Thales warns budgets are being misspent - UK Cyber Security Spending Misplaced?
The UK is the most breached country in Europe, according to a survey of 400 senior security managers by cyber security company Thales released today - with 37 percent of respondents saying they were breached in 2017 - up from 22 percent on the previous year.
Rates of failure in the last year" or data security compliance audits also soared: more than one in three of respondents polled in European enterprises reported a failed compliance audit in the last year.
Chief Strategy Officer at Thales, Peter Galvin said, "A tidal wave of data breaches is continuing to roll across Europe, with three in every four organisations now a victim of cyber-crime. As a result, people are feeling more vulnerable than ever before, worried about where the next threat will come from, and in what form."
Are companies looking in the right places when it comes to spending IT budgets?
The report found that respondents clearly recognise the defences designed specifically for protecting data are the most effective tools for doing so.
Data-at-rest defences were rated as the most effective tools for protecting data, with 72 percent responding that they were either 'very' or 'extremely' effective. However, data-at-rest security tools are not getting a high priority in spending increases.
"In fact, the data-at-rest defences that are the most effective at protecting large data stores are the lowest priority for increases in IT security spending, at only 36 percent", the report's authors noted.
At the same time, increases in IT security spending are greatest for endpoint (51 percent) and network (44 percent) defences, even as these tools become are no longer wholly effective against attacks designed to compromise data.
Network and Endpoint-Based Security Controls Inadequate
The combination of spear phishing (*) with zero-day exploits (*) available to criminal hackers makes it almost impossible to keep intruders away from critical data stores solely with network and endpoint-based security controls, Thales highlighted/
"As respondents recognize, the most effective solutions are security controls that provide an additional layer of protection directly around data sets. Data-at-rest and data-in-motion security tools can reduce attack surfaces, and provide the information needed to quickly find and stop attacks designed to mine critical data while in progress," Thales noted.
"Cloud computing also makes network security tools less relevant as increasingly infrastructure is no longer implemented within the four walls of the enterprise. In fact, the vast majority of new projects are implemented using cloud resources"
Peter Galvin from Thales further explained: "To stand the best chance of success against these advanced attacks, businesses need to dedicate the appropriate level of attention, budget and resource into safeguarding their sensitive data, wherever it happens to be created, shared or stored."
* Spear phishing occurs when scammers use personal details to tailor the emails, text messages, or phone calls they use to swindle victims.
* A zero-day vulnerability, at its core, is a flaw. It is an unknown exploit in the wild that exposes a vulnerability in software or hardware and can create complicated problems well before anyone realizes something is wrong. In fact, a zero-day exploit leaves NO opportunity for detection. A zero-day attack happens once that flaw, or software/hardware vulnerability, is exploited and attackers release malware before a developer has an opportunity to create a patch to fix the vulnerability-hence "zero-day."
Extracts from the Report :
A generation ago, IT security was fairly straight-forward. Most data was contained within the proverbial 'four walls' of the organization behind corporate firewalls and Intrusion Prevention System (IPS) devices. Access to that data and applications was via terminals, desktops, laptops and consoles for the most part. And the worst threat actors hacked as much for fun and notoriety as anything else.
By sharp contrast, today's computing environments are increasingly driven by the desire for digital transformation, resulting in highly distributed implementations - data is increasingly held beyond the corporate boundaries, in complex hybrid cloud and mobile environments. Hackers are now motivated by everything from nationalism to anarchy to the promise of instant riches. Clearly, doing what we have been doing for decades is no longer working. The more relevant question on the minds of IT and business leaders, then, is more direct: "What will it take to stop the breaches?"
Thales surveyed 1,200+ senior security executives from across the globe (up from 1,100), including respondents from key regional markets in the U.S., U.K., Germany, Japan, Sweden, the Netherlands, Korea and India. We also key segments were surveyed within those countries including federal government, retail, finance and healthcare. While all 1,200 respondents have at least some degree of influence in data security decision-making, more than one-third (34%) have 'major' influences on these decisions and nearly half (46%) have sole decision making authority.
The results are sobering: while planned spending on IT security is up globally over the previous year, so too are data breaches, with evidence mounting that hackers are indeed hitting the bottom line. At the same time, data privacy
regulations are looming, with the potential to substantially impact organizations of all stripes, the most potent of which
is the General Data Protection Regulation (GDPR). GDPR takes full effect in May 2018 and ushers in sweeping changes in the way organizations must deal with any data related to the European Union's 740 million residents.
Also from the EU comes the Revised Payment Service Directive (PSD2), which takes effect in 2018 and in essence ends retail banks' monopoly on their customer's account information and payment services. PSD2 enables bank customers, both consumers and businesses, to use third-party providers to manage their finances, with banks obligated to provide those providers with access to customers' accounts through open APIs. …
… Organizations continue to deal with the security ramifications of emerging technologies that now are firmly rooted within most organizations' overall IT strategy.
o Big Data, which continues to flood and even overwhelm organizations struggling to figure out how to leverage Big Data - 99% of respondents plan to use Big Data this year - while also keeping it secure.
o The Internet of Things (IoT) which, as we saw last year, has become a prime target of hackers as well as a jumping off point for launching large-scale attacks such as the Mirai botnet attacks. Data from 451 Research found that nearly three quarters (71%) of enterprises are already gathering data for IoT initiatives, while security remains a major concern and impediment to IoT deployments.
o SaaS which continues to spawn concerns over sensitive data stored outside the firewalls of the organization and is the 'new' technology most likely to house sensitive data (45% globally).
o Containers, which continue their impressive growth and acceptance by development staff despite nascent efforts to secure containers and the sensitive data within them - nearly one-quarter (24%) are using containers in production environments. A bright spot in the cloudenabling technology area, 451 Research predicts that containers will have a compounded annual growth rate of 40%, reaching $2.7 billion by 2020.
o Blockchain, which is becoming more widely used for commercial transactions outside the highly established payment settlement systems. 451 Research believes blockchain, which drives the execution and integrity of digital currency, can potentially disrupt virtually all business models and industries globally, as well as security markets such as Public Key Infrastructure (PKI), information rights management and identity management.