Today we issued our 2015 Insider Threat Report – Japan and ASEAN Edition, and the results have been a study in contrasts. Results for ASEAN are the closest match from our sample set to those of U.S. respondents, while those from Japan are often closer to the results from our first Vormetric Insider Threat Report in 2013.
Insider threats are different from a few years ago. With the addition of service providers and contractors to manage internal infrastructure, the realization that privileged users (system administrators, network administrators and others) typically have full access to the data on the systems that they manage, and advanced attacks that compromise credentials from all these groups, it's a different world from just two years ago.
With this in mind, we also found that there were very strong differences in the level of threat perceived by the two regions. Although the "somewhat or more vulnerable" level was nearly identical (87% Japan, 84% ASEAN), Japanese organizations felt substantially lower levels of "Very or Extremely vulnerable":
- Japan - 17%
- ASEAN - 33%
- U.S. - 46%
Given this low level of perceived vulnerability in Japan, it isn't surprising that ASEAN had a much higher rate of planned increases in spending around the threat, the highest rate measured in the study:
- Japan - 27% - Increasing spending to offset the threat
- ASEAN - 64%
- U.S. - 54%
Cloud usage followed the same pattern. ASEAN and U.S. organizations have moved to embrace cloud computing environments, and have placed sensitive data within them. Japanese organizations have not, with typical adoption for use with sensitive data at half that of these areas.
This may also be partially a lack of awareness. To quote Andrew Kellett of Ovum, the author of the study: “Data breaches are happening everywhere, and the Japanese and ASEAN markets are not immune.” It's also true that data breaches are much less likely to become public knowledge in Japan and ASEAN, but they are definitely happening. The recent disclosures by NICT of 25.66 billion attempts to compromise corporate systems in Japan, and the recent Sony Entertainment breach, may nevertheless be changing attitudes in that region, while the results point to the fact that ASEAN organizations have already recognized the threat.
Lastly, organizations in both areas are failing to protect data. Respondents in ASEAN reported the highest rate of "experiencing a data breach or failing a compliance audit in the last year" at 48%, exceeding even the U.S. at 44%. While it is fairly certain that the vast majority of these are compliance failures, this rate of compliance failure is troubling. Compliance has now become a good "baseline" for the protection of sensitive data. With the rapid evolution of threats, and the slow rate of change of compliance and regulatory standards, it's "advantage threats" against compliance.
Our recommendations? Much the same as you'll hear from analysts and industry pundits these days. No matter how good your defenses, plan for what you'll do when they are penetrated. Plan for a service provider, contractor, or typical employee-led breach. Add protections for data at the source level ... where it is stored, to alert you early on their entry, and to protect even when "the barbarians are inside the walls".