Last updated: 07 June 2016
Update: Check out my post on the Data Security Confidence Index 2016 results to see the latest findings.
For the new Data Security Confidence Index (DSCI), Gemalto surveyed 900 IT decision makers to assess how confident they are in their companies’ abilities to prepare for and respond to a data breach as well as protecting customers’ sensitive data. In short, are they prepared to secure data from the edge to the core? In anticipation of the fast-approaching RSA Conference 2015, Gemalto announced the DSCI results today. Here are some highlights:
Take a look at some of the data breach stats from 2014:
- 1514 data breaches
- 1,023,108,267 data records stolen
- 55% of the breaches originated from malicious outsiders
In the infosec world, we’ve seen an increase in large-scale breaches, turning victims out of brands that are household names entrusted with customers’ sensitive data. Despite this, we’ve yet to see many companies dramatically change infosec tactics.
They continue to try to build walls around data with perimeter security rather than relying more heavily on data security to prepare for what happens when a cybercriminal scales those walls. The 2015 DSCI shows the pattern of infosec insanity – doing the same thing over and over again and expecting data to remain safe – hasn’t changed.
Over the past five years, 90% of respondents’ organizations have increased their perimeter security investment. Over the next twelve months, around two thirds (64%) of respondents’ organizations plan to increase investment in current or planned perimeter security systems.
While 87% of respondents feel that their organizations’ perimeter security systems are effective at keeping out unauthorized users, 34% are not confident that data would be secure if unauthorized users penetrated their network perimeter.
They’re right not to be confident. There has been an increase in breaches over the last 12 months, with 30% of respondents’ organizations reporting that they have been breached in that timeframe. Three quarters of perimeter security breaches experienced by respondents’ organizations were from external sources (malicious outsider, hacktivist, and state sponsored).
Perhaps most eye-opening of all, nine in ten (90%) of respondents’ organizations whose perimeter security systems experienced a breach, suffered negative commercial consequences of the breach. Some of those consequences include:
- Delay in product development (31%)
- Decreased employee productivity (30%)
- Decreased customer confidence (28%)
- Negative press (24%)
- Delayed getting products to market (23%)
Customer Data Protection
In respondents’ organizations more budget (75%), resources (55%), and time (61%) is spent on protecting customer data than protecting the organization’s IP. Organizations are putting their customers’ data security first.
Unfortunately, 24% of respondents admit that they do not feel their organization has the security capabilities necessary to keep up with emerging threats and technologies, and 15% of IT decision makers surveyed would not trust their own organization to manage and store their personal data.
While that’s an improvement in confidence in organizations’ security capabilities over the 2014 DSCI results, it shows organizations still need to make widespread improvements in their security systems.
Finally, high-profile data breaches have driven 71% of respondents’ organizations to adjust their security strategy. As discussed above, however, the adjustment seems to be coming in the form of investing more in perimeter security – in building a bigger, stronger wall.
While breach prevention tools can still provide some value, it’s time to change the status quo and put more emphasis on protecting what cybercriminals are really after – the data.
I’m excited that this year’s RSA Conference theme is “Change: Challenge today’s security thinking,” as it shows that many infosec professionals are of a similar mindset. If you’ll be attending RSA, stop by the SafeNet booth, #3329, to discuss the Data Security Confidence Index as well as our three-step approach to breach preparation.