A few weeks ago, we issued the Global Edition of our 2019 Thales Data Threat Report, now in its seventh year. This year much of the emphasis within the results was on how digital transformation can put organizations’ sensitive data at risk. The results showed, for instance, that almost every organization surveyed is dealing with digital transformation at one level or another (97%), and that organizations that are aggressively investing in digital transformation had higher rates of data breaches.
But it can’t be a surprise that organizations in a headlong drive to survive or succeed may shave a few corners when getting to market is a life or death priority – that’s my personal view. An alternative is that perhaps those investing heavily in digital transformation are more sophisticated, and therefore better at detecting breaches than less innovative organizations.
I have to disagree with this alternative view. When I think about adoption of new tech, I tend to think of organizations in terms of leading adopters and lagging adopters. Typically, the laggards in adopting new technologies have been those biased toward the lowest risks, and that heavily emphasize using secure and proven approaches to new deployments. That doesn’t make them less sophisticated about securing the infrastructure that they have.
In addition to results of this sort that represent what you might expect, there were a number of items in the survey that you might find quite surprising.
Let’s talk about breach rates first. Although we still hear a near daily cadence of data breaches taking place:
- Protecting against them isn’t an IT security spending priority.
Best practices and compliance won out – with avoiding data breach penalties and past data breaches only one level up from the bottom of the list. - What was the top barrier to deploying more data security? Why aren't people using more?
This year was no different from the last several years – Respondents PERCEIVE that complexity is the top problem. Not budget, not resources, not lack of support - but a perception of complexity. (Just a short commercial - At Thales, we’re good at making this complexity go away with great solutions – It’s what we do!) - IT security spending increases are leveling out.
79% were increasing IT security spending last year, but only 50% this year. And as the report points out – these budgets now have to be stretched across many more environments than in the past. It’s no longer just data center applications – cloud implementations, big data, IoT, mobile payments, containers and blockchain are on the list for implementation by year end for 80%+ deployment in each category. Those IT security dollars are going to have to go a long way.
No surprise then that ….
- If you are rushing to market with new technologies
- If you believe that using data security is hard and complex, so you aren’t deploying it
- If preventing data breaches is at the bottom of your IT security spending priority list
- And if your budget isn’t increasing at the rate it did a few years ago You are going to have data breaches
The data bears this out. Of organizations that had a data breach in the last year –50% had a data breach at another time. Let’s think about that – if an organization has had a past breach, it’s an even chance that they’ll have another one. That also makes me think that consumers doing business with these organizations should reconsider, and opt out where possible to loyalty programs and apps.
And organizations really do think that they are deploying safely – 66% said that their digital transformation initiatives are very or extremely secure. Yet at the same time, only 30% or less are using basic data security best practices within these environments – by using data encryption. Clearly, we aren’t there yet.
The Good News
With all this negative news, what are organizations getting right?
- In our results for the first time, respondents recognized that data security is now an equivalent to network/end point and application security in importance, rating each at roughly similar levels of priority. That’s a positive change that has been a long time coming.
- Those new data privacy regulations like those in Europe (the GDPR), California and New York are having an effect – Most organizations are planning to meet their requirements with encryption and tokenization. Good move.
- Even though data security tools may be low on the IT security spending priority list, 80% of organizations say they will have at least started deployment of just about every category of data security tool by years end. These results might be for only limited implementations, or may even be wishful thinking, but the change is a big step in the right direction.