Some 96% of UK businesses feel as though their network perimeter security is effective at keeping unauthorised users out of their network, according to the fourth-annual Gemalto Data Security Confidence Index.
Across the 10 global regions surveyed, 94% of the more than 1,000 IT professionals said perimeter security is effective, but only 35% said they were extremely confident their data would be secure if perimeter defences were breached. In contrast, 58% of UK respondents said they were extremely confident that their data would be secure in the event of a breach.
However, the survey also revealed that 46% of UK businesses are only protecting their customers’ data with passwords, and when considering their latest data breaches, 75% of the data stolen from businesses on average was not encrypted, with 11% of businesses not encrypting any of their data.
“As a security professional, it feels like I’ve been saying forever that basic perimeter security measures are no longer enough,” said Joe Pindar, director of data protection product strategy at Gemalto.
“So it’s worrying to see the UK is continuing to place ultimate faith in these systems, without thinking about what attackers actually want – their data,” he said.
Without a switch in mentality, and starting to protect the data at its source with robust encryption and two-factor authentication, Pindar said the UK is like one of the three little pigs.
“Unfortunately, the one sitting in the straw house – not realising that when the time comes, passwords and perimeter security alone will not stand up to attackers,” he said.
The Gemalto report notes that many businesses are continuing to prioritise perimeter security without realising it is largely ineffective against sophisticated cyber attacks.
According to the research findings, 76% of global respondents said their organisation had increased investment in perimeter security technologies such as firewalls, intrusion detection and prevention, antivirus, content filtering, and anomaly detection to protect against external attackers.
Despite this investment, 68% believe unauthorised users could access their network, rendering their perimeter security ineffective.
These findings suggest a lack of confidence in the solutions used, especially when over a quarter (28%) of organisations polled have suffered perimeter security breaches in the past 12 months. The reality of the situation worsens when considering that, on average, only 8% of data breached was encrypted.
Business confidence undermined
Businesses’ confidence is further undermined by over half of respondents (55%) not knowing where their sensitive data is stored. In addition, over a third of businesses do not encrypt valuable information such as payment (32%) or customer (35%) data.
According to the Gemalto report, this means that, should the data be stolen, a hacker would have full access to this information, and could use it for crimes including identity theft, financial fraud or ransomware.
“It is clear there is a divide between organisations’ perceptions of the effectiveness of perimeter security and the reality,” said Jason Hart, vice-president and chief technology officer for data protection at Gemalto.
“By believing that their data is already secure, businesses are failing to prioritise the measures necessary to protect their data, which is a company’s most valuable asset,” he said, adding that it is important to focus on protecting this resource. “Otherwise, reality will inevitably bite those that fail to do so.”
Securing personal data
With the General Data Protection Regulation (GDPR) compliance deadline in May 2018, businesses must understand how to comply by properly securing personal data to avoid the risk of administrative fines and reputational damage, the report said.
The GDPR applies to any organisation anywhere in the world holding or collecting data on citizens in Europe, and could result in penalties of up to €20m or 4% of annual turnover, whichever is higher.
However, over half of respondents (53%) said they do not believe they will be fully compliant with GDPR by the deadline. With less than a year to go, the report said businesses must begin introducing the correct security protocols in their journey to reaching GDPR compliance, including encryption, two-factor authentication and key management strategies.
“Investing in cyber security has clearly become more of a focus for businesses in the last 12 months,” said Hart. “However, what is of concern is that so few are adequately securing the most vulnerable and crucial data they hold, or even understand where it is stored. This is standing in the way of GDPR compliance, and before long the businesses that don’t improve their cyber security will face severe legal, financial and reputational consequences.”