
Into the Unknown


Europe’s c-suites struggle to maintain cyber security levels while their organisations are wrestling with digital transformation challenges.

THE EUROPEAN EDITION OF DATA THREAT REPORT – RESEARCHED BY IDC ON BEHALF OF THALES – REFLECTS BROAD CHANGES IN DATA SECURITY APPLICATION IN SELECTED NATIONS. It provides key insights into the nature of cyber security deployment and readiness across the region, and is one of the few sources of pan-European intelligence that contains information for both technology-facing executives and non-techies. It’s based on a survey by IDC of 1,200 high-rank executives with responsibility for, or influence over, data security decision-making. The European edition of the report focuses on the findings from 400 European respondents (100 each from the UK, Germany, Sweden, and the Netherlands), and provides comparisons and contrasts between regional markets. Respondents represent a range of vertical sectors, public and private. They also represent a broad range of organisational sizes, with the majority ranging from 500 to 10,000 employees. The report highlights how digital transformation (sometimes shortened to just ‘DX’) now fundamentally impacts the pan-European economy. Digital transformation facilitates new and innovative ways to provide an improved customer experience and drive greater efficiencies and productivity gains. Some 36% of European respondents say they either are ‘aggressively disrupting’ the markets they participate in or aim to embed digital capabilities that enable greater organisational agility. Digital transformation is also likely to be complex and risky, as it introduces new difficulties for information security professionals. Not only must security professionals deal with a very dynamic threat environment, in which 61% of European respondents say they have been breached at some point in their company’s life, but they must also function in an increasingly restrictive regulatory environment.
Together, these compounding issues should, however, implore organisations to implement the data management best practices that give them the foundation for high-quality, secure transformational efforts. Most European companies have cleared the initial challenge of GDPR (General Data Protection Regulation) compliance, the report says, and stacked their security inventory up using extra budget allocation caused by GDPR ‘fear’, Brexit concerns, and the need to ‘digest’ new technologies and processes recently acquired and built. Forty-one per cent of the European companies in the Data Threat Report sample say their spending will increase over the coming year, down from 72% last year, even while threat vectors are increasing: cyber criminals, cyber terrorists, and hacktivists top the list of concerns for all European companies. European data environments are now increasingly complex, and this complexity is proving to be a barrier to data security.

Just like in other geographies, European companies are moving workloads to multiple cloud environments, even as they work to maintain traditional on-premises infrastructures. European companies are adopting cloud options for sensitive data and critical applications (see Cyber Security Europe, Spring 2019 issue), which means they must get cloud security right, but not overcomplicate IT strategies. Organisations must take a multi-layered approach to security, and the Data Threat Report study shows European executives working toward this goal. European respondents are placing roughly equal focus on network, application, and data security, with 35% of their focus on network, 34% on data, and 31% on application security; these figures map closely to the global total. Respondents have lengthy ‘to do’ lists with plans to implement a variety of technologies over the coming 12 months, but they struggle to implement their plans, and rate complexity as their greatest barrier to data security implementation, followed by lack of budget and staff. Meanwhile, the risks of digital transformation remain an overarching challenge. This is because digital transformation entails a risk of a disconnect between more advanced organisations that run hybrid cloud-based modern infrastructures, and organisations that retain a dependency on legacy, perimeter-centric infrastructure. While it may seem that organisations further along the transformation process are in a better place than the laggards, they still have their own challenges to address. They must apply security architectures across legacy infrastructures while they simultaneously roll out hybrid cloud-based, digitally-transformative technologies. Ironically, this can lead to IT security professionals aiming at the wrong target. These security professionals believe that they are secure as they roll out new technologies, but they may face more extensive challenges as they look to secure a wider variety of IT infrastructure.
Put another way, the greater the data distribution across an ever-increasing number of environments, the less organisational focus is available to protect data in any single environment. ‘Companies require smarter, better ways to approach data security and to implement modern, hybrid, and multi-cloud-oriented technologies,’ the report concludes. The UK had the greatest sense of having ‘adequate security’, and the Netherlands had the least. Asked about factors impacting IT security spending decisions, 31% of European respondents said they work to ‘avoid financial penalties resulting from a data breach’, and the same percentage confirm they are ‘motivated’ by a past incident. Instead, the top-cited security spend driver is ‘implementing security best practices’, cited by 41% of Euro respondents. With many organisations having achieved GDPR compliance, they may feel they are at a ‘good enough’ level for data security, and have now reset aspirations to achieve a ‘best practice’ level of security, the report suggests. The report zeros in on several specific aspects of data security practice that respondents in Germany, Sweden, the UK and the Netherlands are confronted by. Here are some selected examples...

GROWTH IN SECURITY SPEND The percentage of European respondents polled who report that their security spend is increasing was only 41% for the 2019 survey, which is down significantly from the 2018 Data Threat Report, in which 72% of organisations reported an expected increase in their security budget. European respondents who say their security budget will decrease more than doubled (18% compared to 8%) and the number saying their spend will stay the same doubled (42% compared to 21%) as well. Notably, the 41% who say spending is increasing is lower than the global total, 50% of which said their spend is increasing, indicating that slowing spending is more acute in Europe than in other geographies. Clearly, GDPR has been a watershed initiative, providing global leadership surrounding the issue of privacy and data sovereignty. The question of ‘Who owns data?’ is relevant. The sharp decline in those reporting an increase in security spend, though, begs the question of whether companies are looking to implement best practice approaches to data security, or are simply looking to achieve compliance through ‘good enough’ approaches, the report says. In many cases European organisations surveyed have sought a stepped approach to GDPR compliance. In the first instance, they have developed consistent data security and compliance processes in order to demonstrate readiness. However, these have often been developed on a manual basis, with plenty of scope remaining to achieve compliance on an automated basis. In other words, data security and GDPR compliance are yet to become operationalised into business-as-usual.

THREAT VECTORS SHIFT Some 61% of European respondents to the Data Threat Report say they have been breached at some point in their past. Sweden reported the highest breach incident rates at 77%, while Germany was the lowest at 54% (see Figure headed ‘Vulnerability to Data Security Threats’). In contrast, 27% of European respondents believe they are vulnerable or very vulnerable to data security issues, much lower than the global total of 34%. Within the European countries studied, Swedish respondents felt the most vulnerable, with 42% saying they were very or extremely vulnerable to security threats, and Germans felt the least, with 17% saying they were ‘very vulnerable’ or ‘extremely vulnerable’. IDC believes this is a reflection of Germany (along with the UK) being one of Europe’s most mature security markets, with Sweden (along with other Nordic countries and the Netherlands) behind. Arguably, this means that Swedish organisations have more room for improvement than their counterparts in Germany or the UK. In addition, smaller nations like Sweden and the Netherlands have traditionally been perceived to be less of a target for malicious actors than organisations in Germany or the UK. Countries like Sweden and the Netherlands must now bring their security up to the level of their global counterparts. Europeans here see the greatest threats overall to be cyber criminals, cyber terrorists, and hacktivists. Insider threats are the lowest-perceived risk factors, although this is somewhat at odds with other threat type ranking surveys published over the last five years (see Cyber Security Europe Autumn 2018 issue). While the incidence rate of cyber terrorism is relatively quite low, respondents’ concern over it is high. This includes proliferation of state-sponsored cyber attacks and uncertainty about cyber warfare. While few cyber terrorist activities have occurred to date, indications are that the preparation for such activities is quite considerable.

ADEQUATE SECURITY Within the European countries studied in the Data Threat Report, the UK had the greatest sense of having ‘adequate security’, while the Netherlands had the least. As mentioned earlier, asked about factors impacting IT security spending decisions, 31% of European respondents said they are working to ‘avoid financial penalties resulting from a data breach’, and the same percentage confirm they are ‘motivated’ by a past incident. Instead, the top-cited security spending driver is ‘implementing security best practices’, cited by 41% of European respondents. With many organisations now having achieved GDPR compliance, they may feel they are at a ‘good enough’ level when it comes to data security, and have now set their aspirations higher to achieve a ‘best practice’ level of security.

CLOUD ADOPTION Sixty-seven per cent of the European respondents to the Data Threat Report say they use at least one of the three flavours of cloud – Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS), and Infrastructure-as-a-Service (IaaS) – to store sensitive or regulated data. Ninety-eight per cent of European companies are storing sensitive data in digitally transformative environments across at least one of the technologies they were surveyed about.

INCREASED COMPLEXITY Data environments are increasingly complex. Workloads that used to be handled by a single on-premises environment are now augmented with multiple IaaS and PaaS environments, as well as many SaaS hosted applications. A new wave of ‘serverless computing’ or ‘function-as-a-service’ adds to this complexity. Even as they relocate new workloads to cloud, enterprises must still maintain mission-critical applications that run on on-premises environments. While the number of European organisations that now run a very large number of IaaS/PaaS environments is lower than the global total (9% of Europeans polled say they are running four or more IaaS, and 8% are running four or more PaaS environments), the number running two or more IaaS/PaaS environments tracks closely with the global total. Managing multiple cloud instances introduces new challenges for European IT departments. It is enough of a challenge to provide encryption, tokenisation, visibility and access to sensitive data within a single cloud instance, let alone dozens. European respondents rate complexity, lack of budget, and lack of staff to manage as their top concerns over data security.

PERIMETER-, DATA- AND APPLICATION SECURITY In the past, when most data was located on-premises, enterprises placed a great amount of security focus on network security. The focus was on protecting the perimeter, backed up by device-level defences within the firewall. There used to be a ‘two for one’ spending effect in that the money spent on network security also protected the organisation’s data. Now we are seeing a global trend toward more focus on application and data security. No longer is network security ‘sucking all the oxygen out of the room’.

COMPLIANCE AND REGULATORY CHALLENGES In many respects, Europe has long played a leading role in requiring data privacy and sovereignty, most notably with the EU’s GDPR regulation. Not surprisingly, the study found that European firms are among the most prepared to handle regulatory requirements. Europe had a higher percentage of companies that are using encryption and tokenisation on personal data than the global total, and fewer saying they are not impacted by privacy/sovereignty regulations. Within the countries studied, the UK and Germany are most likely to encrypt personal data, while respondents from the Netherlands are most likely to use tokenisation.

ACCREDITATION: Words | IDC/Thales Data Threat Report / James Hayes, Photography | Shutterstock
