IT and security leaders face challenges on multiple fronts today. On the one hand, there is insatiable business demand for more digital transformation, which they are expected to support. This demand gathered pace during the pandemic. Even in the face of strong economic headwinds, it continues today as a means to drive greater efficiencies and competitive advantage. Yet on the other hand, these same projects threaten to expose organizations to greater cyber risk. As always, the threat of data leakage and theft remains acute.
To find out how IT and security leaders in the UK, Germany and France are coping with these pressures, comforte recently commissioned Censuswide to conduct an industry survey. It polled 503 IT security specialists and Chief Information Officers (CIOs) across these three key European markets.
Perception and reality
What we found straight away is that the cyber threat remains at an elevated level. Over half (54%) of respondents say their company has suffered a cyberattack 1-3 times in the past 24 months, and a fifth (20%) claim to have been attacked 4-6 times in the same time period. Only 18% say they have not encountered such a threat. Geopolitical events are also taking their toll: nearly two-thirds (63%) of respondents say they have noticed an increased cyber risk due to the war in Ukraine, rising to 69% in the UK.
Yet here’s where things get a bit murkier. Despite the experience of most organizations over the past two years, the vast majority (85%) are somewhat or very confident they’ll avoid an attack over the coming 24 months. This bullish attitude extends to threat detection. Most respondents claim they’ll be able to identify a cyberattack within an hour (48%), in 1-2 hours (29%) or in 2-6 hours (13%). This perception of their detection and response abilities is at odds with reality. In fact, attacker dwell time – the length of time threat actors go undetected inside networks – stands at a median of 21 days globally, and 48 days in EMEA.
The truth is that it’s increasingly simple for attackers to get past perimeter defenses, often by using breached credentials or brute-forcing logins with automated software. And they are past masters at staying hidden. So what happens when an organization finally realizes it’s been breached? The good news is that nearly three-quarters (72%) have a contingency plan in place for business continuity which they’ve tested. But a quarter (26%) of respondents to our survey have not tested such plans, rising to 29% in Germany and 31% in the UK. Once again, they could be operating under a dangerous false sense of security.
Missing the mark on compliance
There are more reasons to be concerned. Data is the number one asset most organizations hold. Customer and employee information, including health data, is highly regulated under the GDPR, while financial data or IP could incur significant business risk if leaked or stolen. Yet only 66% of respondents agree customer data is “risky.” Even fewer say the same about financial data (63%), IP (45%) and health-related data (28%).
In fact, when it comes to GDPR compliance, most (76%) admit they’re taking a tick-box approach, which involves doing the bare minimum on data privacy and security. That’s not just disappointing, it could also unwittingly expose the organization to additional risk, if the bare minimum turns out not to be enough in an ever-changing threat and regulatory landscape.
Why are these organizations not doing more? Perhaps because only a quarter (25%) have been fined in the past due to data breaches. Sometimes, the only thing that persuades unengaged boards to get proactive with cybersecurity is experiencing first-hand the financial and reputational repercussions of negligent policy.
The data-centric security opportunity
There are some positives to take from the study. Nearly nine in 10 (87%) respondents expect their security budget to increase next year. And most (95%+) claim to know their corporate data security policies well regarding proper use, processing and storage. Yet it’s also telling that for 64% of organizations, data protection is viewed as a hurdle to digital transformation.
In fact, it should be a seamless enabler of opportunity. This is where data-centric security has much to offer. By applying strong protection, such as encryption or tokenization, to the data itself, organizations can reduce the scope of some compliance requirements and minimize their cyber risk. Even if an attacker succeeds in exfiltrating sensitive customer, employee or IP-related data, they will not be able to use it. At the same time, organizations will still be able to extract value from the data via cloud-based analytics and other tools of business growth.
Data-centric security is ultimately a business opportunity, not a roadblock.