
Security spending leaving data vulnerable, study finds

Cyber breaches are increasing despite increased security spending, a study shows, highlighting that security investment decisions are not aligned with actual cyber threats

There is an ongoing disconnect between the security systems organisations spend money on and the ability of those systems to protect sensitive data, a study has confirmed.

Data protection tactics have not evolved to match security threats, according to the 2017 Thales data threat report, which is based on a poll of 1,105 executives in the UK, US, Germany, Australia, Brazil and Japan.

According to the survey, 73% of organisations increased IT security spending in 2017, a marked increase from 58% the year before.

Despite this increase, 68% of respondents said they had experienced a breach, with 26% experiencing a breach in the past year – up 5% compared with the previous year.

The study, conducted in conjunction with 451 Research, also showed that while 30% of respondents classify their organisations as “very vulnerable” or “extremely vulnerable” to data attacks, and the number of breaches continues to rise, the two top spending priorities are network (62%) and endpoint (56%) protection, compared with just 46% spending on systems to protect data at rest.

The report notes that despite the rise in breaches, companies are still prioritising network and endpoint security systems over encryption.

More than three-quarters of organisations (76%) recognise encryption of data at rest as more effective at protecting sensitive data than endpoint security, yet network and endpoint security topped their IT security shopping list, with those two categories showing the largest year-on-year increase in spending.

Garrett Bekker, senior analyst of information security at 451 Research and author of the report, said organisations keep spending on the same systems that worked for them in the past but are not necessarily the most effective at stopping modern breaches.

“It stands to reason that if security strategies aren’t equally as dynamic in this fast-changing threat environment, the rate of breaches will continue to increase,” he said.

Compliance the top driver for IT security spending

According to the report, the reasons behind security spending decisions are varied, but compliance remains the key driver.

Almost half of respondents list meeting compliance requirements as their top spending priority, followed by best practices (38%) and protecting reputation/brand (36%).

However, the report said it was encouraging that fewer respondents (59.5%) viewed compliance requirements as “very or extremely effective”, a notable drop from 64% the previous year.

According to Thales and 451 Research, while compliance regulations provide a data security blueprint, they should not be the only consideration when building a security strategy robust enough to withstand sophisticated attackers.

External and internal actors the top threat

All vertical industries polled identified cyber criminals as the top threat (44%), followed by hacktivists (17%), cyber terrorists (15%) and nation-states (12%).

With respect to internal threats, 58% believe privileged users are the most dangerous insiders, slightly down from 63% in 2016. At 44%, executive management is seen as the second-most risky insider, followed by ordinary employees (36%) and contractors (33%).

According to Thales and 451 Research, as increasing volumes of enterprise data are being created, transported, processed and stored outside corporate network boundaries, traditional perimeter-based security controls and legacy network and endpoint protection systems are becoming less relevant.

Other new, popular technologies bring added security challenges. For example, the study found that 40% of respondents are using Docker containers for production applications. At the same time, 47% cite security as the “top barrier” to broader Docker container adoption.

Peter Galvin, vice-president of strategy at Thales e-Security, said enterprises must inevitably confront an increasingly complicated threat landscape.

“Our world – which includes the cloud, big data, the IoT [internet of things] and Docker – calls for robust IT security strategies that protect data in all its forms, at rest, in motion and in use,” he said.

“Businesses need to invest in privacy-by-design defence mechanisms – such as encryption – to protect valuable data and intellectual property. They also need to view security as a business enabler that facilitates digital initiatives and builds trust between partners and customers.”

To offset the data breach trend and take advantage of new technologies and innovations, the report recommends that organisations should, at a minimum, adhere to the following practices:

  • Use encryption and access controls as a primary defence for data and consider an “encrypt everything” strategy.
  • Select data security platform offerings that address a variety of use cases and emphasise ease-of-use.
  • Implement security analytics and multi-factor authentication systems to help identify threatening patterns of data use.
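The third recommendation above, security analytics that flag threatening patterns of data use, can be illustrated with a small self-contained check. The following is an added example written for this page; it is not code from Thales, 451 Research or the report. It assumes a simple CSV-style access log (date, user, role, records read), which is constructed here, and a threshold of three times each account's own historical daily volume; both the format and the threshold are illustrative assumptions.

```python
"""Added example (not from the Thales/451 report): a minimal security-analytics
check that flags accounts whose daily volume of sensitive-record access jumps
far above their own historical baseline. The log format, the sample data and
the threshold factor are assumptions made for this illustration."""
from collections import defaultdict
from statistics import mean

# Constructed sample log in the assumed format "date,user,role,records_read".
# Not real data: alice (a privileged DBA) reads ~125 records a day, then 2,400.
SAMPLE_LOG = """\
2017-03-01,alice,dba,120
2017-03-02,alice,dba,130
2017-03-03,alice,dba,125
2017-03-04,alice,dba,2400
2017-03-01,bob,analyst,40
2017-03-02,bob,analyst,45
2017-03-03,bob,analyst,38
2017-03-04,bob,analyst,50
2017-03-01,carol,contractor,10
2017-03-04,carol,contractor,15
"""


def parse_log(text):
    """Parse CSV-style lines into (date, user, role, count) tuples.

    Malformed lines (wrong field count, non-numeric count) are skipped rather
    than aborting the run, so one bad log line cannot blind the whole check.
    """
    events = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 4:
            continue
        date, user, role, count = parts
        try:
            events.append((date, user, role, int(count)))
        except ValueError:
            continue
    return events


def flag_anomalous_access(events, factor=3.0, min_history=2):
    """Return alerts for days on which a user's volume exceeds factor * baseline.

    The baseline is the mean of that user's earlier days, so each account is
    compared against itself instead of a single global threshold. Users with
    fewer than min_history prior days are skipped to avoid noisy alerts on
    new accounts. The role is carried into the alert so that privileged
    accounts (DBAs, admins) can be triaged first.
    """
    per_user = defaultdict(list)
    for date, user, role, count in sorted(events):
        per_user[user].append((date, role, count))

    alerts = []
    for user, days in per_user.items():
        history = []
        for date, role, count in days:
            if len(history) >= min_history:
                baseline = mean(history)
                if count > factor * baseline:
                    alerts.append({
                        "user": user,
                        "role": role,
                        "date": date,
                        "count": count,
                        "baseline": round(baseline, 1),
                    })
            history.append(count)
    return alerts


if __name__ == "__main__":
    for alert in flag_anomalous_access(parse_log(SAMPLE_LOG)):
        print(alert)
```

Run as-is, the check raises one alert: alice on 2017-03-04 (2,400 records against a baseline of 125), while bob's and carol's normal variation produces nothing. A per-account baseline of this kind is deliberately simple; in production it would be fed from a database audit log or DLP system and combined with the role information, which the report's respondents rank as the key insider-risk signal, so that a spike on a privileged account is escalated ahead of one on an ordinary user.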


Simon Smith here:

This is my take:

1. They are not spending money on the right 'people'. Cyber breaches come from a weakness involving a human mind. It is not the solution to 'buy a better router'.

2. Security teams are not working in unison across the organisation. Although roles are defined uniquely, data categorisation and decision-making ownership as it is taught today is, IMHO, not correct. All data must be treated securely, as it is now a board-room issue. In the real world, any change must be documented by an entire team alongside a model.

3. The concept of "data value" does not work with me. In my opinion all data should be treated high security. It is IP first and foremost, and second, no person, especially an employee can make this decision. What they deem invaluable based on their learning may be worth millions to an internet criminal.

4. Companies will take this approach by force when they receive million-dollar statutory fines. They will learn fast what to spend their money on. Cyber security involves more than spending. It involves strategy. One has to reverse the cyber criminal mindset and hire true professionals with the skills required to defensively protect an organisation.

From my industry experience, the attitude of the two-week-course and half-day-exam graduates, and reading their classifications, this is my best answer as I see it. I have been programming, managing and deploying enterprise systems for over 20 years in extremely secure corporate environments.
