Oh, my, just the start of the year and here’s some depressing reading for you. Thales, along with analyst firm 451 Research has just released the results of the global edition of their Data Threat Report and, not to put too fine a point to it, it makes for horrid reading.

The context of the report is, of course, the ever-increasing tendency for organizations to leverage digital technologies to gain and maintain a competitive edge. That’s all good, and those of us in the technology industry would be happy to see our wares helping them compete. But alas the flip side of that is that these organizations, often times less than IT-savvy, are taking some big risks.

The first finding and the headline for the report is alas a meaningless metric. “94% of organizations use cloud, IoT and other transformative technologies” the report screams. Which, of course, means very little without some context of how, where, the degree of spread within the organization.

Critiques aside, however, there are some interesting findings in the report. Diving into the details, Thales found that:

  • 42% of organizations use more than 50 SaaS applications, 57% use three or more IaaS vendors, and 53% use three or more PaaS environments
  • 99% are using big data
  • 94% are implementing IoT technologies
  • 91% are working on or using mobile payments

With much power, comes much responsibility

But all of this excitement about the value that new technologies can bring has a flipside. This rush to embrace new environments has created more attack surfaces and new risks for data that need to be offset by data security controls. The extent and impact of increased threats are most clearly shown in levels of data breaches and vulnerability:

  • In 2018, 67% of respondents were breached, with 36% breached in the last year – a marked increase from 2017, which saw 26% breached in the last year
  • Consequently, 44% of respondents feel “very” or “extremely” vulnerable to data threats

SecOps behind the ball

And if you thought that the SecOps folks have this sorted, and we’re all good, you’d be wrong. While times have changed with respect to technological advancements, security strategies have not – in large part because spending realities do not match up with what works best to protect data:

  • 77% of respondents cite data-at-rest security solutions as being most effective at preventing breaches, with network security (75%) and data-in-motion (75%) following close behind
  • Despite this, 57% of respondents are spending the most on endpoint and mobile security technologies, followed by analysis and correlation tools (50%)
  • When it comes to protecting data, the gap between perception and reality is apparent, with data-at-rest security solutions coming in at the bottom (40%) of IT security spending priorities

Is encryption the answer?

Well, at least organizations are starting to think about the issues, if not act upon them. This disconnect between where money is being spent and what actually works in this new age of cybersecurity is also reflected in organizations’ attitude towards encryption. While spending decisions don’t reflect its popularity, respondents still express a strong interest in deploying encryption technologies:

  • 44% cite encryption as the top tool for increased cloud usage
  • 35% believe encryption is necessary to drive big data adoption – only three points behind the top perceived driver, identity technologies (38%), and one point behind the second (improved monitoring and reporting tools, at 36%)
  • 48% cite encryption as the top tool for protecting IoT deployments and 41% as the top tool for protecting container deployments
  • In addition, encryption technologies top the list of desired data security purchases in the next year, with 44% citing tokenization capabilities as the number one priority, followed by encryption with “bring your own key” (BYOK) capabilities
  • Encryption is also cited as the top tool (42%) for meeting new privacy requirements such as the European Union General Data Protection Regulation (GDPR)

MyPOV

New technologies and new ways of working produce a parallel requirement to change the way we protect data. All of the focus on digital transformation is creating new risks and ways that bad folks can attack organizations. Security strategies need to change to better meet these new requirements. Bottom line is that security practitioners, and security strategies need to be as dynamic as the user-facing IT assets they’re designed to protect. At the moment they’re not and that’s a risk.

Of course, many security practitioners will use this research to justify battening down the hatches and delivering a more controlled and prescriptive security stance. That, of course, is problematic as the very reason that organizations are deploying digital transformation is that it is a core requirement of their success and survival. Sorry security pros, the ball is in your court and you need to change things.

Ben Kepes

Ben Kepes is a technology evangelist, an investor, a commentator and a business adviser. Ben covers the convergence of technology, mobile, ubiquity and agility, all enabled by the Cloud. His areas of interest extend to enterprise software, software integration, financial/accounting software, platforms and infrastructure as well as articulating technology simply for everyday users.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.