%), Australia (51%) and Germany (47%)
• In Japan, requirements from business partners, customers or prospects were the highest priority (50%)
• Reputation and brand protection were the most important spending drivers in the U.K. (50%) and Mexico (58%)
“Given the extensive media coverage dedicated to U.K. firms that suffered data breaches in the past year, it should come as no surprise that reputation and brand protection are now the top drivers for security spend among U.K. organisations,” said Louise Bulman, Regional Vice President & General Manager, EMEA at Vormetric. “There is absolutely no doubt that businesses today need an urgent rethink on current data security policies as consumers are rapidly losing faith with companies that cannot protect their private information effectively. Proactive steps such as strong encryption should be taken now to ensure the protection of that data even if it falls into the wrong hands.”
Some of the greatest differences identified were in organisations' planned spending increases on data-at-rest defences, the most effective solutions for protecting data from multi-phase, multi-layer attacks. These differences suggest again that many organisations are less concerned about preventing data breaches than they are with checking the compliance box. The planned increases in data-at-rest defence spending reported by country were:
• Brazil – 48%
• U.S. – 45%
• Mexico – 40%
• Germany – 37%
• U.K. – 34%
• Australia – 29%
• Japan – 20%
Perceptions of risk from cloud and privileged insiders continued to increase around the globe from last year, while the perception of risk from mobile devices decreased as organisations started to recognise that relatively small volumes of sensitive data reside on these devices.
• 63% believe privileged users are the most dangerous insiders, an increase from the rate of 57% measured last year
• 44% consider cloud environments a “top three” risk for loss of sensitive data, up from 40% the previous year
• Perceptions of risk from big data implementations dropped from 25% last year to 20% this year
With the Internet of Things (IoT) a new area for the vast majority of enterprises, few seemed to recognise the risks posed by the mountains of personal data being collected by connected IoT devices, with only 17% recognising it as a top three risk for loss of sensitive data.
The survey results and research report are available from Vormetric.