A majority of organizations equate IT security compliance with strong defense, and are thereby leaving their data exposed to cyber incidents through a false sense of security.
That is the conclusion of the 2016 Vormetric Data Threat Report, released today by analyst firm 451 Research and Vormetric, a leader in enterprise data security.
The fourth annual report, which polled 1,100 senior IT security executives at large enterprises worldwide, details the rates of data breach and compliance failures, perceptions of threats to data, data security stances and IT security spending plans. The study looked at physical, virtual, big data and cloud environments.
The bad news: 91 percent of organizations leave themselves vulnerable to data threats by taking no IT security measures beyond what industry standards or government regulation require.
“Critical findings illustrate organizations continue to equate compliance with security in the belief that meeting compliance requirements will be enough, even as data breaches rise in organizations certified as compliant,” noted Garrett Bekker, senior analyst, enterprise security, at 451 Research and the author of the report. “Investments in IT security controls were also shown to be misplaced, as most are heavily focused on perimeter defenses that consistently fail to halt breaches and increasingly sophisticated cyberattacks.”
Bekker stressed that “Compliance does not ensure security. As we learned from data theft incidents at companies that had reportedly met compliance mandates (such as Anthem, Home Depot and others), being compliant doesn’t necessarily mean you won’t be breached and have your sensitive data stolen.”
This message seems to be having a hard time getting through to many IT leaders.
“We found that organizations don’t seem to have gotten the message, with nearly two thirds (64%) rating compliance as very or extremely effective at stopping data breaches,” Bekker noted.
Among the study findings:
- Rates of data breaches are up, with 61% having experienced a breach at some point (22% within the last year, and 39% in a previous year)
- 64% believe compliance is very or extremely effective at preventing data breaches, up from 58% last year
- At 46% overall, compliance was also the top selection for setting IT security spending priorities. Industries particularly focused on compliance include healthcare (61%) and financial services (56%) organizations
“Organizations are also spending ineffectively to prevent data breaches, with spending increases focused on network and endpoint security technologies that offer little help in defending against multi-stage attacks,” added Bekker. “It’s no longer enough to just secure our networks and endpoints.”
The report also finds significant differences in the primary drivers for data security strategies around the world:
- Compliance requirements were top drivers in the U.S. (54%), Australia (51%) and
- In Japan, requirements from business partners, customers or prospects were the highest
- Reputation and brand protection were the most important spending drivers in the U.K. (50%) and Mexico (58%)
Some of the greatest differences identified were in organizations' planned spending increases on data-at-rest defenses, which Bekker described as the most effective solutions for protecting data from multi-phase, multi-layer attacks. These differences suggest again that many organizations are less concerned with preventing data breaches than with checking the compliance box, he said.