U.S. Federal IT Security Professionals: 90 Percent Report Agencies Vulnerable to Data Threats 61 percent experienced a data breach
2016 Vormetric Data Threat Report – U.S. Federal Government Edition
SAN JOSE, Calif. – March 24, 2016 – Thales eSecurity, a Thales company, and a leader in enterprise data protection for physical, virtual, big data, public, private and hybrid cloud environments, today announced the results of the U.S. Federal Government Edition of the 2016 Vormetric Data Threat Report (DTR). The report is issued in conjunction with analyst firm 451 Research, polling for the report features the responses of 1,100 senior IT security executives at large enterprises worldwide, including over 100 in U.S. Federal Government organizations. This edition of the fourth annual report extends earlier findings in the global report, and cloud, big data and IoT edition with findings based on the responses from IT security leaders in U.S. federal agencies, detailing their perceptions of threats to data, rates of data breach failures, data security stances and IT security spending plans. Critical findings:
- 90 percent feel vulnerable to data threats.
- 61 percent have experienced a past data breach, with nearly one in five indicating a breach in the last year.
- Skill shortages at 44 percent, and budgets at 43 percent, are identified as top barriers to adoption of better data security.
- In spite of news stories highlighting nation state hacking, the top external threat actors identified were cybercriminals at 76 percent, with nation state hackers a distant fourth at 47 percent.
- Bright spots include 58 percent increasing spending to offset threats to data, and 37 percent increasing spending on data-at-rest defenses this year.
Investing in defenses for the last war
“The results showed that Federal IT Security professionals are like generals fighting today’s wars with the weapons of yesterday,” said, Garrett Bekker, senior analyst information security, 451 Research. “As an example, spending intentions reflected a tendency to stick with what has worked in the past, such as network and endpoint security technologies that offer little help in defending against multi-stage attacks. Clearly, there’s still a big disconnect between what we are spending most of our security budget on and what’s needed to ensure that our sensitive data remains secure.”
- The top categories for increased spending over the next 12 months among U.S. government respondents were network defenses at 53 percent, followed by analysis and correlation tools at 46 percent.
- 60 percent of respondents believe network defenses are ‘very’ effective at safeguarding data, more than any other vertical and well above the U.S. average of 53 percent.
- With data-at-rest defenses the most effective tools for protecting data once other defenses have failed, these defenses were ranked last in terms of U.S. federal spending plans, with just 37 percent planning to increase their spending on data-at-rest defenses, compared to the U.S. average of 45 percent.
Compliance is still a driver – But compliance is not enough
Slow moving compliance standards consistently fail to stop today’s multi-level, multi-phase attacks. As we have learned from data theft incidents at companies that had reportedly met compliance mandates (such as Target), being compliant doesn’t necessarily mean you won’t be breached and have your sensitive data stolen. Yet 57 percent of U.S. federal respondents view meeting compliance requirements as a ‘very’ or ‘extremely’ effective way to protect sensitive data.
Skill shortages and budgetary constraints loom large in U.S. federal agencies
A perception of complexity was identified as the number one barrier to adopting data security more widely, selected by 51 percent of federal respondents. To some extent, this may be a misconception, as modern data security solutions no longer have the deployment and maintenance problems of older solutions that respondents may be familiar with.
Complex deployments also typically require significant staffing, and ‘lack of staff to manage’ came in as the second highest barrier at 44 percent. In addition, budgetary constraints received the highest ranking as a data security adoption barrier in the federal government sector at 43 percent, well ahead of more ‘wealthy’ verticals like financial services at 26 percent.
Top internal and external threats – Privileged users and Cybercriminals
The biggest internal threat actors identified were privileged users at 64 percent. As a result of their roles, these users typically have access to all the data associated with the systems and applications that they manage, unless encryption and access controls are used to limit their actions. Contractor accounts were a distant second at 43 percent.
Surprisingly, despite reports of attacks from Iran, North Korea and China against federal targets such as the IRS, Department of State and others, U.S. federal respondents ranked nation state hackers as the fourth ranked external threat at 47 percent, while cybercriminals held the top spot at 76 percent.
Cloud, Big Data and the Internet of Things (IoT) represent big challenges for the Fed
Cloud: Top concerns included security breaches or attacks at the service provider and increased vulnerabilities from a shared infrastructure, each with 70 percent of responses. Even so, 84 percent of U.S. federal respondents are planning on storing sensitive data in some form of public cloud environment (IaaS, PaaS or SaaS) within the next 12 months. Encrypting data and maintaining local control over keys was the number one factor that would increase federal respondents’ willingness to use public cloud, at 47 percent of responses.
Big Data: 56 percent of respondents were planning to store sensitive data within these environments, but few were worried. Only 15 percent regard big-data implementations as presenting a top three risk for loss of sensitive information.
IoT: Security concerns seem to reflect IoT’s early stage of adoption. Securing sensitive data generated by IoT devices was the primary concern for respondents at 35 percent, followed by the loss or theft of IoT devices at 29 percent.
U.S. federal agencies are doing many of the right things—they just need to do more
A number of positive results from respondents indicate that U.S. federal agencies are taking steps in the right direction to recognize and deal with the problem.
- 58 percent are increasing spending to protect sensitive data.
- 37 percent of U.S. federal respondents plan to invest in data-at-rest defenses this year.
- 48 percent are looking to implement data security to follow industry best practices.
- Many are planning to implement ‘newer’ security tools that are more effective at protecting data even when other defenses have been compromised. These include cloud security gateways (40 percent), application encryption (34 percent), data masking (31 percent) and tokenization (27 percent).
“Albert Einstein’s oft-used quote is fitting – if doing the same thing over and over and expecting a different result isn’t the definition of insanity, it is certainly a recipe for placing our nation’s critical assets at risk,” said Vice President of Marketing for Thales eSecurity, Tina Stewart. “Public sector organizations need to realize that doing more of the same won’t help us achieve an improved data security posture. More attention must be paid to techniques that protect critical information even when peripheral security has failed, and data-at-rest security controls such as encryption, access control, tokenization and monitoring of data access patterns are some of the best ways to achieve this.”
The research report is available from Thales eSecurity and can be found here.
About 451 Research
451 Research is a preeminent information technology research and advisory company. With a core focus on technology innovation and market disruption, we provide essential insight for leaders of the digital economy. More than 100 analysts and consultants deliver that insight via syndicated research, advisory services and live events to over 1,000 client organizations in North America, Europe and around the world. Founded in 2000 and headquartered in New York, 451 Research is a division of The 451 Group.
About Vormetric, a Thales company
Thales eSecurity’s comprehensive high-performance data protection platform helps companies move confidently and quickly. Our seamless and scalable platform is the most effective way to protect data wherever it resides—any file, database and application, in any server environment. Advanced transparent encryption, powerful access controls and centralized key management let organizations encrypt everything efficiently, with minimal disruption. Regardless of content, database or application—whether physical, virtual or in the cloud—Vormetric Data Security enables confidence, speed and trust by encrypting the data that builds business. Vormetric Data Security was recently acquired by Thales Group and is now a Thales company.
Thales is a global technology leader for the Aerospace, Transport, Defence and Security markets. With 62,000 employees in 56 countries, Thales reported sales of €14 billion in 2015. With over 22,000 engineers and researchers, Thales has a unique capability to design and deploy equipment, systems and services to meet the most complex security requirements. Its exceptional international footprint allows it to work closely with its customers all over the world.
Positioned as a value-added systems integrator, equipment supplier and service provider, Thales is one of Europe’s leading players in the security market. The Group’s security teams work with government agencies, local authorities and enterprise customers to develop and deploy integrated, resilient solutions to protect citizens, sensitive data and critical infrastructure.
Drawing on its strong cryptographic capabilities, Thales is a global leader in data protection and one of the world leaders in cybersecurity products and solutions for defence, critical infrastructure and telecommunication operators, industrial and financial companies. Covering the entire cybersecurity chain, Thales offers a comprehensive range of services and solutions that includes: cybersecurity consulting and testing, cyber-secured software centric system design / development / integration and certification, provision and through-life management of data protection products and services, secured IT outsourcing and cloud computing solutions, as well as managed security services based on our network of Security Operation Centers in France, the United Kingdom and the Netherlands.
Thales eSecurity Media Relations
Thales Media Relations – Security
+33 (0)1 57 77 90 89
Thales eSecurity Media Relations
+44 (0)1223 723612