2016 Dell Data Security Survey FULL REPORT

Transcription

1 2016 Dell Data Security Survey FULL REPORT

2 INTRODUCTION Both IT and business decision makers are becoming more informed about the data security landscape, however more needs to be done for many businesses to adequately protect themselves. Data security is finally taking its rightful place in boardrooms around the world. For years it remained an afterthought, even as IT executives tried to convince business teams that data security should play a pivotal, up-front role in decision making. Now both IT and business decisions makers are carrying the banner of data security inside companies, recognizing not only the safety it brings but also the opportunity. But there is still work to be done. Even as companies recognize the benefits of data security, they are struggling to develop programs that effectively incorporate it without detracting from other business initiatives. They may have tools in place to address data security needs, yet companies still are reporting gaps in their comfort level with implementing or expanding programs that rely on these technologies. In November 2015, Dell commissioned a survey to obtain a comprehensive look at how IT decision makers in the mid-market as well as the C-suite view data security trends and the impact these are having on their businesses. The results included responses from more than 1,300 business and IT decision makers across seven countries. A few of the findings surprised us. Many others simply provided hard numbers to back up trends we ve observed among our own customers and partners. In this first-ever Dell Data Security Survey, we ve distilled those insights to share the specific data security concerns held by businesses in the mid-market. WE LL COVER SEVERAL KEY TRENDS, INCLUDING THE FOLLOWING: 1. Data security has become a priority for C-suite executives, however keeping ahead of threats remains a concern. 2. Despite increased buy-in from the C-suite, IT departments still need more business support to fully integrate data security Malware and weaponized attacks are keeping IT and business decision makers up at night. Employers feel they have to limit mobility in order to protect data. Respondents see their data at risk in public cloud platforms. METHODOLOGY Penn Schoen Berland conducted an online survey among 1,302 commercial respondents in the United States, Europe, and the Asia Pacific region, including Japan. Respondents represented both IT and business decision makers. Research was conducted from November 19 to December 8, Dell Data Security Survey 02

3 01/ Data security has become a priority for C-suite executives, however keeping ahead of the threats remains a concern. Although the C-suite might be more involved in data security than in the past, IT teams feel executives still are not allocating the energy or resources needed to properly address data security challenges. According to the survey, nearly three in four decision makers agree that data security is a priority for their organization s C-suite, but there are concerns that senior executives don t pay enough attention and aren t well informed about data security issues and tools. In fact, one in four decision makers don t find their C-suite to be informed about data security issues, according to nearly one-third (32 percent) of business decision makers and one in five IT decision makers. If business strategies and cybersecurity strategies are not developed in alignment, neither will succeed. For example, an IT team creates a thorough security strategy for its headquarters, ensuring the network is fully secured, employee devices are on a regular maintenance schedule, and training and communication are in place. However, if the CEO then announces that employees can work from home, a major security gap has arisen. Similarly, even if an IT program is fully secured against domestic threats, any business integration with foreign companies will pose a risk. In other words, cybersecurity is not purely a technical exercise it s a business imperative that must be baked into new initiatives from their inception. The findings also show that three in four decision makers say their C-suite plans to increase current security measures, and more than half expect to spend more money on data security over the next five years. However, cost is a concern when it comes to building on existing security programs 53 percent cite cost constraints for why they don t anticipate adding additional security features in the future, and only one in four decision makers are very confident in their C-suite s ability to budget enough for data security solutions over the next five years. These numbers suggest that the C-level has to be more engaged when it comes to integrating data security strategies into their business. They understand the need to invest in their security infrastructure, but that isn t translating into updating or expanding their current systems to adequately prevent modern attacks. This has IT teams concerned. Legacy infrastructure can provide a basic foundation for data security, but threats evolve and increase every year, as do the threat vectors inherent in the business environment. In today s complex, connected world, a multi-faceted, defense-in-depth security program is truly the only way to prevent breaches. For business and IT to become closer in alignment, the C-suite must move beyond a cursory understanding of data security to a mindset where security is incorporated in the planning stages. This is not to say that security should limit business initiatives. On the contrary, security teams should do everything possible to support business evolution. However, it s key to recognize that, in order to properly support business initiatives, IT teams need to be involved in business planning sessions and have access to modern infrastructure and solutions Dell Data Security Survey 03

4 02/ Despite increased buy-in from the C-suite, IT departments still need more business support to fully integrate data security. Staffing is a perpetual challenge for IT teams, who find themselves stretched increasingly thin as business initiatives demand more and more support. A lack of investment in streamlined technologies and a shortage of talent are both barriers to fine-tuning data security programs. The majority of decision makers (58 percent) believe that their company is being adversely affected by the shortage of trained security professionals currently on the market, which may be leading to antiquated security techniques and practices. Similarly, 69 percent of decision makers still view data security as a burden on their time and budget. This shows that businesses still see data security as an afterthought, and not as process which enables greater mobility. More than just a mindset however, the costs and time constraints which commonly accompany traditional antivirus solutions continues to have an adverse impact on IT departments Dell Data Security Survey 04

5 Despite this burdensome view of data security programs, nearly half (49 percent) of decision makers believe they need to spend more time securing their data in the next five years than they are today. IT teams know they need to attain a higher level of effectiveness, but getting there seems overwhelming. It s important to note that 76 percent believe their solutions would be less burdensome if provided through a single vendor. For companies with hundreds or thousands of employees, managing each endpoint separately using multiple consoles is extremely inefficient and leads to a high probability of user error. Implementing a single, integrated suite for IT management can drastically improve this process. 03/ Malware and weaponized attacks are keeping IT and business decision makers up at night. Nearly three in four (73 percent) decision makers are somewhat to very concerned about malware and advanced persistent threats, even though the majority already rely on anti-malware software to maintain their organization s data security. Concern over malware threats is highest in the United States (31 percent very concerned), France (31 percent very concerned) and especially India (56 percent very concerned) while it s a lesser concern in Germany (11 percent very concerned) and Japan (12 percent very concerned). Only one in five decision makers are very confident in their ability to protect against sophisticated malware attacks. Additionally, the lack of employee awareness is perceived as a great risk. Respondents are more worried about spear phishing attacks (73 percent are concerned) than any other breach method. There s a good reason companies are worried about malware and other external attacks cyber attacks are not decreasing in number or effectiveness. In fact, Dell SonicWALL identified twice as many unique malware signatures in 2015 as in 2014, and the average cost of data breaches increased by $300,000. Anti-malware software is ubiquitous, so what accounts for this gap in security? The answer is, once again, outdated or ineffective tools and misaligned strategies. When IT teams do not have the resources or business integration they need to implement preventative strategies, they are forced to play defense using threat detection alone. It s a risky game if a device is compromised, perhaps it won t affect the organization s other assets before the team can notice and eradicate the threat. However, imagine the CIO s device is compromised, and a competitor obtains product roadmaps. Imagine customer data or other sensitive information is saved on the device or accessible via the application. Even if the leakage stops there, the organization is facing a potential multi-million-dollar loss. Moreover, the effort needed to repair damage after an attack can be grueling, particularly given the volume of attacks taking place each month. Besides, the more malware that gets through IT s defenses, the more employees are calling the help desk for support, costing the company even more money and man hours. With today s elevated threat landscape, a reactive security program is not a cost-effective choice. Modern infrastructure is designed to identify and prevent malware attacks, protecting your organization s sensitive data, even in the event of a lost or stolen device. Of course, employee training also plays an essential role, as only awareness of common threats can help employees avoid falling victim to spear phishing scams or other risky behavior Dell Data Security Survey 05

6 04/ Employers feel they have to limit mobility in order to protect data. The common narrative is that all offices are becoming more mobile, but the truth is somewhat more complicated. It turns out that about 82 percent of decision makers have attempted to limit data access points to enhance security and only 18 percent are totally confident that their data is secure when employees access it remotely. In addition, 72 percent of decision makers believe that knowing where data is accessed will make their data-protection measures more effective. Businesses identify security as a higher priority than employee flexibility 67 percent are hesitant to introduce a bring-your-own-device (BYOD) program, and 65 percent are holding back plans to make their workforce more mobile for security reasons. In addition, 69 percent of respondents say they are still willing to sacrifice individual devices to protect their company against a data breach. Companies theoretically recognize the demand for a mobility program. Security concerns aside, two in five respondents are interested in allowing greater mobility for an enhanced employee user experience. However, they may not recognize that cracking down on mobile access might be akin to trying to put 2016 Dell Data Security Survey 06

7 toothpaste back in its tube. About half of millennials expect to have the ability to conduct business on mobile devices, and in fact, 43 percent of the workforce does so secretly, even if the company doesn t have a mobility program in place., So when companies opt out of creating sanctioned, secure mobility programs, they open themselves up to even greater risks. Even those that succeed at locking down data by removing workplace flexibility risk losing star employees. The challenge is that, with traditional data security solutions, companies can support the encryption of data when it s at rest on a PC or mobile device or in the cloud. However, data does more than just rest. It s moved, shared and utilized. Therefore, companies must encrypt data across all use cases (such as , file sharing, opening the file, etc.). The company also wants to retain rights management to control what information is copied and pasted, shared or printed and by whom. Security teams have to plan for protection throughout that entire lifecycle. The survey also found that 57 percent of respondents are still concerned about the quality of encryption used by their company. The solution is to use intelligent encryption software that can protect data whether it s at rest, in motion or in use. Intelligent encryption travels with the data, rather than just the device, making endpoint security much easier for companies. Because of this and other mobile-ready solutions, mobility and security can easily co-exist with modern data security technology. What can t co-exist today is unreasonable restrictions and worker satisfaction Dell Data Security Survey 07

8 05/ KEY FINDINGS Respondents see their data at risk in public cloud platforms. With more workers utilizing public cloud services like Box and Google Drive in the workplace, businesses feel unconfident in their ability to control risks posed by these applications. Nearly four in five respondents are concerned with uploading critical data to the cloud, and 58 percent are actually more concerned than they were a year ago. As we saw with mobility, companies are taking a limiting, rather than enabling, approach to this problem. Thirty-eight percent of decision makers have limited access to public cloud resources within their organization due to security concerns. Moreover, 57 percent of decision makers who are current cloud users and 45 percent of those planning to use public cloud platforms, will rely heavily on cloud vendors to provide security. In a worrying sign, despite the productivity and collaborative benefits many mid-market businesses can 2016 Dell Data Security Survey 08

9 glean from public cloud solutions, only one in three companies currently list improving secure access to public cloud environments as a key focus for their security infrastructure. That is despite 83 percent saying that employees are either using or will be using shortly public cloud environments to share and store valuable data. With intelligent data encryption, even if an attack were to succeed against Box or Google Drive, delivering the encrypted data into the hands of hackers, it would not be readable. If the company s security program follows best practices, hackers would also need the login credentials of an authorized employee, as well as that employee s work device to decrypt the information. Security programs must enable employees to be both secure and productive, and this means enabling, not restricting technology that helps them do their jobs. Companies can try to limit or prohibit public cloud use, but it s more proactive and effective to protect corporate data wherever it may go. Final Takeaway Perhaps what surprised us most among the survey s responses was the recurring theme of security as a burden, point of fear or imperative for which difficult sacrifices must be made. The reality is that data security solutions have evolved to co-exist harmoniously with other corporate goals, supporting rather than hindering productivity and profitability alike. The increased attention being paid to data security is a promising step. However, data security professionals must continue the work of educating their C-suite executives, dispelling misconceptions, and introducing their companies to the world of tools and opportunities available to them. IT S IMPORTANT TO START WITH THE BASICS: Ensure security teams are involved with business initiatives from their inception Only when business strategies and security strategies are aligned can they succeed. Employ modern threat prevention technologies Legacy systems or those built only to detect breaches will not be adept at protecting critical data in today s heightened threat environment. Protect data, not just endpoints Using intelligent encryption that travels with data dramatically reduces the chances that an attacker will be able to use compromised data. Invest in a single, integrated suite that offers best-of-breed capabilities Reducing the burden of endpoint management on your IT team will help reduce both costs and user errors. Just as business goals evolve, so should security programs. The challenges placed on IT teams are greater than ever before, but so is the technology available to help. Security does not have to preclude productivity, growth or the evolution of business opportunities. When approached knowledgeably and supported with appropriate budget and buy-in, security adds momentum to even the most innovative C-suite Dell Data Security Survey 09