2018 thales data threat reportgo.thalesesecurity.com/rs/480-lwa-970/images/2018-data... ·...

#2018DataThreat

2018THALESDATA THREATREPORT

Trends in Encryption and Data Security

EUROPEAN EDITIONEXECUTIVE SUMMARY

2 2018 THALES DATA THREAT REPORT • EUROPEAN EDITION

In Europe, as in the rest of the world, reports of major security breaches continue unabated, despite global efforts to fight back with increased IT security spending. This suggests that either the attackers are managing to stay a step ahead of cybersecurity efforts – or worse, that the increased funding is not being deployed most effectively to counteract evolving threats and new compute environments. Regardless, doing what we have been doing for decades is no longer working. The more relevant question on the minds of IT and business leaders is: “What will it take to stop the breaches?”

THE TOPLINE

Data under siege across Europe

ENCRYPTION IS CRITICAL TO SOLVING DATA SECURITY PROBLEMS

Encryption drives digitally transformation and traditional data security

43% 37%48% 44%

Cloud:Data encryptionis the top tool

needed for more cloud use

Big Data: Encryption needed to enable greater usage of big data

IoT:Encryption the

top tool neededto increase

IoT adoption

Containers: Availability

of encryption increases adoption

DATA BREACHES ARE THE NEW REALITY DIGITAL TRANSFORMATION EXPANDS DATA THREAT LANDSCAPES

—Garrett Bekker, 451 Research Principal Analyst, Information Security

“AS ORGANISATIONS INCREASINGLY ENGAGE WITH MULTIPLE CLOUD PROVIDERS, WHO MAINTAINS CONTROL OVER ENCRYPTION KEYS HAS BECOME A HUGE POTENTIAL ISSUE, PARTICULARLY FOR THOSE WHO TAKE ADVANTAGE OF NATIVE ENCRYPTION SERVICES.”

—Garrett Bekker, 451 Research Principal Analyst, Information Security

“FIRMS SHOULD CONSIDER GREATER USE OF ENCRYPTION ANDBYOK, ESPECIALLY FOR CLOUD AND OTHER ADVANCED TECHNOLOGY ENVIRONMENTS TO BOTH ADDRESS GROWING COMPLIANCE MANDATES AND ALSO TO MOVE CLOSER TO INDUSTRY BEST PRACTICES."

NOT PUTTING THEIR MONEY WHERE THEIR DATA IS

Breached ever(almost threeout of four)

Breached in the last year

71% 32%

Breached multiple timeshave been breached both in the last year and previously

14%

How will organisations mitigate these risks?

72%

27%

Increasing ITsecurity spending

Overall Muchhigher

44%

21%12% 11%

Meeting data privacy requirements

Encrypting personal

data

Tokenising personal

data

Migrating data

Using local cloud and

hosting providers

99% use digital transformation technologies with sensitive data

(cloud, big data, IoT, containers, blockchain or mobile payments)

Use 3 or more IaaS vendors

Using 3 or more PaaS environments

Use more than25 SaaS

applications

56% 55% 63%

Multi-cloud usage is high, bringing additional risks

Respondents report their organisations increasing spending the least on the most effective tools for protecting data

Rated very or extremely effective Spending Increase

73%36%

68%44%

69%44%

72%42%

60%51%

Endpoint & mobiledevice defences

Analysis &correlation tools

Data at restdefences

Data in motiondefences

Most effective but lowest spending increases

Networkdefences

32018 THALES DATA THREAT REPORT • EUROPEAN EDITION

The new computing environments that virtually every enterprise is leveraging for digital transformation are as large a component of the problem as evolving threats, or even more so. The benefits of this transformation are substantial, but the many different categories and implementation models being used need specific attention to data security by both type and instance, making the problem of safely using sensitive data within them complex and difficult if the right solutions are not identified and used to meet this need.

Moreover, as readers are no doubt aware, this is also the year when Europe’s General Data Protection Regulation (GDPR), among the most sweeping and comprehensive data privacy/information security regulations ever implemented, begins to be enforced. Combining GDPR with the realities of unabated data breaches, digital transformation and expanding threat landscapes results in the potential for business disruption and costly penalties as enterprises struggle to adjust.

DIGITAL TRANSFORMATION REQUIRES A NEW DATA SECURITY APPROACH

Digital transformation drives efficiency and scale for existing products and services, while also making possible new business models that drive growth and profitability. Enterprises across Europe are embracing the opportunity by leveraging all that digital technology offers, but can leave the security of their sensitive data at risk in the rush to deployment.

We found that the overall adoption of cloud, big data, IoT, containers, mobile payments and blockchain technologies by enterprises is at very high levels to drive this transformation. Cloud adoption is now universal, creating the new problem of how to securely use and manage multi-cloud deployments. Big Data usage is now at 97%, and blockchain, mobile payments, and IoT usage are all at more than 90% adoption rates. With 99% of respondents also identifying that their organisations are using sensitive data within these environments these massive rates of adoption make the problem of data security hypercritical. Not only do each of these environments have unique data security problems, but enterprises must also deal with compliance with GDPR requirements for data security wherever the personal information of EU citizens is deployed.

Digital transformation initiatives have high usage of sensitive data

Implementations levels and sensitive data usage with digital transformation technologies

Using or planning to use the technology Using sensitive data with the technology

100%77%

97%41%

92%39%

94%33%

92%26%

94%25%

Cloud

Big Data

Mobile Payments

IoT

Blockchain

Containers

99% use digital transformation technologies with sensitive data

(cloud, big data, IoT, containers, blockchain or mobile payments)

40% The top driver for IT security spending decisions is the adoption of cloud computing


Multi-cloud operations creating big concerns

We found that 63% of respondents identified that their enterprise uses more than twenty-five Software as a Service (SaaS) offerings, 56% were also using three or more Infrastructure as a Services (IaaS) offerings and 55% three or more platform as a service (PaaS) offerings. This level of cloud service usage drives innovation and efficiency, but comes at a price for data security – and it can be measured in the potential for increased levels of complexity driven by the unique requirements for protecting, and retaining control of, data within this range of environments.

In a traditional data centre, not only is data physically secured within the four walls of the enterprise, but all of the infrastructure underlying implementation tools and networks are also under the direct control of the organisation. Now, for IaaS, a specific data security plan must be created for each deployment and environment, then enforced by policy, operational methods and tools. For SaaS and PaaS environments, the case is more complex. In many of these environments, organisations are given little control over how their data is stored or protected, and in some cases where data security controls are available (such as AWS S3 storage buckets or Salesforce implementations) managing encryption keys, and access controls become a new task, requiring new expertise and tools. Third party offerings that reduce this complexity with integrated management of encryption technologies for multiple environments are starting to become available, but are not yet widely recognised. Organisations are going to need them – A basic security maxim is that whoever controls the keys, controls the data. Encryption – with encryption key control either local or remote from the cloud environment managed – is required.

Multi-cloud usage brings additional risks

Use 3 or more IaaS vendors

56% Using 3 or more PaaS environments

55%Use more than 25SaaS applications

63%

Top concerns with cloud computing

Top it security tools need to expand cloud computing use

57%

55%

54%

52%

Security breaches/attacks at the service provider

Lack of control over data location/data residency concerns

Managing monitoring and deployingmultiple cloud native security tools

Custodianship of encryption keys

42%

43%

39%

39%

39%

Encryption with enterprise key management

Encryption with CSP key management

SLAs for a data breach from the CSP

Compliance commitments

Detailed physical and IT security information


DATA BREACHES ARE THE NEW REALITY

With the enforcement phase of GDPR underway, it’s long been the expectation that enterprises will start to take their data security very seriously. The bad news is that even with this incentive looming reports of data breaches last year were substantially up in Europe. On average, roughly one-third (32%) of European respondents report being breached in the previous year, slightly less than the global average (36%). This rate is also well below the U.S. (46%), though both the UK (37%) and Germany (33%) showed sizable increases in the number of those reporting breaches in the past year, up from 22% (UK) and 25% (Germany). Similarly, nearly three-fourths in the Netherlands (74%) and Sweden (78%) have experienced a data breach at any point in the past, well ahead of the global average of 67%.

Another sign that troubled times may be ahead for many enterprises are the rates of failure “in the last year” for data security compliance audits – More than one in three (35%) of respondents polled in European enterprises reported a failed compliance audit in the last year. Moreover, this level of failure was measured before enforcement began. In every country polled except for the UK, this rate of compliance audit “failure in the last year” was higher than all “failures at another time in the past”, sometimes by more than a four to one ratio. We do not have data to show whether this level of audit failure is a result of preparation to meet the new standards, but let’s hope so for the sake of citizen’s private data.

Rates of data breaches “in the last year” accelerate in the UK and GermanyData breaches are the new reality

A rising tide of breaches is rolling across Europe. Few enterprises are spared, and the advent of GDPR increases the resulting risks for organisations.

22%20172018

2017201837% 33%

25%

Breached ever(almost threeout of four)

Breached in the last year

71% 32%

Breachedmultiple times

have been breached both in the last year

and previously

14%

UK Germany

Data security compliance audit failures

Total Europe Germany The Netherlands Sweden UK

35%33%

38%49%

19%

17%18%

17%13%

20%

In the last year

At another time in the past


One other result of this seemingly endless onslaught of successful breaches and failed compliance audits has been elevated feelings of vulnerability to data threats. On average, 41% of European respondents report feeling either ‘very’ or ‘extremely’ vulnerable to data threats, slightly below the global average of 44%. Sweden (50%) and the Netherlands (47%) were notably at the high end, while Germany (36%) and the UK (31%) were somewhat surprisingly at the low end, despite having each experienced large jumps in breaches from the prior year.

However, our results also show good news as well. IT security budgets are starting to expand to counteract these threats. 72% are increasing their IT security spending, with 27% reporting that IT security spending will be much higher this year.

—Garrett Bekker, 451 Research Principal Analyst, Information Security Author of the 2018 Thales Data Threat Report

“As organisations increasingly engage with multiple cloud providers, who maintains control over encryption keys has become a huge potential issue, particularly for those who take advantage of native encryption services.”

6

How will organisations mitigate these threats?

44%

21%

12%

11%

Encrypting personal data

Tokenising personal data

Migrating data

Using local cloud and hosting providers

72%

27%

Increasing IT security spending Meeting data privacy requirements

Overall

Muchhigher


ORGANISATIONS NEED TO CHANGE HOW THEY PROTECT THEIR DATA

Respondents report biggest spending increases in tools that no longer protect data effectively

We found that respondents clearly recognise the defences designed specifically for protecting data are the most effective tools for doing so. Data-at-rest defences were rated as the most effective tools for protecting data, with 72% responding that they were either ‘very’ or ‘extremely’ effective. However, data-at-rest security tools are not getting a high priority in spending increases. In fact, the data-at-rest defences that are the most effective at protecting large data stores are the lowest priority for increases in IT security spending, at only 36%.

At the same time, increases in IT security spending are greatest for endpoint (51%) and network (44%) defences, even as these tools become are no longer wholly effective against attacks designed to compromise data. The combination of spear phishing with zero-day exploits available to criminal hackers makes it almost impossible to keep intruders away from critical data stores solely with network and endpoint-based security controls. As respondents recognise, the most effective solutions are security controls that provide an additional layer of protection directly around data sets. Data-at-rest and data-in-motion security tools can reduce attack surfaces, and provide the information needed to quickly find and stop attacks designed to mine critical data while in progress. Cloud computing also makes network security tools less relevant as increasingly infrastructure is no longer implemented within the four walls of the enterprise. In fact, the vast majority of new projects are implemented using cloud resources.


“Data security offers increased protection to known and unknown sensitive data found

within advanced technology environments.”

Not putting their money where their data is

Respondents report their organisations increasing spending the least on the most effective tools for protecting data

Rated very or extremely effective Spending Increase

73%36%

Data at restdefences

Most effective but lowest spending increases

72%42%

Data in motiondefences

69%44%

Analysis &correlation tools

68%44%

Networkdefences

60%51%

Endpoint & mobiledevice defences


51%

“Despite ranking dead last in terms of effectiveness, endpoint and mobile defences sit at the top of spending priorities for 2018 at 51%, while data-at-rest security – ranked as most effective – is at the bottom in terms of spending plans (36%).”

8


ENCRYPTION IS A CRITICAL TOOL FOR PROTECTING SENSITIVE DATA – WHEREVER IT RESIDES

Protects data in traditional data centres, cloud, big data, and wherever sensitive information is used or stored

Good news. Not only did respondents in Europe identify that encryption technologies are the most effective way to protect data, but in spite of low spending levels, projects are underway to implement encryption for data protection at fairly high levels. Respondents identified that four of the top five data security tools planned this year are encryption technologies – BYOK, enabling cloud-native encryption capabilities, tokenisation and hardware security modules (HSMs). Last, 44% plan to encrypt data to meet global data privacy and sovereignty requirements.

9


“Look for data security toolsets that offer services-based deployments, platforms, and

automation that reduce usage and deployment complexity for an additional layer of

protection for data.”

Encryption is the top tool planned to meet global privacy requirements

44%

Encryption technologies are 4 of the top 5 data security tools that are planned this year (but not yet implemented):

Enabling cloud-nativeencryption capabilities

41%BYOK44%

Tokenisation 43%

Hardware Security Modules

42%Data accessmonitoring

43%

43% 37%48% 44%

Cloud:Data encryption

is the top tool needed for more cloud use

Big Data: Encryption needed to enable greater usage

of big data

IoT:Encryption the top tool needed to increase

IoT adoption

Containers: Availability of encryption

increases adoption

“Despite ranking last in terms of effectiveness, endpoint and mobile defences sit at the top of spending priorities for 2018 at 51%, while data-at-rest security – ranked as most effective – is at the bottom in terms of spending plans (36%) … Meanwhile, despite high effectiveness rankings, data-at-rest defences are ranked last across Europe in terms of spending plans (36%).”

“With increasingly porous networks, and expanding the use of external resources (SaaS, PaaS, and IaaS most especially) traditional endpoint and network security are no longer sufficient. When implemented as a part of the initial development (for ease of implementation versus retrofitting at a later date), data security offers increased protection to known and unknown sensitive data found within advanced technology environments.”

“Look for data security toolsets that offer services-based deployments, platforms, and automation that reduce usage and deployment complexity for an additional layer of protection for data.”


10


ENCRYPTION IS THE SOLUTION

Encryption technologies are critical to protecting data at rest, in motion and in use. Encryption secures data to meet compliance requirements, best practices and privacy regulations. It’s the only tool set that ensures the safety and control of data not only in the traditional data centre, but also with the technologies used to drive the digital transformation of the enterprise.

ABOUT THALES

Thales eSecurity is the leader in advanced data security solutions and services that deliver trust wherever information is created, shared or stored. We ensure that the data belonging to companies and government entities is both secure and trusted in any environment – on-premises, in the cloud, in data centres or big data environments – without sacrificing business agility. Security doesn’t just reduce risk, it’s an enabler of the digital initiatives that now permeate our daily lives – digital money, e-identities, healthcare, connected cars and with the internet of things (IoT) even household devices. Thales provides everything an organisation needs to protect and manage its data, identities and intellectual property and meet regulatory compliance – through encryption, advanced key management, tokenisation, privileged user control and high assurance solutions. Security professionals around the globe rely on Thales to confidently accelerate their organisation’s digital transformation. Thales eSecurity is part of Thales Group.

OUR SPONSORS GEOBRIDGE

TO READ THE FULL REPORT VISIT: DTR.THALESESECURITY.COM

URL: https://thalesesecurity.co.uk/2018/euro-data-threat-report

2018 thales data threat reportgo.thalesesecurity.com/rs/480-lwa-970/images/2018-data... ·...

Documents