Security spending not on most-effective controls, report reveals

While planned spending on IT security is up globally, so too are data breaches, with evidence mounting that hackers are hitting the bottom line, a global security survey reveals

Spending on IT security continues to rise, with 78% of global organisations planning to increase their security budgets in 2018, up from 73% in 2017, according to the latest Thales data threat report.

However, the report also reveals that security breaches are up sharply, with 36% of 1,200 global firms polled by 451 Research reporting that they suffered a breach in the past year, up from 26% the year before. This shows that despite increased security spending, businesses are failing to protect data.

More than two-thirds (67%) of the organisations said they had been breached at some point in the past, and unsurprisingly, 44% said they felt “very” or “extremely” vulnerable to security threats – up from 30% a year ago.

According to the report, a key driver of vulnerability to cyber attacks is the rush to embrace new technologies, with 94% of organisations polled using cloud, internet of things (IoT), blockchain, mobile and other transformative technologies.

According to the survey, 42% of organisations use more than 50 software as a service (SaaS) applications, 57% use three or more infrastructure as a service (IaaS) suppliers, 53% use three or more platform as a service (PaaS) environments, 99% are using big data, 94% are implementing IoT technologies, and 91% are working on or using mobile payments.

“Enterprises are seeking to derive the efficiency and scale benefits of digital technology, but this has created more attack surfaces and new risks for data that need to be offset by data security controls,” the report said.

A key finding of the report is that while times have changed with respect to technological advancements, security strategies have not, mainly because security investments do not match up with what works best to protect data.

For example, 77% of respondents cite data-at-rest security technology as being most effective at preventing breaches, with network security (75%) and data-in-motion security (75%) following close behind. But despite this, 57% of respondents are spending the most on endpoint and mobile security technologies, followed by analysis and correlation tools (50%).

When it comes to protecting data, the gap between perception and reality is apparent, with data-at-rest security (including encryption) coming bottom (40%) of IT security spending priorities, despite being considered the most effective at preventing breaches.

“In other words, the spending outlook is brightest for tools that we have identified as least effective, and vice-versa,” the report said. “Clearly, more work needs to be done to better align perceptions of effectiveness with the resources committed.”

This disconnect is also reflected in organisations’ attitude towards encryption – a key technology with a proven track record of protecting data.

While spending decisions do not yet reflect encryption’s popularity, and investment in it needs to catch up with its perceived benefits, respondents still expressed a strong interest in deploying encryption technologies, with 44% citing encryption as the top tool for increased cloud usage and 35% saying encryption is necessary to drive big data adoption.

Nearly half (48%) of respondents cited encryption as the top tool for protecting IoT deployments, and 41% as the top tool for protecting container deployments. Encryption technologies also top the list of desired data security purchases in the next year, with 44% citing tokenisation capabilities as the number one priority, followed by encryption with bring your own key (BYOK) capabilities.

Encryption is also cited as the top tool (42%) for meeting new privacy requirements, such as the European Union’s General Data Protection Regulation (GDPR).

The report notes that while in the past, compliance has been the primary driver for setting security spending priorities, the fear of the financial penalties from data breaches has taken over the top spot, with 39% citing it as the top stimulus for security spending, up from 35% a year ago.

Other top stimuli include increased use of cloud (also 39%) and compliance (37%). Although compliance is no longer in the top spot, more respondents feel compliance requirements are “very” or “extremely” effective compared with last year (59%).

New compliance regulations

The report ascribes this to new or updated compliance regulations, such as GDPR and the revised Payment Service Directive (PSD2), and more global respondents expect to feel the impact of GDPR this year (87%) compared with 72% a year ago.

Garrett Bekker, principal security analyst, information security at 451 Research and author of the report, said organisations are dealing with massive change as a result of digital transformation.

“But security spending focusing on the data itself is at the bottom of IT security spending priorities, leaving customer data, financial information and intellectual property severely at risk,” he said. “If security strategies aren’t equally as dynamic in this fast-changing threat environment, the rate of breaches will continue to increase.”

Peter Galvin, chief strategy officer at Thales eSecurity, said organisations are reshaping how they do business, and this digital transformation is reliant on data.

“As is borne out by our 2018 data threat report, we are now at the point where we have to admit that data breaches are the new reality, with over a third of organisations suffering a breach in the past year,” he said. “In this increasingly data-driven world, it is therefore hugely important to take steps to protect that data, wherever it is created, shared or stored.”

Traditional spend not effective

Jon Geater, CTO at Thales eSecurity, said cloud and digital transformation are the only way to be competitive in the modern world, but when organisations become truly digital, the traditional security spend is no longer effective.

“This is because all organisations’ data is exposed, and it has to be, because the economic lifeblood of what you are doing is based on the quality of the data, the amount of the data, and how quickly you can process it, analyse it and get business advantage,” he told Computer Weekly.

“It is imperative for UK plc to go online and embrace the open and data-based economies. But that does mean that what you are protecting is no longer the computer system, but the data itself.”

Geater recommends that businesses focus on their data. “Take a look at what you are doing with it,” he said. “Take a look at the applications, the APIs [application program interfaces] and the services that use that data. You have to secure them and the communications between them.”

In a data-driven economy, said Geater, organisations must ensure they are able to protect the data directly. “And that is why we are seeing this trend towards recognising the importance of encryption, because it is about securing the data, not locking down computers and IT systems,” he said.

To offset the data breach trend and take advantage of new technologies and innovations, Thales recommends that, as a minimum, organisations should adhere to the following practices:

  • Use encryption and access controls as a primary defence for data and consider an “encrypt everything” strategy.
  • Select data security platform offerings that address multiple use cases to reduce complexity and costs through automation and services.
  • Implement security analytics and multi-factor authentication solutions to help identify threatening patterns of data use.

The report also recommends that organisations:

  • Consider security systems that will work both with existing tools from cloud service providers, and across multiple clouds and cloud apps.
  • Encrypt and manage keys locally, using BYOK for enterprise SaaS, PaaS and IaaS.
  • Employ discovery as a complement to encryption and access control within the environment.
  • Use secure device ID and authentication for IoT, as well as encryption of data-at-rest on devices, back-end systems and in transit to limit data threats.
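The two recommendations that data itself should be encrypted and that keys should be generated and managed locally (BYOK) are usually implemented together as envelope encryption: each record is encrypted under its own data-encryption key (DEK), and the DEK is then wrapped under a key-encrypting key (KEK) that never leaves the organisation's own key store. Only the ciphertext and the wrapped DEK are handed to the cloud provider. The following script is an added illustration of that pattern and is not code from the report, Thales or 451 Research. To run offline with only the Python standard library it builds its cipher from HMAC-SHA256 in counter mode with encrypt-then-MAC; the `LocalKeyStore` class, the key ids and the sample record are constructed for the example, and a real deployment would use AES-GCM from a vetted library with the KEK held in an HSM or on-premises KMS.

```python
"""Envelope encryption with a locally held key-encrypting key (KEK).

Added example, not the report's own code. The cipher below (HMAC-SHA256 as a
counter-mode keystream, encrypt-then-MAC) is a stdlib-only stand-in so the
script runs anywhere; production systems should use AES-GCM from a vetted
library and keep the KEK in an HSM or on-premises KMS.
"""
import hashlib
import hmac
import os
import struct
from typing import Dict, Tuple

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: HMAC(key, nonce || counter) blocks, truncated to length."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _subkeys(key: bytes) -> Tuple[bytes, bytes]:
    """Derive separate encryption and MAC keys from one 32-byte key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def seal(key: bytes, plaintext: bytes, aad: bytes = b"") -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag. aad is authenticated only."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(key: bytes, blob: bytes, aad: bytes = b"") -> bytes:
    """Verify the tag in constant time before decrypting; any alteration raises."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: ciphertext or wrapped key altered")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class LocalKeyStore:
    """Constructed stand-in for an on-premises HSM/KMS: KEKs are created and used only here."""

    def __init__(self) -> None:
        self._keks: Dict[str, bytes] = {}

    def new_kek(self, key_id: str) -> str:
        self._keks[key_id] = os.urandom(32)      # the KEK is never returned to callers
        return key_id

    def wrap(self, key_id: str, dek: bytes) -> bytes:
        # Binding the key id as AAD stops a wrapped DEK being replayed under another KEK id.
        return seal(self._keks[key_id], dek, aad=key_id.encode())

    def unwrap(self, key_id: str, wrapped: bytes) -> bytes:
        return open_sealed(self._keks[key_id], wrapped, aad=key_id.encode())


def protect_record(store: LocalKeyStore, key_id: str, record: bytes) -> dict:
    """Encrypt one record under a fresh DEK; the returned envelope may leave the premises."""
    dek = os.urandom(32)
    return {"kek_id": key_id,
            "wrapped_dek": store.wrap(key_id, dek),
            "ciphertext": seal(dek, record)}


def unprotect_record(store: LocalKeyStore, envelope: dict) -> bytes:
    """Unwrap the DEK locally, then decrypt the record; the KEK itself is never exported."""
    dek = store.unwrap(envelope["kek_id"], envelope["wrapped_dek"])
    return open_sealed(dek, envelope["ciphertext"])


def rotate_kek(store: LocalKeyStore, envelope: dict, new_key_id: str) -> dict:
    """Re-wrap the DEK under a new KEK without touching the bulk ciphertext."""
    dek = store.unwrap(envelope["kek_id"], envelope["wrapped_dek"])
    return {**envelope, "kek_id": new_key_id, "wrapped_dek": store.wrap(new_key_id, dek)}


if __name__ == "__main__":
    store = LocalKeyStore()
    kid = store.new_kek("kek-2018-q1")                       # constructed key id
    record = b"customer=42;iban=XX00 EXAMPLE 0000"           # constructed sample record
    envelope = protect_record(store, kid, record)            # this is all the cloud side sees
    print(unprotect_record(store, envelope) == record)
    rotated = rotate_kek(store, envelope, store.new_kek("kek-2018-q2"))
    print(unprotect_record(store, rotated) == record)
```

The design choice worth noting is in `rotate_kek`: because only the small wrapped DEK depends on the KEK, a BYOK key rotation or revocation is a local re-wrap, not a re-encryption of every object held by the provider, and withholding or destroying the KEK renders the provider-held copies unreadable without any further action on the cloud side.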