90 Percent of IT Security Pros in Financial Services Feel Vulnerable to a Data Breach, 44 Percent already Experienced One
Spending to protect data increasing, but concentrated in least effective security controls
2016 Vormetric Data Threat Report – Financial Services Edition
SAN JOSE, Calif. – May 12, 2016 – Thales eSecurity, a Thales company, and a leader in enterprise data protection for physical, virtual, big data, and cloud environments, today announced the results of the Financial Services Edition of the 2016 Vormetric Data Threat Report (DTR). The report is issued in conjunction with analyst firm 451 Research, reporting responses from 1,100 senior IT security executives at large enterprises worldwide, including over 100 in U.S. financial services organizations. This edition of the fourth annual report extends earlier findings of the global report, focusing on responses from IT security leaders in financial services, and details IT security spending plans, perceptions of threats to data, rates of data breach failures and data security stances.
“Something doesn’t add up in the plans of financial services organizations for protecting data,” said Garrett Bekker, senior analyst, information security, at 451 Research and the author of the 2016 Vormetric Data Threat Report. “Spending to protect data is increasing fastest in areas that have been shown to be ineffective at protecting against multi-stage attacks - Network defenses (65 percent) and end point and mobile device defenses (58 percent) - still see the highest increase in spending, while approaches like data-at-rest defenses that have been proven to be effective at protecting data after perimeter defenses have been bypassed, are at the bottom (48 percent).”
Other key findings:
- 90 percent feel vulnerable to data threats
- 44 percent have already experienced a data breach, with nearly one in five (19 percent) indicating a breach in the last year
- At 56 percent, meeting compliance requirements was the top IT security spending priority, but preventing data breaches at 50 percent and best practices, also at 50 percent, were close followers
- Complexity at 68 percent, and lack of staff at 35 percent, are identified as top barriers to adoption of better data security
- Bright spots include 70 percent increasing spending to offset threats to data and 48 percent increasing spending on data-at-rest defenses this year
Top external and internal threat actors
As the primary repositories and conduits of the world’s financial data, financial services enterprises have always known that they are a primary target for cybercriminals and malicious insiders. Unsurprisingly, the top external threat actors identified were cybercriminals, a top selection for 42 percent of respondents, and a top three selection for 88 percent. The top internal threat actors identified were privileged users, a top three selection for 68 percent of respondents. Privileged user accounts typically have access to all the resources and systems they manage, unless restrained by additional security controls, and their accounts are primary targets for compromise in cyberattacks.
Compliance continues to drive financial services organizations – But compliance is not enough
With adherence to a myriad of regulations and compliance required to do business, it’s no surprise that IT security professionals in financial services are focused on meeting these mandates. The top IT security spending priorities were:
- Compliance (56 percent)
- Data breaches (50 percent)
- Implementing security best practices (50 percent)
The problem? 66 percent view meeting compliance requirements as a ‘very’ or ‘extremely’ effective way to protect sensitive data, yet slow-moving compliance standards consistently fail to stop today’s multi-level attacks.
Big Data a big deal in financial services – Cloud usage and concerns are high
Big Data: Financial services reported the highest use of sensitive data within Big Data, with 59 percent of respondents planning to use sensitive data within these environments. In spite of this high level of use, only 33 percent regard Big Data implementations as presenting a top three risk for loss of sensitive information.
Cloud: Financial services organizations have high levels of concern about cloud usage, but nevertheless, 91 percent are using sensitive data within these environments. Top concerns include:
- Security breaches at the cloud provider level (75 percent)
- Increased vulnerabilities from shared infrastructure (72 percent)
Even so, 54 percent will use Software as a Service (SaaS) environments, 48 percent Infrastructure as a Service (IaaS) and 48 percent Platform as a Service (PaaS) resources within the next 12 months.
Encrypting data and maintaining local control over keys was the number one factor that would increase willingness to use public cloud, at 51 percent of responses.
Getting some things right
A number of positive results indicate that financial services organizations are taking steps in the right direction to recognize and deal with the problem.
- 70 percent are increasing spending to protect sensitive data
- 48 percent plan to invest in data-at-rest defenses this year
- 62 percent are looking to implement data security for brand and reputation protection
- Many are planning to implement ‘newer’ security tools that are more effective at protecting data even when other defenses have been compromised. These include tokenization (42 percent), application encryption (33 percent), Security Event and Information Management (SIEM) systems (29 percent) and privileged user access management (29 percent)
“Financial services organizations continue to feel the heat from cyber attackers,” said Tina Stewart, vice president of marketing for Thales eSecurity. “They are investing to help solve the problem, but surprisingly, are failing to connect the dots about the best solutions to use. With the world’s financial data in their custody, the most effective way to protect this information, once networks and systems are penetrated, is to enhance data protection investments.”
The research report is available from Thales eSecurity.
About 451 Research
451 Research is a preeminent information technology research and advisory company. With a core focus on technology innovation and market disruption, we provide essential insight for leaders of the digital economy. More than 100 analysts and consultants deliver that insight via syndicated research, advisory services and live events to over 1,000 client organizations in North America, Europe and around the world. Founded in 2000 and headquartered in New York, 451 Research is a division of The 451 Group.
About Vormetric, a Thales company
Thales eSecurity’s comprehensive high-performance data protection platform helps companies move confidently and quickly. Our seamless and scalable platform is the most effective way to protect data wherever it resides—any file, database and application, in any server environment. Advanced transparent encryption, powerful access controls and centralized key management let organizations encrypt everything efficiently, with minimal disruption. Regardless of content, database or application—whether physical, virtual or in the cloud—Vormetric Data Security enables confidence, speed and trust by encrypting the data that builds business. Vormetric Data Security was recently acquired by Thales Group and is now a Thales company.
Thales is a global technology leader for the Aerospace, Transport, Defence and Security markets. With 62,000 employees in 56 countries, Thales reported sales of €14 billion in 2015. With over 22,000 engineers and researchers, Thales has a unique capability to design and deploy equipment, systems and services to meet the most complex security requirements. Its exceptional international footprint allows it to work closely with its customers all over the world.
Positioned as a value-added systems integrator, equipment supplier and service provider, Thales is one of Europe’s leading players in the security market. The Group’s security teams work with government agencies, local authorities and enterprise customers to develop and deploy integrated, resilient solutions to protect citizens, sensitive data and critical infrastructure.
Drawing on its strong cryptographic capabilities, Thales is a global leader in data protection and one of the world leaders in cybersecurity products and solutions for defence, critical infrastructure and telecommunication operators, industrial and financial companies. Covering the entire cybersecurity chain, Thales offers a comprehensive range of services and solutions that includes: cybersecurity consulting and testing, cyber-secured software centric system design / development / integration and certification, provision and through-life management of data protection products and services, secured IT outsourcing and cloud computing solutions, as well as managed security services based on our network of Security Operation Centers in France, the United Kingdom and the Netherlands.