Data Protection Not Keeping Pace With Threats: C-suite Survey

Data protection not keeping pace with threats: C-suite survey

If there’s anything another year of sophisticated IT security attacks has shown us, it’s that keeping pace with cyber-threats is a near impossible task. Especially when organizations don’t seem to understand the threats they’re facing.

While Thales’ 2017 data threat report, a poll of 1,105 executives in the UK, US, Germany Australia, Brazil and Japan prepared by 451 Information Security Analysts, paints organizations initiative towards security spending in a relatively positive light – in 2017, 73 per cent of organizations increased IT security spending, a jump from 58 percent in 2016 – the disconnect between spending and results is painfully apparent if you drill deeper.

There’s no question the threats are more prevalent.

Amongst the surveyed c-suites, more than two thirds (68 per cent) of organizations have experienced a data breach, with 26 per cent experiencing one in the past year. And they know they’re vulnerable – with 30 per cent of those polled classifying their organizations as ‘very vulnerable’ or ‘extremely vulnerable’ to data attacks.

But herein lies the disconnect. According to the c-suites, the spending priorities for IT security are network (62 per cent) and endpoint (56 per cent). Data-at-rest solutions are the lowest priority at 46 per cent.

“It’s no longer enough to just secure our networks and endpoints,” Garrett Bekker, 451 Principal Analyst of Information Security wrote in the report. “With the rapid and continuing growth of data outside the four walls of the enterprise, spending on securing internal networks from external threats is less and less effective – and less relevant.”
Further to that, 59 per cent of the executives polled believe being compliant is enough to prevent data breaches.

“Compliance is a minimum table stake for regulated enterprises … But being compliant does not mean you won’t be breached,” writes Bekker.

It’s obvious businesses need to be moving beyond just compliance. So how do you do that? Here are three things businesses can be doing to keep pace with the evolving data threats.

Make basic user training and identity management mandatory

According to the survey, when it comes to internal threats – 58 per cent of c-suite respondents say privileged users are the most dangerous insiders while executive management is seen as the second-most-risky insider at 44 per cent. Ordinary employees and contractors sit at 36 and 33 per cent respectively.
Businesses can help themselves by convincing employees to buy-in and own their identities. The emphasis is so often on “protecting the organization” – make it about protecting their identity. Training them to own their individual role in protecting their identity through factors like not reusing passwords, locking their computer when they leave the desk for lunch or the evening, not stashing their password reminders in sticky notes on the side of their cubicle and keeping their work and private accounts separate is a good start. And rather than forcing them to use a certain type of password, show them why something like a2&%sdjSDf could be cracked by a botnet in two hours versus ThisPasswordIs100%Better! which would take the world’s fastest super computer centuries to break.

Educate them on basic identity management and what it means to them.

Invest in turnkey data security solutions that are easy for even the average employee to use

While every business needs designated IT security personnel, the days of Nick Burns, “your company’s computer guy”, are gone. Complex security measures like biometric authentication are commonplace and used in everyday technology like smartphones; people use VPNs to watch Netflix; data-breaches are regularly covered by mainstream media – IT security is no longer as mystifying as it was. It’s time to acknowledge that the average employee can work within IT infrastructure, provided you find solutions that are user-friendly.

A virtual data room is a prime example – the complexity is behind the scenes but it can be used to seamlessly trade sensitive information, whether its between members of the marketing team prepping for a new product launch or the financial department trading reports and swapping data.

Make encryption and access controls the standard

Good encryption keeps hackers away from the information and with so many businesses out there neglecting security; hackers would rather look elsewhere than try to work through your codified data. Using cutting edge 256-bit AES SSL/TLS encryption for both data in transit and at rest (i.e. the element most businesses are neglecting according to the Thales report) can ensure you’re on top of threats.

A simple way to add an extra barrier and put a serious damper on password them is to require users and administrators to log in with two factors. This could take the shape of a password and a unique phone code for instance.

If there’s anything to glean from Thales report on the disconnect between data spending and data security it’s that staying on top of new threats and adapting security measures isn’t about building complex IT security infrastructures and leaving them to rot, it’s about making sure you’re taking the simple steps and keeping ahead of the curve.




Andrew Seale

Andrew Seale is a Toronto-based business writer who contributes frequently to Yahoo Canada Finance, The Globe and Mail's Report on Business and The Toronto Star.