The 2017 Thales Data Threat Report was published last week. It was compiled by 451 Research for Thales eSecurity. Based on a survey of more than 1,100 senior security executives all over the world, it found that nearly three-quarters (73%) of respondents say they are increasing spending on cyber security in the next year. That is up from 58% reporting increases last year. You can download the entire report here.
It’s certainly good news that businesses are spending more on security, since that indicates more of them recognize its importance. But I think the report otherwise offers four big pieces of bad news.
- Breaches are on the increase. Last year, 21.7% of respondents said they had suffered a data breach in the past year. This year, 26.1% said they had. Organizations reporting that they had been breached “at some time in the past” were at 67.8%, up from last year’s 61.1%. I think we can assume from this that the threats to data security are on the increase.
- We’re buying security for the wrong reasons. The primary reason for spending on data security, reported by 44% of respondents, is “Compliance.” This is despite fewer than two-thirds of them (59.5%) reporting that compliance requirements are “very or extremely effective.” Only 38% reported that their security spending is meant to implement security best practices. It was the second most reported reason, but these numbers nevertheless suggest that most businesses spend on security because they are required to and not necessarily because they are committed to protecting their data.
- Organizations are not prepared. The report describes the result of a new survey question: “63% of respondents to a new question in this year’s survey indicated that their organizations deploy new technologies in advance of having appropriate levels of data security in place.” In other words, nearly two-thirds of respondents are rolling out unprotected technologies and leaving security as an afterthought.
- Training still takes a back seat. The word “train” does not appear anywhere in the 20-page report. Here is what it says about the security skills shortage: “The lack of skilled security staff has been a consistent theme in 451’s research efforts the past few years, and in conjunction with complexity, makes a strong case for data security functionality delivered as a service, particularly those functions that are perceived to be labor intensive and require substantial resources and expertise to keep up and running, such as encryption key management or DLP.”
“A strong case for data security functionality delivered as a service” reflects the same mindset that makes so many companies vulnerable. If you believe that security is simply something provided by security professionals, you’re never going to be safe. The attackers are constantly searching for employees who will let them in, and every day they get better at it. That means security is everybody’s job. Everyone in the organization needs to know how to browse the web safely, use email securely, use social networking securely, and use cloud services securely.
If you have any concerns about your organization’s vulnerability, the Logical Operations CyberSAFE Readiness Test can help determine your particular users’ level of sophistication and vulnerability to attack. You can access the test at no charge. Contact us at +1.800.889.8350.