#2018DataThreat
2018THALESDATA THREATREPORT
Trends in Encryption and Data Security
EUROPEAN EDITIONEXECUTIVE SUMMARY
2 2018 THALES DATA THREAT REPORT • EUROPEAN EDITION
In Europe, as in the rest of the world, reports of major security breaches continue unabated, despite global efforts to fight back with increased IT security spending. This suggests that either the attackers are managing to stay a step ahead of cybersecurity efforts – or worse, that the increased funding is not being deployed most effectively to counteract evolving threats and new compute environments. Regardless, doing what we have been doing for decades is no longer working. The more relevant question on the minds of IT and business leaders is: “What will it take to stop the breaches?”
THE TOPLINE
Data under siege across Europe
ENCRYPTION IS CRITICAL TO SOLVING DATA SECURITY PROBLEMS
Encryption drives digitally transformation and traditional data security
43% 37%48% 44%
Cloud:Data encryptionis the top tool
needed for more cloud use
Big Data: Encryption needed to enable greater usage of big data
IoT:Encryption the
top tool neededto increase
IoT adoption
Containers: Availability
of encryption increases adoption
DATA BREACHES ARE THE NEW REALITY DIGITAL TRANSFORMATION EXPANDS DATA THREAT LANDSCAPES
—Garrett Bekker, 451 Research Principal Analyst, Information Security
“AS ORGANISATIONS INCREASINGLY ENGAGE WITH MULTIPLE CLOUD PROVIDERS, WHO MAINTAINS CONTROL OVER ENCRYPTION KEYS HAS BECOME A HUGE POTENTIAL ISSUE, PARTICULARLY FOR THOSE WHO TAKE ADVANTAGE OF NATIVE ENCRYPTION SERVICES.”
—Garrett Bekker, 451 Research Principal Analyst, Information Security
“FIRMS SHOULD CONSIDER GREATER USE OF ENCRYPTION ANDBYOK, ESPECIALLY FOR CLOUD AND OTHER ADVANCED TECHNOLOGY ENVIRONMENTS TO BOTH ADDRESS GROWING COMPLIANCE MANDATES AND ALSO TO MOVE CLOSER TO INDUSTRY BEST PRACTICES."
NOT PUTTING THEIR MONEY WHERE THEIR DATA IS
Breached ever(almost threeout of four)
Breached in the last year
71% 32%
Breached multiple timeshave been breached both in the last year and previously
14%
How will organisations mitigate these risks?
72%
27%
Increasing ITsecurity spending
Overall Muchhigher
44%
21%12% 11%
Meeting data privacy requirements
Encrypting personal
data
Tokenising personal
data
Migrating data
Using local cloud and
hosting providers
99% use digital transformation technologies with sensitive data
(cloud, big data, IoT, containers, blockchain or mobile payments)
Use 3 or more IaaS vendors
Using 3 or more PaaS environments
Use more than25 SaaS
applications
56% 55% 63%
Multi-cloud usage is high, bringing additional risks
Respondents report their organisations increasing spending the least on the most effective tools for protecting data
Rated very or extremely effective Spending Increase
73%36%
68%44%
69%44%
72%42%
60%51%
Endpoint & mobiledevice defences
Analysis &correlation tools
Data at restdefences
Data in motiondefences
Most effective but lowest spending increases
Networkdefences
32018 THALES DATA THREAT REPORT • EUROPEAN EDITION
The new computing environments that virtually every enterprise is leveraging for digital transformation are as large a component of the problem as evolving threats, or even more so. The benefits of this transformation are substantial, but the many different categories and implementation models being used need specific attention to data security by both type and instance, making the problem of safely using sensitive data within them complex and difficult if the right solutions are not identified and used to meet this need.
Moreover, as readers are no doubt aware, this is also the year when Europe’s General Data Protection Regulation (GDPR), among the most sweeping and comprehensive data privacy/information security regulations ever implemented, begins to be enforced. Combining GDPR with the realities of unabated data breaches, digital transformation and expanding threat landscapes results in the potential for business disruption and costly penalties as enterprises struggle to adjust.
DIGITAL TRANSFORMATION REQUIRES A NEW DATA SECURITY APPROACH
Digital transformation drives efficiency and scale for existing products and services, while also making possible new business models that drive growth and profitability. Enterprises across Europe are embracing the opportunity by leveraging all that digital technology offers, but can leave the security of their sensitive data at risk in the rush to deployment.
We found that the overall adoption of cloud, big data, IoT, containers, mobile payments and blockchain technologies by enterprises is at very high levels to drive this transformation. Cloud adoption is now universal, creating the new problem of how to securely use and manage multi-cloud deployments. Big Data usage is now at 97%, and blockchain, mobile payments, and IoT usage are all at more than 90% adoption rates. With 99% of respondents also identifying that their organisations are using sensitive data within these environments these massive rates of adoption make the problem of data security hypercritical. Not only do each of these environments have unique data security problems, but enterprises must also deal with compliance with GDPR requirements for data security wherever the personal information of EU citizens is deployed.
Digital transformation initiatives have high usage of sensitive data
Implementations levels and sensitive data usage with digital transformation technologies
Using or planning to use the technology Using sensitive data with the technology
100%77%
97%41%
92%39%
94%33%
92%26%
94%25%
Cloud
Big Data
Mobile Payments
IoT
Blockchain
Containers
99% use digital transformation technologies with sensitive data
(cloud, big data, IoT, containers, blockchain or mobile payments)
40% The top driver for IT security spending decisions is the adoption of cloud computing
4 2018 THALES DATA THREAT REPORT • EUROPEAN EDITION
Multi-cloud operations creating big concerns
We found that 63% of respondents identified that their enterprise uses more than twenty-five Software as a Service (SaaS) offerings, 56% were also using three or more Infrastructure as a Services (IaaS) offerings and 55% three or more platform as a service (PaaS) offerings. This level of cloud service usage drives innovation and efficiency, but comes at a price for data security – and it can be measured in the potential for increased levels of complexity driven by the unique requirements for protecting, and retaining control of, data within this range of environments.
In a traditional data centre, not only is data physically secured within the four walls of the enterprise, but all of the infrastructure underlying implementation tools and networks are also under the direct control of the organisation. Now, for IaaS, a specific data security plan must be created for each deployment and environment, then enforced by policy, operational methods and tools. For SaaS and PaaS environments, the case is more complex. In many of these environments, organisations are given little control over how their data is stored or protected, and in some cases where data security controls are available (such as AWS S3 storage buckets or Salesforce implementations) managing encryption keys, and access controls become a new task, requiring new expertise and tools. Third party offerings that reduce this complexity with integrated management of encryption technologies for multiple environments are starting to become available, but are not yet widely recognised. Organisations are going to need them – A basic security maxim is that whoever controls the keys, controls the data. Encryption – with encryption key control either local or remote from the cloud environment managed – is required.
Multi-cloud usage brings additional risks
Use 3 or more IaaS vendors
56% Using 3 or more PaaS environments
55%Use more than 25SaaS applications
63%
Top concerns with cloud computing
Top it security tools need to expand cloud computing use
57%
55%
54%
52%
Security breaches/attacks at the service provider
Lack of control over data location/data residency concerns
Managing monitoring and deployingmultiple cloud native security tools
Custodianship of encryption keys
42%
43%
39%
39%
39%
Encryption with enterprise key management
Encryption with CSP key management
SLAs for a data breach from the CSP
Compliance commitments
Detailed physical and IT security information
52018 THALES DATA THREAT REPORT • EUROPEAN EDITION
DATA BREACHES ARE THE NEW REALITY
With the enforcement phase of GDPR underway, it’s long been the expectation that enterprises will start to take their data security very seriously. The bad news is that even with this incentive looming reports of data breaches last year were substantially up in Europe. On average, roughly one-third (32%) of European respondents report being breached in the previous year, slightly less than the global average (36%). This rate is also well below the U.S. (46%), though both the UK (37%) and Germany (33%) showed sizable increases in the number of those reporting breaches in the past year, up from 22% (UK) and 25% (Germany). Similarly, nearly three-fourths in the Netherlands (74%) and Sweden (78%) have experienced a data breach at any point in the past, well ahead of the global average of 67%.
Another sign that troubled times may be ahead for many enterprises are the rates of failure “in the last year” for data security compliance audits – More than one in three (35%) of respondents polled in European enterprises reported a failed compliance audit in the last year. Moreover, this level of failure was measured before enforcement began. In every country polled except for the UK, this rate of compliance audit “failure in the last year” was higher than all “failures at another time in the past”, sometimes by more than a four to one ratio. We do not have data to show whether this level of audit failure is a result of preparation to meet the new standards, but let’s hope so for the sake of citizen’s private data.
Rates of data breaches “in the last year” accelerate in the UK and GermanyData breaches are the new reality
A rising tide of breaches is rolling across Europe. Few enterprises are spared, and the advent of GDPR increases the resulting risks for organisations.
22%20172018
2017201837% 33%
25%
Breached ever(almost threeout of four)
Breached in the last year
71% 32%
Breachedmultiple times
have been breached both in the last year
and previously
14%
UK Germany
Data security compliance audit failures
Total Europe Germany The Netherlands Sweden UK
35%33%
38%49%
19%
17%18%
17%13%
20%
In the last year
At another time in the past
6 2018 THALES DATA THREAT REPORT • EUROPEAN EDITION
One other result of this seemingly endless onslaught of successful breaches and failed compliance audits has been elevated feelings of vulnerability to data threats. On average, 41% of European respondents report feeling either ‘very’ or ‘extremely’ vulnerable to data threats, slightly below the global average of 44%. Sweden (50%) and the Netherlands (47%) were notably at the high end, while Germany (36%) and the UK (31%) were somewhat surprisingly at the low end, despite having each experienced large jumps in breaches from the prior year.
However, our results also show good news as well. IT security budgets are starting to expand to counteract these threats. 72% are increasing their IT security spending, with 27% reporting that IT security spending will be much higher this year.
—Garrett Bekker, 451 Research Principal Analyst, Information Security Author of the 2018 Thales Data Threat Report
“As organisations increasingly engage with multiple cloud providers, who maintains control over encryption keys has become a huge potential issue, particularly for those who take advantage of native encryption services.”
6
How will organisations mitigate these threats?
44%
21%
12%
11%
Encrypting personal data
Tokenising personal data
Migrating data
Using local cloud and hosting providers
72%
27%
Increasing IT security spending Meeting data privacy requirements
Overall
Muchhigher
72018 THALES DATA THREAT REPORT • EUROPEAN EDITION
ORGANISATIONS NEED TO CHANGE HOW THEY PROTECT THEIR DATA
Respondents report biggest spending increases in tools that no longer protect data effectively
We found that respondents clearly recognise the defences designed specifically for protecting data are the most effective tools for doing so. Data-at-rest defences were rated as the most effective tools for protecting data, with 72% responding that they were either ‘very’ or ‘extremely’ effective. However, data-at-rest security tools are not getting a high priority in spending increases. In fact, the data-at-rest defences that are the most effective at protecting large data stores are the lowest priority for increases in IT security spending, at only 36%.
At the same time, increases in IT security spending are greatest for endpoint (51%) and network (44%) defences, even as these tools become are no longer wholly effective against attacks designed to compromise data. The combination of spear phishing with zero-day exploits available to criminal hackers makes it almost impossible to keep intruders away from critical data stores solely with network and endpoint-based security controls. As respondents recognise, the most effective solutions are security controls that provide an additional layer of protection directly around data sets. Data-at-rest and data-in-motion security tools can reduce attack surfaces, and provide the information needed to quickly find and stop attacks designed to mine critical data while in progress. Cloud computing also makes network security tools less relevant as increasingly infrastructure is no longer implemented within the four walls of the enterprise. In fact, the vast majority of new projects are implemented using cloud resources.
—Garrett Bekker, 451 Research Principal Analyst, Information Security Author of the 2018 Thales Data Threat Report
“Data security offers increased protection to known and unknown sensitive data found
within advanced technology environments.”
Not putting their money where their data is
Respondents report their organisations increasing spending the least on the most effective tools for protecting data
Rated very or extremely effective Spending Increase
73%36%
Data at restdefences
Most effective but lowest spending increases
72%42%
Data in motiondefences
69%44%
Analysis &correlation tools
68%44%
Networkdefences
60%51%
Endpoint & mobiledevice defences
8 2018 THALES DATA THREAT REPORT • EUROPEAN EDITION
51%
“Despite ranking dead last in terms of effectiveness, endpoint and mobile defences sit at the top of spending priorities for 2018 at 51%, while data-at-rest security – ranked as most effective – is at the bottom in terms of spending plans (36%).”
8
9 2018 THALES DATA THREAT REPORT • EUROPEAN EDITION
ENCRYPTION IS A CRITICAL TOOL FOR PROTECTING SENSITIVE DATA – WHEREVER IT RESIDES
Protects data in traditional data centres, cloud, big data, and wherever sensitive information is used or stored
Good news. Not only did respondents in Europe identify that encryption technologies are the most effective way to protect data, but in spite of low spending levels, projects are underway to implement encryption for data protection at fairly high levels. Respondents identified that four of the top five data security tools planned this year are encryption technologies – BYOK, enabling cloud-native encryption capabilities, tokenisation and hardware security modules (HSMs). Last, 44% plan to encrypt data to meet global data privacy and sovereignty requirements.
9
—Garrett Bekker, 451 Research Principal Analyst, Information Security Author of the 2018 Thales Data Threat Report
“Look for data security toolsets that offer services-based deployments, platforms, and
automation that reduce usage and deployment complexity for an additional layer of
protection for data.”
Encryption is the top tool planned to meet global privacy requirements
44%
Encryption technologies are 4 of the top 5 data security tools that are planned this year (but not yet implemented):
Enabling cloud-nativeencryption capabilities
41%BYOK44%
Tokenisation 43%
Hardware Security Modules
42%Data accessmonitoring
43%
43% 37%48% 44%
Cloud:Data encryption
is the top tool needed for more cloud use
Big Data: Encryption needed to enable greater usage
of big data
IoT:Encryption the top tool needed to increase
IoT adoption
Containers: Availability of encryption
increases adoption
“Despite ranking last in terms of effectiveness, endpoint and mobile defences sit at the top of spending priorities for 2018 at 51%, while data-at-rest security – ranked as most effective – is at the bottom in terms of spending plans (36%) … Meanwhile, despite high effectiveness rankings, data-at-rest defences are ranked last across Europe in terms of spending plans (36%).”
“With increasingly porous networks, and expanding the use of external resources (SaaS, PaaS, and IaaS most especially) traditional endpoint and network security are no longer sufficient. When implemented as a part of the initial development (for ease of implementation versus retrofitting at a later date), data security offers increased protection to known and unknown sensitive data found within advanced technology environments.”
“Look for data security toolsets that offer services-based deployments, platforms, and automation that reduce usage and deployment complexity for an additional layer of protection for data.”
—Garrett Bekker, 451 Research Principal Analyst, Information Security Author of the 2018 Thales Data Threat Report
10
112018 THALES DATA THREAT REPORT • EUROPEAN EDITION
ENCRYPTION IS THE SOLUTION
Encryption technologies are critical to protecting data at rest, in motion and in use. Encryption secures data to meet compliance requirements, best practices and privacy regulations. It’s the only tool set that ensures the safety and control of data not only in the traditional data centre, but also with the technologies used to drive the digital transformation of the enterprise.
ABOUT THALES
Thales eSecurity is the leader in advanced data security solutions and services that deliver trust wherever information is created, shared or stored. We ensure that the data belonging to companies and government entities is both secure and trusted in any environment – on-premises, in the cloud, in data centres or big data environments – without sacrificing business agility. Security doesn’t just reduce risk, it’s an enabler of the digital initiatives that now permeate our daily lives – digital money, e-identities, healthcare, connected cars and with the internet of things (IoT) even household devices. Thales provides everything an organisation needs to protect and manage its data, identities and intellectual property and meet regulatory compliance – through encryption, advanced key management, tokenisation, privileged user control and high assurance solutions. Security professionals around the globe rely on Thales to confidently accelerate their organisation’s digital transformation. Thales eSecurity is part of Thales Group.
OUR SPONSORS GEOBRIDGE
TO READ THE FULL REPORT VISIT: DTR.THALESESECURITY.COM
©2018 Thales