Organizations handling payments or personal data are increasingly moving to cloud-based technology, and cyber criminals are taking advantage of that transition in finding new attack vectors.
Many organizations are advancing their technological capabilities, but not changing security strategies to reflect the risk, according to new research from cyber security firm Thales.
As many as 94% of organizations say they are using sensitive data through new digital channels in cloud, big data, blockchain or mobile, according to the 2018 Thales Data Threat Report. Up to 91% are working on or using mobile payments. However, 67% of respondents said they have been breached, with 36% saying it occurred in the past year. This was an increase over the 26% that reported a breach for the 2017 report.
Thales conducted online and phone interviews with 1,200 senior executives covering various industries, including retail and financial services, in Germany, Japan, India, the Netherlands, Sweden, South Korea, the U.K. and U.S. The executives had a major influence, or were the sole decision maker, for IT projects within their companies.
“From cloud computing to mobile devices, digital payments and emerging [Internet of Things] applications, organizations are reshaping how they do business – and this digital transformation is reliant on data," Peter Galvin, chief strategy officer for Thales eSecurity, said in a Thursday press release.
"We’re now at the point where we have to admit that data breaches are the new reality, with over a third of organizations suffering a breach in the past year," Galvin said. "In this increasingly data-driven world it is therefore hugely important to take steps to protect that data wherever it is created, shared or stored.”
That rush to new digital environments has created more places for criminals to probe or enter a network, the report said.
Forty-two percent of organizations use more than 50 software-as-a-service applications, while 57% use three or more infrastructure-as-a-service vendors, and 53% use three or more platform-as-a-service vendors.
Thales reported a "disconnect" between proven security measures in place and what organizations are spending on security strategies. While 77% of respondents cite data-at-rest security measures as being the most effective to prevent breaches, only 57% are spending the most on endpoint and mobile security technologies. For 50%, most security funding was going to analysis and correlation tools.
In a regional breakdown related to mobile payments, U.S. retail executives expressed the most concern about exposure of credit card information at 50% citing it as a top risk, while executives in India, at 54%, were most worried about security of personally identifiable information. In Germany, the biggest concern at 43% was account takeover by fraudsters.
The message should be clear to organizations dealing with massive digital change that they need to offset risks with data security controls, Garrett Bekker, principal security analyst with 451 Research, and author of the report, said in the release.
"But while times have changed, security strategies have not – security spending increases that focus on the data itself are at the bottom of IT security spending priorities, leaving customer data, financial information and intellectual property severely at risk," Bekker said. "If security strategies aren’t equally as dynamic in this fast-changing threat environment, the rate of breaches will continue to increase.”
As an example, the report indicated that organizations seem indifferent toward data encryption, a key security technology for payments and personal data in transit. Only 44% cite encryption as the top tool for increased cloud usage, while only 35% say it is necessary to drive big data adoption. The technology was cited as a top tool by 42% in meeting new privacy requirements of the European Union's General Data Protection Regulation, which takes hold in May.
Forty-four percent cited tokenization, a security measure to protect data at rest, as a top priority in the coming year.
The report encouraged organizations to leverage encryption and access controls as a primary defense for data, and to also select a data security platform that addresses multiple use cases in order to reduce complexity and costs. Security analytics and multi-factor authentication are needed to help organizations identify patterns of data use, the report added.
