2017 THALES DATA THREAT REPORT

Transcription

1 2017 THALES DATA THREAT REPORT Trends in Encryption and Data Security FINANCIAL SERVICES EDITION

2 2017 THALES DATA THREAT REPORT TRENDS IN ENCRYPTION AND DATA PROTECTION U.S. U.K. GERMANY JAPAN MEXICO RESPONDENTS ORGANIZATIONS (ALL) 73% - $500M OR MORE 48% - $1B OR MORE ALL US - $250M+ ALL GLOBAL - $150M+ Copyright 2017 Thales BRAZIL AUSTRALIA 1,100+ SENIOR IT SECURITY EXECUTIVES SURVEYED GLOBALLY 100 U.S. FINANCIAL SERVICES 90 GLOBAL FINANCIAL SERVICES

3 U.S. FINANCIAL SERVICES IT SECURITY SPEND INCREASES AND SO DO THE BREACHES 78% OF U.S. FINANCIAL SERVICES RESPONDENTS REPORTED THAT THEIR ORGANIZATIONS SPENDING ON IT SECURITY WILL BE INCREASED, BUT RATES OF BREACHES IN THE LAST YEAR INCREASED FROM 19% LAST YEAR TO 24% THIS YEAR CLEARLY, THERE S STILL A BIG DISCONNECT BETWEEN WHAT WE ARE SPENDING THE MOST OF OUR SECURITY BUDGET ON AND WHAT S NEEDED TO ENSURE THAT OUR SENSITIVE DATA REMAINS SECURE. GARRET BEKKER SENIOR ANALYST, INFORMATION SECURITY

4 U.S. FINANCIAL SERVICES INCREASINGLY A TARGET FOR DATA BREACHES 24% of U.S. financial firms reported a breach last year, slightly lower than the overall global average of 26%, but higher than most other U.S. verticals and also up markedly from 19% the previous year the implication is that U.S. financials are becoming more of a target. Garrett Bekker Principal Analyst, Information Security, 451 Research U.S. FINANCIAL SERVICES DATA BREACHES 2017 DATA BREACH RESULTS BY U.S. VERTICAL 84% 47% 52% 42% 65% EVER IN THE LAST YEAR 19% 24% 25% 42% 68% IN THE LAST YEAR AT ANOTHER TIME IN THE PAST 20% HEALTHCARE 19% RETAIL 24% 34% FINANCIAL FEDERAL SERVICES GOVERNMENT

5 U.S. FINANCIAL SERVICES 42% HAVE EXPERIENCED A DATA BREACH 24% IN THE LAST YEAR (UP FROM 19% PREVIOUSLY) 12% MORE THAN ONCE $ GLOBAL FINANCIAL SERVICES 49% HAVE EXPERIENCED A DATA BREACH 28% IN THE LAST YEAR 21% MORE THAN ONCE

6 .. external attackers frequently masquerade as insiders by using stolen or compromised credentials to access all types of valuable data, including PII, PHI, financial data and intellectual property Garrett Bekker Principal Analyst Information Security, 451 Research THE MOST DANGEROUS INSIDERS 40% U.S. FINANCIAL SERVICES 48% GLOBAL FINANCIAL SERVICES 61% U.S. FINANCIAL SERVICES 60% GLOBAL FINANCIAL SERVICES 34% U.S. FINANCIAL SERVICES 38% GLOBAL FIN. SERV. 33% U.S. FIN. SERV. 35% GLOBAL FIN. SERV EXECUTIVE MANAGEMENT PRIVILEGED USERS CONTRACTORS ORDINARY EMPLOYEES

7 FINANCIAL FIRMS ARE A PRIME TARGET OF ATTACKERS, BECAUSE, IN THE INFAMOUS WORDS OF WILLIE SUTTON, THAT S WHERE THE MONEY IS. TOP EXTERNAL THREAT ACTOR SELECTIONS U.S. FINANCIAL SERVICES 52% CYBER CRIMINALS GLOBAL FINANCIAL SERVICES 40% CYBER CRIMINALS HACKTIVISTS 12% HACKTIVISTS 16% 12% CYBER- TERRORISTS NATION STATES CYBER- TERRORISTS 18% 18% NATION STATES 14% 4% COMPETITORS 13% COMPETITORS

8 U.S. FINANCIAL SERVICES USING SENSITIVE DATA WITH ADVANCED TECHNOLOGIES WITHOUT DATA SECURITY * U.S. RESULTS 47% OF U.S. FINANCIAL SERVICES RESPONDENTS SURVEYED ARE DEPLOYING NEW TECHNOLOGIES IN ADVANCE OF HAVING APPROPRIATE LEVELS OF DATA SECURITY IN PLACE 96% WILL USE SENSITIVE DATA IN AT LEAST ONE OF THESE ADVANCED TECHNOLOGY ENVIRONMENTS 61% 45% 39% 40% 58% 35% 23% 14% SAAS IAAS PAAS MOBILE BIG DATA IOT CONTAINERS BLOCKCHAIN

9 WITH NATIONAL REGULATIONS LIKE GDPR COMING WORDWIDE DATA PRIVACY AND SOVEREIGNTY ARE MAKING WAVES EVERYWHERE ADDRESSING REQUIREMENTS BY: 70% 49% 38% 28% 66% 54% 33% 21% 75% - U.S. 72% - GLOBAL Impacted by Data Privacy and Data Sovereignty U.S. Fin Serv. ENCRYPTING DATA TOKENIZING DATA MIGRATING DATA LOCAL HOSTING & CLOUD ENCRYPTING DATA TOKENIZING DATA MIGRATING DATA LOCAL HOSTING & CLOUD GLOBAL FINANCIAL SERVICES 100+ NATIONAL DATA PRIVACY/SOVEREIGNTY REGULATIONS WORLDWIDE EUROPE JAPAN MEXICO AUSTRALIA GDPR GOES LIVE MAY 2018 AIPP DATA PROTECTION AND PRIVACY RULES LIVE MAY 2017 LFPDPPP PRIVACY LAW WITH FINES UP TO 1.5M NEW DATA BREACH DISCLOSURE REQUIREMENT ENFORCEMENT BEGINS FEBRUARY 2018

10 86% OF U.S. FINANCIAL SERVICES RESPONDENTS FELT THEIR ORGANIZATIONS WERE VULNERABLE TO DATA THREATS 27% WERE VERY OR EXTREMELY VULNERABLE Today s unbroken string of high profile data breaches serves as stark proof that data on any system can be attacked and compromised. Garrett Bekker, Principal Analyst Information Security, 451 Research

11 FINANCIAL SERVICES ORGANIZATIONS FEELING VULNERABLE Just 27% of U.S. respondents said they feel very or extremely vulnerable to data threats, slightly below the global average of 30%. Global financial respondents, however, show a much greater degree of concern, with a full 43% indicating very or extremely vulnerable. Garrett Bekker Principal Analyst, Information Security, 451 Research U.S. Verticals Global Verticals SOMEWHAT OR MORE VULNERABLE 84% 90% 85% 86% 96% 88% 88% 90% 88% VERY OR EXTREMELY VULNERABLE 16% 29% HEALTHCARE 19% 27% 48% 47% 37% RETAIL FINANCIAL SERVICES FEDERAL 44% 31% HEALTHCARE RETAIL FINANCIAL FEDERAL SERVICES

12 $ 78% % 73% EXPECT THEIR SPENDING ON IT SECURITY TO INCREASE % 58.5% UP FROM 70% IN 2016 GLOBAL AVERAGE 73%

13 COMPLIANCE THE TOP PRIORITY FOR U.S. FINANCIAL SERVICES IT SECURITY SPENDING IT SECURITY SPENDING PRIORITIES (RATES OF TOP 3 SELECTION) 49% % COMPLIANCE REQUIREMENTS 45% REPUTATION AND 62% BRAND PROTECTION 41% % % % % % DATA BREACH PENALTIES IT SECURITY BEST PRACTICES 31% INCREASING CLOUD USAGE Not measured 25% % % % % % % % EXECUTIVE DIRECTIVE PARTNER AND PROSPECT REQUIREMENTS COMPETITIVE/STRATEGIC CONCERNS PREVIOUS DATA BREACH DATA BREACHES AT PARTNERS OR COMPETITORS ONCE AGAIN OWING TO HEAVY REGULATIONS, COMPLIANCE REQUIREMENTS ARE THE TOP REASON FOR SECURITY SPENDING AT 49% FOR U.S. FINANCIAL RESPONDENTS, WITH REPUTATION AND BRAND SECOND AT 45%, FOLLOWED BY PENALTY AVOIDANCE WHICH IS CLEARLY RELATED TO COMPLIANCE AT 41%. Garrett Bekker, Principal Analyst Information Security, 451 Research

14 OLD HABITS DIE HARD INVESTING HEAVILY IN NETWORK/END POINT SECURITY AS THEY BECOME LESS EFFECTIVE AND LESS RELEVANT 89% +4% FROM 2016 AT BELIEVE NETWORK SECURITY VERY/ EXTREMELY EFFECTIVE PROTECTING DATA The sad truth is that as the data breaches continue to pile up, we continue to spend the bulk of our resources on the same old solutions, while approaches like data security that could arguably do a better job of protecting data, particularly among new technologies like cloud, Big Data and IoT, continue to lag. IT SECURITY DEFENSE SPENDING INCREASES RATES OF EFFECTIVENESS FOR PROTECTING DATA NETWORK END POINT AND MOBILE ANALYSIS AND CORRELATION DATA IN MOTION 73% 54% 59% 50% NETWORK END POINT AND MOBILE ANALYSIS AND CORRELATION DATA IN MOTION 89% 66% 81% 81% DATA AT REST 52% DATA AT REST 79%

15 COMPLEXITY AND POTENTIAL PERFORMANCE IMPACTS TOP BARRIERS TO DATA SECURITY DEPLOYMENT U.S. FINANCIAL SERVICES The lack of skilled security staff has been a consistent theme in 451 s research efforts the past few years, and in conjunction with complexity, makes a strong case for data security functionality delivered as a service Garrett Bekker 451 Research PERCEPTION OF COMPLEXITY UNIVERSALLY THE TOP BARRIER 56% COMPLEXITY 40% POTENTIAL PERFORMANCE IMPACTS 24% 15% 56% GLOBAL 50% PERCEIVE COMPLEXITY AS THE TOP BARRIER TO ADOPTION DATA SECURITY SOLUTIONS LACK OF STAFF TO MANAGE 24% LACK OF BUDGET 24% LACK OF PERCEIVED NEED LACK OF ORGANIZATIONAL BUY IN PERCEIVED BARRIERS TO ADOPTING DATA SECURITY

16 TOP CONCERNS WITH CLOUD/SAAS ENVIRONMENTS RATES OF VERY OR EXTREMELY CONCERNED FINANCIAL SERVICES 53% U.S. 57% GLOBAL 53% U.S. 50% GLOBAL SHARED INFRASTRUCTURE VULNERABILITIES LACK OF DATA LOCATION CONTROL 52% U.S. SECURITY BREACHES / 55% GLOBAL ATTACKS AT CSP 49% U.S. 58% GLOBAL 47% U.S. 52% GLOBAL CLOUD PRIVILEGED USER ABUSE/THREATS LACK OF DATA PRIVACY POLICY / SLA 43% U.S. MEETING COMPLIANCE 50% GLOBAL REQUIREMENTS With tidal volumes of data and applications moving to the cloud, global respondents are most concerned about attacks on the cloud service provider (59%). However, for U.S. financial respondents, 53% are most concerned with security vulnerabilities from shared infrastructure, while slightly less (52%) are concerned with security breaches and attacks at the cloud service provider level. 42% U.S. LACK OF VISIBILITY INTO 55% GLOBAL SECURITY PRACTICES 35% U.S. CUSTODIANSHIP OF 52% GLOBAL ENCRYPTION KEYS Garrett Bekker Principal Analyst, Information Security, 451 Research

17 WHAT CAN CSPS AND SAAS PROVIDERS DO TO INCREASE FINANCIAL SERVICES CLOUD ADOPTION? 60% U.S. 49% GLOBAL 51% U.S. 54% GLOBAL 50% U.S. 40% GLOBAL 52% U.S. 42% GLOBAL DATA ENCRYPTION IN THE CLOUD WITH ENTERPRISE PREMISES KEY CONTROL DATA ENCRYPTION IN THE CLOUD WITH CSP KEY CONTROL SLA AGREEMENTS AND LIABILITY TERMS FOR DATA BREACHES DETAILED PHYSICAL AND IT SECURITY IMPLEMENTATION INFORMATION U.S. financial services organizations that would choose encryption of their data in public cloud services also have a preference towards the storage of encryption keys locally. Garrett Bekker Principal Analyst, Information Security, 451 Research

18 BIG DATA TOP FINANCIAL SERVICES DATA SECURITY STATS TOP 5 CONCERNS 41% U.S. 46% GLOBAL 39% U.S. 43% GLOBAL SENSITIVE DATA MAY RESIDE ANYWHERE SECURITY OF REPORTS THAT MAY INCLUDE SENSITIVE DATA 42% U.S. 35% GLOBAL USING ENCRYPTION TO PROTECT DATA IN BIG DATA ENVIRONMENTS TODAY 37% U.S. 39% GLOBAL 36% U.S. 30% GLOBAL 29% U.S. 38% GLOBAL PRIVACY VIOLATIONS - DATA ORIGINATES IN MANY COUNTRIES LACK OF EFFECTIVE ACCESS CONTROLS PRIVILEGED USER ACCESS TO PROTECTED DATA 58% U.S. 39% GLOBAL 53% U.S. 39% GLOBAL USING SENSITIVE INFORMATION IN BIG DATA ENVIRONMENTS VERY CONCERNED THAT THEY ARE USING SENSITIVE INFORMATION IN BIG DATA WITHOUT DATA SECURITY CONTROLS

19 IOT ADOPTION IS HIGH FOR U.S. FINANCIAL SERVICES USE OF SENSITIVE DATA A CONCERN 84% ADOPTING IOT 35% ALREADY USING SENSITIVE DATA IN IOT 32% VERY CONCERNED ABOUT SENSITIVE DATA IN IOT TOP 5 DATA SECURITY CONCERNS FOR IOT 37% - IDENTIFYING WHICH DATA IS SENSITIVE 35% - PROTECTING SENSITIVE DATA GENERATED BY IOT 25% - PRIVACY VIOLATIONS GENERATED BY IOT 25% - LOSS OR THEFT OF IOT DEVICES 24% - PRIVILEGED USER ACCESS TO DATA AND DEVICES TOP 5 CONTROLS NEEDED TO INCREASE IOT ADOPTION 54% - ANTI-MALWARE FOR DEVICES 49% ENCYPTION OF DATA 49% SECURE ID & AUTH 33% - ANOMALY DETECT/ BEHAV ANALYSIS 33% - IOT NETWORK ISOLATION

20 CONTAINERS: TOP SECURITY CONTROLS TO INCREASE FINANCIAL SERVICES CONTAINER ADOPTION AND USE U.S. 84% DEPLOYING CONTAINERS THIS YEAR. SECURITY THE TOP BARRIER TO DEPLOYMENT 45% 48% U.S. GLOBAL 54% ENCRYPTION 44% ANTI-MALWARE 43% MONITORING TOOLS FOR CONTAINERS 38% VULNERABILITY SCANNING 26% DIGITAL SIGNATURE IMAGE VALIDATION GLOBAL 53% ANTI-MALWARE 42% ENCRYPTION 38% VULNERABILITY SCANNING 36% MONITORING TOOLS FOR CONTAINERS 29% DIGITAL SIGNATURE IMAGE VALIDATION

21 ENCRYPTION ENABLES DIGITAL TRANSFORMATION IN FINANCIAL SERV. A KEY TOOL REQUIRED FOR ADVANCED TECHNOLOGY ADOPTION CLOUD ENCRYPTION ENABLING FURTHER ADOPTION OF CLOUD DATA ENCRYPTION IN THE CLOUD WITH ENTERPRISE PREMISE KEY CONTROL 60% U.S. GLOBAL 49% BIG DATA U.S. ENCRYPTION OFFSETS TOP SECURITY CONCERNS 37% 39% 41% PRIVACY VIOLATIONS SECURITY OF REPORTS SENSITIVE DATA EVERYWHERE 39% 43% 46% GLOBAL IOT U.S. THE TOP TECHNOLOGIES NEEDED TO EXPAND USAGE 49% 49% DATA ENCRYPTION SECURE DIGITAL IDENTITY (AN ENCRYPTION TECHNOLOGY) 58% 55% GLOBAL CONTAINERS ENCRYPTION A TOP CONTROL NEEDED TO ENABLE GREATER ADOPTION 42% GLOBAL 54% U.S.

22 BEST PRACTICE RECOMMENDATIONS GARRETT BEKKER, 451 RESEARCH Re-prioritize your IT security tool set Cloud and SaaS break legacy IT Security models Data security with encryption and access controls across environments is required. Service-based solutions and platforms that include automation are preferred for reduced costs and simplicity. Discover and classify Get a better handle on the location of sensitive data, particularly for Cloud, Big Data, Containers and IoT Don t just check off the compliance box Encryption and access control Global and industry regulations can be demanding, but agencies should consider moving beyond compliance to greater use of encryption and BYOK, especially for cloud and other advanced technology environments. Encryption needs to move beyond laptops and desktops. Data center: File and application level encryption and access controls Cloud: Encrypt and manage keys locally, BYOK enables safe SaaS, PaaS and IaaS Big Data: Encryption and access control within the environment Containers: Encrypt and control access to data both within containers and underlying data storage locations IoT: Use secure device ID and authentication, as well as encryption of data at rest on devices, back end systems and in transit to limit data threats

23 OUR SPONSORS

24 ABOUT THALES E-SECURITY Instilling trust across the data landscape Our powerful technology platform provides advanced data security for more servers, applications, and environments than any other security alternative What we do Thales e-security provides companies everything they need to protect and manage their data and scale easily to new environments and requirements encryption, advanced key management, tokenization, authorization, privileged user control, and HSMs. Our customers Our customers include 19 of the world s 20 largest banks, four of the world s five largest oil companies, 27 NATO country members and 15 of the Fortune 25.

25 Our solutions protect data while eliminating complexity, inefficiency and cost DB/ File Encryption Application Encryption Big Data Code Signing Tokenization Data Masking Transaction Security Public Key Infra (PKI) Cloud Security Customer Records PII Secure Analytics Script Developmen t PCI, PHI Payment related apps Internet of Things Cloud Migration Use Cases Key Management Encryption Data Protection Platform DATA PROTECTION HARDWARE DATA PROTECTION SOFTWARE

26 2017 THALES DATA THREAT REPORT Trends in Encryption and Data Security FINANCIAL SERVICES EDITION