2016 Vormetric Data Threat Report Finds 91% of Global Organizations Feel Vulnerable to Data Threats
Enterprises and Governments focusing on compliance ahead of breach prevention; investing in technologies that do not prevent data breaches
SAN JOSE, Calif. – Jan. 21, 2016 – Vormetric, a leader in enterprise data security for physical, virtual, big data and cloud environments, today announced the results of its 2016 Vormetric Data Threat Report, issued in conjunction with analyst firm 451 Research. The fourth annual report, which polled 1,100 senior IT security executives at large enterprises worldwide, details rates of data breach and compliance failures, perceptions of threats to data, data security stances and IT security spending plans.
Critical findings illustrate that organizations continue to equate compliance with security in the belief that meeting compliance requirements will be enough, even as data breaches rise in organizations certified as compliant. Investments in IT security controls were also shown to be misplaced, as most are heavily focused on perimeter defenses that consistently fail to halt breaches and increasingly sophisticated cyberattacks.
“Compliance does not ensure security,” said Garrett Bekker, senior analyst, enterprise security, at 451 Research and the author of the report. “As we learned from data theft incidents at companies that had reportedly met compliance mandates (such as Anthem, Home Depot and others), being compliant doesn’t necessarily mean you won’t be breached and have your sensitive data stolen. But we found that organizations don’t seem to have gotten the message, with nearly two thirds (64%) rating compliance as very or extremely effective at stopping data breaches.”
- Rates of data breaches are up, with 61% experiencing a breach in the past (22% within the last year, and 39% in a previous year)
- 64% believe compliance is very or extremely effective at preventing data breaches, up from 58% last year
- At 46% overall, compliance was also the top selection for setting IT security spending priorities. Industries particularly focused on compliance include healthcare (61%) and financial services (56%)
“Organizations are also spending ineffectively to prevent data breaches, with spending increases focused on network and endpoint security technologies that offer little help in defending against multistage attacks,” added Bekker. “It’s no longer enough to just secure our networks and endpoints.”
- 78% rate network defenses as very or extremely effective at preventing data breaches
- 62% also rated endpoint and mobile defenses very or extremely effective for data breach prevention
- Increases in spending on data‐at‐rest defenses (39%) have declined from last year (47%)
- Tools that are less effective at preventing data breaches have seen the heaviest spending increases, such as network defenses (48%) and endpoint or mobile (44%)
“There are significant concerns about how enterprises and federal government agencies are safeguarding confidential citizen, customer and company information,” said Tina Stewart, vice president of global marketing for Vormetric. “Organizations seem to be in denial about the risk, and are relying on tools that consistently fail against today’s multi‐layer attacks rather than adding a stronger emphasis on protecting data and valuable customer information. Data security technologies such as encryption, access controls, tokenization, data masking and data access monitoring can even enable new business models and cost structures, making it possible to securely use cloud, big data and IoT technologies that would otherwise be too risky to implement.”
The report also finds significant differences in the primary drivers for data security strategies around the world:
- Compliance requirements were top drivers in the U.S. (54%), Australia (51%) and Germany (47%)
- In Japan, requirements from business partners, customers or prospects were the highest priority (50%)
- Reputation and brand protection were the most important spending drivers in the U.K. (50%) and Mexico (58%)
Some of the greatest differences identified were in organizations’ planned spending increases on data‐at‐rest defenses, the most effective solutions for protecting data from multi‐phase, multi‐layer attacks. These differences suggest again that many organizations are less concerned about preventing data breaches than they are with checking the compliance box. Reported planned increases in data‐at‐rest defense spending, by country, were:
- Brazil – 48%
- U.S. – 45%
- Mexico – 40%
- Germany – 37%
- U.K. – 34%
- Australia – 29%
- Japan – 20%
Perceptions of risk from cloud and privileged insiders continued to increase around the globe from last year, while the perception of risk from mobile devices decreased as organizations started to recognize that relatively small volumes of sensitive data reside on these devices.
- 63% believe privileged users are the most dangerous insiders, an increase from the rate of 57% measured last year
- 44% consider cloud environments a “top three” risk for loss of sensitive data, up from 40% the previous year
- Perceptions of risk from big data implementations dropped from 25% last year to 20% this year
With the Internet of Things (IoT) a new area for the vast majority of enterprises, few seemed to recognize the risks posed by the mountains of personal data being collected by connected IoT devices, with only 17% recognizing it as a top three risk for loss of sensitive data.
As detailed in the report, organizations need to realize that continuing to invest in “business as usual” IT security tools is no longer enough to protect critical data. A strong focus on data security must be added to create a comprehensive security strategy that can protect sensitive information. Organizations can make immediate improvements by:
- Making more extensive use of encryption and access controls as a first line of defense for data‐at‐rest (locally in the data center, in cloud, big data and IoT environments) and considering an “encrypt everything” strategy
- Avoiding the complexity and high costs of implementing multiple data security solutions by selecting data security platform offerings that address a variety of use cases, emphasize ease-of-use and offer encryption, enterprise key management, access control and security intelligence
- Implementing security analytics and multi‐factor authentication solutions to help identify threatening patterns of data use and to reduce unauthorized access risks
The data in this study is based on Web and phone interviews of 1,114 senior executives in Australia, Brazil, Germany, Japan, the U.K. and the U.S. Most have a major influence on or are the sole decision maker for IT at their respective companies.
Respondents represented the following industries: automotive; education; energy; engineering; federal government; healthcare; IT; retail; and telecommunications.
About 451 Research
451 Research is a preeminent information technology research and advisory company. With a core focus on technology innovation and market disruption, we provide essential insight for leaders of the digital economy. More than 100 analysts and consultants deliver that insight via syndicated research, advisory services and live events to over 1,000 client organizations in North America, Europe and around the world. Founded in 2000 and headquartered in New York, 451 Research is a division of The 451 Group.
Vormetric’s comprehensive high‐performance data security platform helps companies move confidently and quickly. Our seamless and scalable platform is the most effective way to protect data wherever it resides—any file, database and application in any server environment. Advanced transparent encryption, powerful access controls and centralized key management let organizations encrypt everything efficiently, with minimal disruption. Regardless of content, database or application—whether physical, virtual or in the cloud—Vormetric Data Security enables confidence, speed and trust by encrypting the data that builds business.
Quote Sheet: 2015 Vormetric Insider Threat Report Partners
“The Cloud Security Alliance is dedicated to helping organizations make safe use of cloud computing environments,” said Jim Reavis, CEO of Cloud Security Alliance. “The report clearly illustrates that organizations still feel at risk from their cloud and SaaS implementations, illustrating the need for education and best practices that enable them to safely benefit from their cloud‐based resources.”
“At Executive Mosaic we focus on connecting government and private sector leaders to the benefit of both. Our community sees the safety of citizen and other government data as a critical topic,” said President Jim Garrettson of Executive Mosaic. “Results from the report highlight the vulnerability of government and private sector organizations to cyber threats, and the need for the tools and relationships that can help to protect their sensitive data.”
“OASIS is dedicated to driving the development and adoption of open standards, and in supporting the safe adoption of cloud, IoT, big data and other new technologies,” said Carol Geyer, senior director, OASIS. “The report clearly shows the need for organizations to feel secure in their use of sensitive data both within their data centers, and within new technology environments, suggesting the need for standards that support this goal.”
“As organizations undergo digital transformation and their architectures continue to evolve to include cloud, IoT and mobile, the risk of exposing data is growing exponentially. To secure information in all its forms, data in use, data in transit and data at rest, organizations must focus on protecting their most sensitive data through encryption and encryption technologies,” said Peter Galvin, vice president strategy at Thales e‐Security. “The report highlights the struggles that organizations are encountering as they cope with these changes, and make decisions about where to invest to protect their environments, customers and sensitive information.”
Thales recently signed a definitive agreement to acquire Vormetric which, when completed, will extend Thales’ data protection and key management solutions to further protect enterprises against cybersecurity threats.