
Security spending leaving data vulnerable, study finds

Cyber breaches are increasing despite rising security spending, a study shows, highlighting that security investment decisions are not aligned with actual cyber threats

There is an ongoing disconnect between the security systems organisations spend money on and the ability of those systems to protect sensitive data, a study has confirmed.

Data protection tactics have not evolved to match security threats, according to the 2017 Thales data threat report, which is based on a poll of 1,105 executives in the UK, US, Germany, Australia, Brazil and Japan.

According to the survey, 73% of organisations increased IT security spending in 2017, a marked increase from 58% the year before.

Despite this increase, 68% of respondents said they had experienced a breach, with 26% experiencing a breach in the past year – up 5% compared with the previous year.

The study, conducted in conjunction with 451 Research, also showed that while 30% of respondents classify their organisations as “very vulnerable” or “extremely vulnerable” to data attacks, and the number of breaches continues to rise, the two top spending priorities are network (62%) and endpoint (56%) protection, compared with just 46% spending on systems to protect data at rest.

The report notes that despite the rise in breaches, companies are still prioritising network and endpoint security systems over encryption.

More than three-quarters of organisations (76%) recognise encryption of data at rest as more effective in protecting sensitive data than endpoint security, yet network and endpoint security still topped their IT security shopping list, and these two categories showed the largest year-on-year increase in spending.

Garrett Bekker, senior analyst of information security at 451 Research and author of the report, said organisations keep spending on the same systems that worked for them in the past but are not necessarily the most effective at stopping modern breaches.

“It stands to reason that if security strategies aren’t equally as dynamic in this fast-changing threat environment, the rate of breaches will continue to increase,” he said.

Compliance the top driver for IT security spending

According to the report, the reasons behind security spending decisions are varied, but compliance remains the key driver.

Almost half of respondents list meeting compliance requirements as their top spending priority, followed by best practices (38%) and protecting reputation/brand (36%).

However, the report said it was encouraging that fewer respondents (59.5%) viewed compliance requirements as “very or extremely effective”, a notable drop from 64% the previous year.

According to Thales and 451 Research, while compliance regulations provide a data security blueprint, they should not be the only consideration when building a security strategy robust enough to withstand sophisticated attackers.

External and internal actors the top threat

All vertical industries polled identified cyber criminals as the top threat (44%), followed by hacktivists (17%), cyber terrorists (15%) and nation-states (12%).

With respect to internal threats, 58% believe privileged users are the most dangerous insiders, slightly down from 63% in 2016. At 44%, executive management is seen as the second-most risky insider, followed by ordinary employees (36%) and contractors (33%).

According to Thales and 451 Research, as increasing volumes of enterprise data are created, transported, processed and stored outside corporate network boundaries, traditional perimeter-based security controls and legacy network and endpoint protection systems are becoming less relevant.

Other new, popular technologies bring added security challenges. For example, the study found that 40% of respondents are using Docker containers for production applications. At the same time, 47% cite security as the “top barrier” to broader Docker container adoption.

Peter Galvin, vice-president of strategy at Thales e-Security, said enterprises must inevitably confront an increasingly complicated threat landscape.

“Our world – which includes the cloud, big data, the IoT [internet of things] and Docker – calls for robust IT security strategies that protect data in all its forms, at rest, in motion and in use,” he said.

“Businesses need to invest in privacy-by-design defence mechanisms – such as encryption – to protect valuable data and intellectual property. They also need to view security as a business enabler that facilitates digital initiatives and builds trust between partners and customers.”

To offset the data breach trend and take advantage of new technologies and innovations, the report recommends that organisations, at a minimum, adhere to the following practices:

  • Use encryption and access controls as a primary defence for data and consider an “encrypt everything” strategy.
  • Select data security platform offerings that address a variety of use cases and emphasise ease of use.
  • Implement security analytics and multi-factor authentication systems to help identify threatening patterns of data use.
