A vast majority of companies report feeling vulnerable to data breaches and security threats, according to a recent report published by a data security provider and information technology advisory company. It is predicted that companies are planning on spending more than ever before to protect themselves in 2018.
The report, published by Thales eSecurity and 451 Research, summarizes the surveyed responses of more than 1,200 senior security executives employed in the U.S., U.K., Germany, Japan, Sweden, the Netherlands, Korea, and India. Of these respondents, more than one-third had major influence on security decision-making, and nearly half had sole decision-making authority.
The number of data breaches nearly doubled in 2017, with 46 percent of U.S. respondents reporting that they experienced a data breach in the past year, as compared to 24 percent in 2016. More than one-third of the global respondents reported having experienced a data breach in 2017. Citing a fear of financial penalties, 78 percent reported plans to increase spending on data security and IT in 2018, including nearly 86 percent of U.S. respondents.
In light of the increasing number of data breaches, it is perhaps not surprising that 91 percent of global respondents reported feeling vulnerable to security threats and attacks going forward. Companies most frequently cited “privileged user” attacks as the top threat they fear (privileged users being those persons within a company who are given unfettered access to data and IT systems), with cybercriminals the second most frequently cited threat.
The report notes that although securing data-at-rest—namely data that is archived and accessed infrequently—was perceived by most respondents as being the most effective method of data defense, most respondents planned on spending more money on defense aimed at protecting the network when accessed by devices remotely, otherwise known as endpoint security.
Notably, most respondents perceived endpoint security defense as being the least effective means of data defense. Thus, it appears that although companies are aware that unsecured data at rest exposes them to significant threat and liability, they are not devoting resources in a way that reflects this awareness. This may be in part due to the perceived complexity and effects of implementing such changes. The report notes that 43 percent of global respondents cite the complexity of data as being the main barrier to data security. Further, nearly 42 percent of global respondents cited concerns about performance and the impact of implementation on business process as being the largest barrier.
Compliance versus Security
The report states that nearly 64 percent of respondents reported feeling that compliance with relevant laws is an effective means of preventing security threats. Yet, the report notes, while compliance with existing laws may be helpful, compliance will not prevent data breaches because regulations are generally reactive. Conversely, data and security threats and vulnerabilities continue to change and evolve at a far more rapid pace. The increase in the number of breaches is likely demonstrative of this, as it appears that one-third of the respondents still experienced data breaches in 2017 (assuming those respondents were in compliance with the relevant regulations).
Respondents to the survey represented a number of industries, including automotive, energy, government, financial services, healthcare, IT, manufacturing, retail, and telecommunications.
The 2018 Thales Data Threat Report-Global Edition can be downloaded here.