Last updated: 16 May 2016
This post originally appeared on SafeNet’s The Art of Data Protection blog – now part of the Gemalto Digital Security blog.
It’s fitting that the theme for this year’s RSA Conference is “Change: Challenge Today’s Security Thinking,” because change is exactly what many corporate security programs need to do if they’re going to effectively safeguard their valuable data assets.
As the description of the conference theme points out, “the rules of information security are constantly changing with the age of the Internet and threats becoming more and more sophisticated.”
Security executives and programs should never be just about maintaining the status quo, turning to the same tried and true methods and technologies that have been around for years and in some cases decades. There’s no reason that information security can’t be innovative and that security executives shouldn’t be constantly on the lookout for better ways to do things or more effective technologies to explore.
Along those lines, it’s clearly time for organizations to stop focusing on just perimeter defenses and start emphasizing what’s really urgent: protecting the data itself. We call this shift in thinking “Secure the Breach,” which is about transforming the security mindset from one of breach prevention to securing the very assets the attackers are going after.
Companies have been using breach prevention tactics as the foundation of their security strategies for some time. But it’s clear that this approach has failed to stop the data breach epidemic. Consider all the high-profile—and many lesser known—attacks that have occurred recently.
According to the Gemalto 2014 Breach Level Index Report, data breaches totaled 1,574 in 2014, up 49% from the 1,056 in 2013. Even more dramatic was the increase in data records involved in the breaches. That jumped 78%, from about 575 million in 2013 to more than one billion in 2014.
Despite the frequent failure of the guard-the-perimeter strategy, organizations continue to invest a huge share of their security budgets in this area. To some degree they’re stuck in a bygone era when sensitive data was kept in a centralized data center, and the “edge” of the enterprise was typically a desktop PC in a known location.
In those days, network firewalls and other perimeter “breach-prevention” tools were effective enough in keeping hackers away from corporate information. But those days are over. Data is now distributed well beyond the walls of the enterprise, on numerous mobile devices and often in multiple cloud services. Put simply, the perimeter is dead – and so is data breach prevention for that matter.
Hackers and other attackers pose a constant threat to these widely dispersed information resources, and organizations clearly need to change their thinking when it comes to information security planning and execution.
Secure the Breach challenges the prevalent security thinking by focusing on the protection of data, through the strong use of technologies such as authentication, encryption and key management.
To be sure, there’s nothing wrong with companies deploying network perimeter security tools, because they provide a layer of protection and can be a key component of a security-in-depth strategy. But many organizations have come to rely on these technologies as the foundation of their security strategy. That’s a recipe for trouble, as we’ve seen.
A global study just released by Gemalto shows that there’s clearly a need for securing data more effectively than just guarding the perimeter. The report, Data Security Confidence Index, shows that while 87% of 900 IT decision-makers surveyed worldwide consider perimeter security effective at keeping out security threats, 34% are not confident that their organization’s data would be protected should a data breach occur. In addition, 30% admitted that their organization had suffered a data breach in the past 12 months – another proof point that breach prevention cannot stop cybercriminals.
Despite this reality, 64% of the respondents said their organization plans to increase their investments in perimeter security. And yet three out of every five (62%) said they are no more confident than they were this time last year in the security industry’s ability to defend against emerging security threats.
That last finding kind of sums up the problem in a succinct way: Many executives don’t feel confident that perimeter security can stop the rising tide of data breaches, yet they continue to use it as the foundation of their organization’s information security posture.
That sounds like the definition of insanity, and it certainly sounds like it’s time for a change in the way companies think about security. It’s good, finally, that this year’s RSA Conference has a theme with real relevance to an issue that needs serious debate.