Today, we issued the final installment of the 2015 Vormetric Insider Threat report, adding results from Mexico and Brazil to our already released results from the U.S., U.K., Germany, Japan and the ASEAN region. As usual, we learned some things that we really weren't expecting.
One thing has become clear as we extended the survey to include more markets around the globe: no geography is free from concerns about these threats. Respondents from the U.S., U.K. and ASEAN had the highest rates of "very or extremely concerned", but all the regions that we surveyed showed high overall levels of "feeling vulnerable" to these threats. Just a note that insider threats aren't just employees or executives these days; they also include a host of service providers and partners that have access to networks or other corporate resources, whether inside firewalls or beyond them in cloud and other external environments. Last, the threat includes the compromise of these accounts by outside attackers, with privileged user roles that manage infrastructures as the primary targets.
An especially large variation came through in Brazil, however, which had the lowest rate worldwide of feeling very or extremely vulnerable. It's possible that Brazil does not require disclosure when a data breach occurs, whereas Mexico, the U.S. and other jurisdictions where people feel more vulnerable do have this requirement. What people aren't aware of, they don't worry about.
Another critical variation is in spending plans. While Brazil feels vulnerable at the lowest levels measured, they are increasing spending at the greatest rate measured in the survey. High spending plans may well be the result of the strict data residency requirements for personal data instituted in Brazil during the last few years, and the increased emphasis on compliance that organizations are encountering. A failing worldwide has been to rely on compliance requirements to safeguard data. But time after time, organizations that pass compliance audits are breached, with significant personal and financial data lost.
Compliance isn't effective because of the slow rate of change of standards and the limited scope of the remit. That is, only limited information sets are protected by a compliance standard, and because the standards change over the course of years while attacks morph minute by minute, the standards are less and less able to protect organizations.
Even so, organizations in Mexico and Brazil (as well as the U.S. and elsewhere) reported at fairly high levels that they failed a compliance audit or encountered a data breach in the last year; for Mexico, almost half (48%). This is especially troubling, given that meeting compliance requirements is only a starting point in creating an effective data security strategy.
Last, organizations in both Brazil and Mexico are confused about what to do about the problem. They are investing in additional spending, but not rating as more effective, or concentrating their spending in, the areas that will make the most difference: data-at-rest defenses and analytics. Time and again, organizations have encountered a breach even though they had the latest firewall, network and endpoint security controls in place. These controls are important, but organizations need to concentrate on protecting data as a first step to cutting their risk and exposure.
Read more detailed findings in our press release and the English/Spanish/Portuguese versions of the report.