Businesses in a wide swath of industries across the globe place too much trust in perimeter security solutions like firewalls, IDPS and content filtering, even though 28% of them suffered a breach in the past 12 months, according to a survey of 1,050 decision makers. And new EU legislation will soon demand that companies protect customer data, or else.
With nearly 1.4 billion data records lost or stolen in 2016 at the hand of cybercriminals, it is unnerving that 94% of IT professionals feel perimeter security is effective at keeping unauthorized users out of their networks.
The situation worsens considering that 65% are not extremely confident their data would be secure if perimeter defenses were breached. Over two thirds (68%), in fact, say unauthorized users can access their networks.
The findings are from a Gemalto survey of IT decision makers in the US, the UK, France, Germany, India, Japan, Australia, Brazil, Benelux, the Middle East and South Africa. The industries polled included Manufacturing, Healthcare, Financial Services, Government, Telecoms, Retail, Utilities, Consultation and Real Estate, Insurance and Legal, IT and others.
Six in 10 (59%) organizations report that they believe all their sensitive data is secure, but at the same time a daunting 55% don’t know where their sensitive data is stored. The bad news doesn’t end here. Over a third of businesses do not encrypt payment data (32%) or customer data (35%).
“This means that, should the data be stolen, a hacker would have full access to this information, and can use it for crimes including identity theft, financial fraud or ransomware,” according to the survey organizers.
Some 28% of organizations reported perimeter breaches in the past 12 months, and on average only 8% of the breached data was protected with encryption.
In IT, perimeter security refers to firewalls, intrusion detection and prevention systems (IDPS), antivirus, content filtering, anomaly detection, and other technologies designed to protect against external attackers.
However, according to Jason Hart, Vice President and Chief Technology Officer for Data Protection at Gemalto, even that’s not enough to secure intellectual property and sensitive customer data.
"It is clear that there is a divide between organizations' perceptions of the effectiveness of perimeter security and the reality," said Hart. "By believing that their data is already secure, businesses are failing to prioritize the measures necessary to protect their data. Businesses need to be aware that hackers are after a company's most valuable asset - data. It's important to focus on protecting this resource, otherwise reality will inevitably bite those that fail to do so."
General Data Protection Regulation (GDPR)
The EU General Data Protection Regulation (GDPR), effective May 25, 2018, will affect every organization that processes personally identifiable information of an EU resident.
The GDPR was put forward by the European Commission in January 2012 in an effort to make member countries fit for the digital age. The Commission took these steps after learning that 90% of Europeans expressed a dire need for unified data protection rights, regardless of where their data is ultimately processed.
More than half (53%) of the companies surveyed are in murky waters as they admit they likely don’t comply with the General Data Protection Regulation (GDPR) to be enforced from May 2018.
Only by properly securing personal data will these organizations avoid administrative fines and reputational damage, according to the surveyors. GDPR compliance will demand defenses like encryption, two-factor authentication (2FA) and key management strategies, among others.
"Investing in cybersecurity has clearly become more of a focus for businesses in the last 12 months,” Hart continued. “However, what is of concern is that so few are adequately securing the most vulnerable and crucial data they hold, or even understand where it is stored. This is standing in the way of GDPR compliance, and before long the businesses that don't improve their cybersecurity will face severe legal, financial and reputational consequences."
A similar survey last month showed that consumer product businesses worldwide are overly confident they can fight cybercrime and protect their reputation, intellectual property, payments and human capital.
As many as 82% of the CTOs surveyed by Deloitte said their company had not documented or tested cyber response plans involving business stakeholders within the past year. Twenty-five percent reported a lack of funding and 21 percent reported a lack of clarity on mandates, roles and responsibilities.
Ransomware pandemics like the WannaCry attack in May and the GoldenEye/Petya attack in Ukraine last month confirm these worrying estimates, and indeed our own – that large-scale cyberthreats are quickly becoming the norm, making it imperative for companies to become GDPR compliant.