Most organizations equate IT security compliance with actual strong defense, and are thus have a false sense of security, leaving their data at risk for cyber incidents.
That is the conclusion of the 2016 Vormetric Data Threat Report, released this week by analyst firm 451 Research and Vormetric, a firm that offers data security services.
The fourth annual report, which polled 1,100 senior IT security executives at large enterprises worldwide, details the rates of data breach and compliance failures, perceptions of threats to data, data security stances and IT security spending plans. The study looked at physical, virtual, big data and cloud environments.
The bad news: 91 percent of organizations are vulnerable to data threats by not taking IT security measures beyond what is required by industry standards or government regulation.
“Critical findings illustrate organizations continue to equate compliance with security in the belief that meeting compliance requirements will be enough, even as data breaches rise in organizations certified as compliant,” noted Garrett Bekker, senior analyst of enterprise security, at 451 Research and the author of the report.
“Investments in IT security controls were also shown to be misplaced, as most are heavily focused on perimeter defenses that consistently fail to halt breaches and increasingly sophisticated cyberattacks,” Bekker added.
He also stressed that “Compliance does not ensure security. As we learned from data theft incidents at companies that had reportedly met compliance mandates (such as Anthem, Home Depot and others), being compliant doesn’t necessarily mean you won’t be breached and have your sensitive data stolen.”
This message seems to be having a hard time getting through to many IT leaders, according to research included in the report.
“We found that organizations don’t seem to have gotten the message, with nearly two thirds (64 percent) rating compliance as very or extremely effective at stopping data breaches,” Bekker noted.
Among the study findings:
- Rates of data breaches are up, with 61 percent of respondents experiencing a breach in the past (22 percent within the last year, and 39 percent in a previous year)
- 64 percent believe compliance is very or extremely effective at preventing data breaches, up from 58 percent last year
- At 46 percent overall, compliance was also the top selection for setting IT security spending priorities. Industries particularly focused on compliance include healthcare (61 percent) and financial services (56 percent) organizations
“Organizations are also spending ineffectively to prevent data breaches, with spending increases focused on network and endpoint security technologies that offer little help in defending against multi-stage attacks,” Bekker added. “It’s no longer enough to just secure our networks and endpoints.”
The report also finds significant differences in the primary drivers for data security strategies around the world:
- Compliance requirements were top drivers in the U.S. (54 percent), Australia (51 percent) and Germany (47 percent)
- In Japan, requirements from business partners, customers or prospects were the highest priority (50 percent)
- Reputation and brand protection were the most important spending drivers in the U.K. (50 percent) and Mexico (58 percent)
Some of the greatest differences identified were in organizations planned spending increases on data-at-rest defenses, the most effective solutions for protecting data from multi-phase, multi-layer attacks, Bekker explained. These differences suggest again that many organizations are less concerned about preventing data breaches than they are with checking the compliance box, he suggested.
Register or login for access to this item and much more
All Health Data Management content is archived after seven days.
Community members receive:
- All recent and archived articles
- Conference offers and updates
- A full menu of enewsletter options
- Web seminars, white papers, ebooks
Already have an account? Log In
Don't have an account? Register for Free Unlimited Access