Embed Size (px)
Citation preview
www.thales-esecurity.com
2017 THALES DATA THREAT REPORTTrends in Encryption and Data Security
RETAIL EDITION
2017 THALES DATA THREAT REPORTTRENDS IN ENCRYPTION AND DATA PROTECTION
U.S.
MEXICO
U.K.GERMANY
JAPAN
AUSTRALIABRAZIL
1,100+ SENIOR IT SECURITY EXECUTIVES SURVEYED GLOBALLY | 100 U.S. FEDERAL | 89 GLOBAL RETAIL
Copyright 2017 Thales
RESPONDENTS ORGANIZATIONS (ALL)73% - $500M OR MORE48% - $1B OR MOREALL US - $250M+ALL GLOBAL - $150M+
U.S. RETAIL DATA BREACH RATES IMPROVEBUT ARE STILL NOT GOOD NEWS
RATES OF DATA BREACHES IN THE LAST YEAR DROPPED FROM 22% TO 19%,WHILE ALL THE OTHER VERTICALS THAT WE MEASURED HAD INCREASES. BUT 1 IN 5 RETAILERS BEING BREACHED EACH YEAR IS STILL BAD NEWS
– COMPOUNDING THE PROBLEM –U.S. RETAILERS INCREASINGLY USE SENSITIVE DATA WITH CLOUD, BIG DATA AND OTHER ADVANCED, BUT OVER HALF DO SO WITHOUT DATA SECURITY
52%H A V E
E X P E R I E N C E D A D A T A B R E A C H
• 19% IN THE LAST YEAR (DOWN FROM 22% PREVIOUSLY)
• 11% MORE THAN ONCE
U . S . R E T A I L
60%H A V E
E X P E R I E N C E D A D A T A B R E A C H
• 43% IN THE LAST YEAR• 32% MORE THAN ONCE
G L O B A L R E T A I L
U.S. RETAIL – LEAST LIKELY TO BE BREACHEDOF U.S. VERTICALS
U.S. RETAIL DATA BREACHES
“Breach results were not so rosy for global retail, however - a staggering 43% of global retail respondents reported a breach in the past year alone, approaching twice the global average.”
Garrett BekkerPrincipal Analyst, Information Security, 451 Research
2017201768%
IN THE LAST YEAR2016 2016
19%22% 30% 44%
AT ANOTHER TIME IN THE PAST
2017 DATA BREACH RESULTS BY U.S. VERTICAL
HEALTHCARE FEDERAL GOVERNMENT
84%
FINANCIAL SERVICES
34%
65%
24%
42%
EVER
IN THE LAST YEAR
RETAIL
19%
52%47%
20%
Garrett BekkerPrincipal Analyst Information Security, 451 Research
“.. external attackers frequently masquerade as insiders by using stolen or compromised credentials to access all types of valuable data, including PII, PHI, financial data and intellectual property”
29% U.S. RETAIL
59% U.S. RETAIL
61% U.S. RETAIL
36% U.S. RETAIL
ORDINARY EMPLOYEES
EXECUTIVEMANAGEMENT
THE MOST DANGEROUS INSIDERS
PRIVILEGED USERS
CONTRACTORS
51% GLOBAL RETAIL
56% GLOBAL RETAIL
31% GLOBAL RETAIL
28% GLOBAL RETAIL
TOP EXTERNAL THREAT ACTOR SELECTIONS
IN SPITE OF ALL THE FUROR AROUND NATION STATE HACKING, CYBER CRIMINALS TOP THE LIST OF CONCERNS BY A WIDE MARGIN
6%CYBER CRIMINALS
HACKTIVISTSNATIONSTATES
CYBER-TERRORISTS
COMPETITORS
11%15%17%49%
U.S. RETAIL
GLOBAL RETAIL
9%CYBER CRIMINALS
HACKTIVISTSNATIONSTATES
CYBER-TERRORISTS
COMPETITORS
11%12%19%48%
U.S. RETAIL USING SENSITIVE DATA WITH ADVANCED TECHNOLOGIESWITHOUT DATA SECURITY TO PROTECT INFORMATION
53%OF U.S. RETAIL RESPONDENTS SURVEYED ARE
DEPLOYING NEW TECHNOLOGIES IN ADVANCE OF HAVING APPROPRIATE LEVELS
OF DATA SECURITY IN PLACE
95%WILL USE SENSITIVE DATA IN AT
LEAST ONE OF THESE ADVANCED TECHNOLOGY ENVIRONMENTS
39%
4%
41%
44%
13%
46%
56%
38%
BLOCKCHAIN
CONTAINERS
BIG DATA
IOT
PAAS
MOBILE
IAAS
SAAS
* U.S. RESULTS
WITH NATIONAL REGULATIONS LIKE GDPR COMING WORDWIDEDATA PRIVACY AND SOVEREIGNTY ARE MAKING WAVES EVERYWHERE
75% - U.K.72% - GLOBAL
Impacted by Data Privacy and Data Sovereignty
ADDRESSING REQUIREMENTS BY: U.K.
GLOBAL
TOKENIZING DATA
LOCAL HOSTING & CLOUD
33%57%
23%29%
ENCRYPTING DATA
MIGRATING DATA
TOKENIZING DATA
LOCAL HOSTING & CLOUD
40%64%
26%36%
ENCRYPTING DATA
MIGRATING DATA
JAPAN
U.S.A.
DATA PRIVACY/SOVEREIGNTY BEYOND GDPR
AIPP DATA PROTECTION AND
PRIVACY RULES GO LIVE MAY 2017
48 STATE LAWS PLUS FEDERAL REGULATIONS
MEXICO
LFPDPPP PRIVACY LAW WITH FINES UP
TO £ 1.5M
BRAZIL
NEW PRIVACY LEGISLATION PENDING FOR
APPROVAL
88%WERE VERY OR EXTREMELY VULNERABLE 19%
OF U.S. RETAIL RESPONDENTS FELT THEIR ORGANIZATIONS WERE VULNERABLE TO DATA THREATS
“Today’s unbroken string of high profile data breaches serves as stark proof that data on any system can be attacked and compromised.”
Garrett Bekker, Principal AnalystInformation Security, 451 Research
U.S. RETAIL AGENCIESFEELING LESS VULNERABLE
“More good news – Only 19% of U.S. retail respondents report feeling ‘very’ or ‘extremely’ vulnerable to security threats –the lowest of any respondent category and down from 39% in last year’s report, compared with 39% of global retail.
Garrett BekkerPrincipal Analyst, Information
Security, 451 Research
VERY OR EXTREMELY
VULNERABLE
SOMEWHAT OR MORE
VULNERABLE
HEALTHCARE
U.S. Verticals
16%
84%
RETAIL
19% 47%27%FEDERALFINANCIAL
SERVICES
88%86%85%
48% 37%
88%
44%
90%
29%
90% 96%
31%
88%
Global Verticals
HEALTHCARE RETAIL FEDERALFINANCIAL SERVICES
E X P E C T T H E I R S P E N D I N G O N I T S E C U R I T Y T O
I N C R E A S E
• UP FROM 61% IN 2016• GLOBAL AVERAGE 73%
77%73%
2016
2017
58.5%
77%
61%
BEST PRACTICES TOP COMPLIANCE ON U.S. RETAIL IT SECURITY SPENDING PRIORITY LISTS
IT SECURITY SPENDING PRIORITIES (RATES OF TOP 3 SELECTION) “GIVEN THE WIDESPREAD EFFECT OF PCI-DSS IN RETAIL, WE ARE SOMEWHAT ENCOURAGED TO SEE OTHER MOTIVATIONS FOR SPENDING GAINING GROUND. IT’S ALSO WORTH NOTING THAT U.S. RETAIL HAD THE LOWEST RATINGS (53%) FOR COMPLIANCE BEING ‘VERY’ OR ‘EXTREMELY’ EFFECTIVE AT SECURING DATA , A LARGE DROP FROM 65% A YEAR AGO AND BELOW THE 59% GLOBAL AVERAGE.”
Garrett Bekker, Principal AnalystInformation Security, 451 Research
37% - 2017 DATA BREACH PENALTIES
37% - 2017 REPUTATION AND BRAND PROTECTION
21% - 2017EXECUTIVE DIRECTIVE
41% - 2017 COMPLIANCE REQUIREMENTS
31% - 2017 PARTNER AND PROSPECT REQUIREMENTS
DATA BREACHES AT PARTNERS OR COMPETITORS
PREVIOUS DATA BREACH
47% - 2017 IT SECURITY BEST PRACTICES
COMPETITIVE/STRATEGIC CONCERNS
50% - 2016
61% - 2016
38% - 2016
40% - 2017
28% - 2016
34% - 201626% - 201725% - 2017
17% - 201717% - 2016
20% - 201720% - 2016
22% - 2017 INCREASING CLOUD USAGENot measured
DATA PRIVACY LAWSARE MAKING WAVES EVERYWHERE
80% - U.S. RETAIL72% - GLOBAL
Impacted by Data Privacy Lawsincluding 48 U.S. State Regulations
ADDRESSING REQUIREMENTS BY: U.S.
GLOBAL
TOKENIZING DATA
LOCAL HOSTING & CLOUD
37%71%
30%38%
ENCRYPTING DATA
MIGRATING DATA
TOKENIZING DATA
LOCAL HOSTING & CLOUD
40%64%
26%36%
ENCRYPTING DATA
MIGRATING DATA
JAPAN
EUROPE
100+ NATIONAL DATA PRIVACY/SOVEREIGNTY
REGULATIONS WORLDWIDE
AIPP DATA PROTECTION AND
PRIVACY RULES LIVE MAY 2017
GDPR GOESLIVE MAY 2018
MEXICO
LFPDPPP PRIVACY LAW WITH FINES UP
TO £ 1.5M
AUSTRALIA
NEW DATA BREACH DISCLOSURE
REQUIREMENT ENFORCEMENT
BEGINS FEBRUARY 2018
OLD HABITS DIE HARD – INVESTING HEAVILY IN NETWORK/END POINTSECURITY AS THEY BECOME LESS EFFECTIVE AND LESS RELEVANT
IT SECURITY DEFENSE SPENDING INCREASESNETWORK
ANALYSIS AND CORRELATIONDATA IN MOTION
END POINT AND MOBILE
67%
59%
44%
63%
49%DATA AT REST
NETWORK
ANALYSIS AND CORRELATIONDATA IN MOTION
END POINT AND MOBILE
88%
84%
78%
69%
80%DATA AT REST
BELIEVE NETWORK SECURITY VERY/ EXTREMELY EFFECTIVE AT PROTECTING DATA
88%+8% FROM 2016
“… spending on securing internal networks from external threats is less and less effective – and relevant – as both the data and the people accessing it are increasingly external.”
RATES OF EFFECTIVENESS FOR PROTECTING DATA
COMPLEXITY AND POTENTIAL PERFORMANCE IMPACTSTOP BARRIERS TO DATA SECURITY DEPLOYMENT
LACK OF STAFF TO MANAGE37%
LACK OF ORGANIZATIONAL BUY IN19%
44% COMPLEXITY
38% POTENTIAL PERFORMANCE IMPACTS
26% LACK OF PERCEIVED NEED
PERCEIVED BARRIERS TO ADOPTING DATA SECURITY
“…The lack of skilled security staff has been a consistent theme in 451’s research efforts the past few years, and in conjunction with complexity, makes a strong case for data security functionality delivered as a service”
Garrett Bekker451 Research
PERCEPTION OF COMPLEXITY
UNIVERSALLY THE TOP BARRIER
PERCEIVE COMPLEXITY AS THE TOP BARRIER TO ADOPTION DATA SECURITY SOLUTIONS
44%GLOBAL – 50%
31% LACK OF BUDGET
TOP RETAIL CONCERNS WITH CLOUD/SAAS ENVIRONMENTSRATES OF VERY OR EXTREMELY CONCERNED
57% – U.S. RETAIL SECURITY BREACHES / ATTACKS AT CSP67% – GLOBAL RETAIL
53% – U.S. RETAIL66% – GLOBAL RETAIL
SHARED INFRASTRUCTURE VULNERABILITIES
48% – U.S. RETAIL LACK OF DATA LOCATION CONTROL64% – GLOBAL RETAIL
52% – U.S. RETAIL LACK OF DATA PRIVACY POLICY / SLA64% – GLOBAL RETAIL
47% – U.S. RETAIL CLOUD PRIVILEGED USER ABUSE/THREATS67% – GLOBAL RETAIL
48% – U.S. RETAIL MEETING COMPLIANCE REQUIREMENTS54% – GLOBAL RETAIL
54% – U.S. RETAIL CUSTODIANSHIP OF ENCRYPTION KEYS65% – GLOBAL RETAIL
44% – U.S. FEDERAL LACK OF VISIBILITY INTO SECURITY PRACTICES56% – GLOBAL RETAIL
“For U.S. retail the top cloud security concern is security breaches/ attacks at the service provider (57%), which also ranked number one globally at 59%. Custodianship of encryption keys was second (54%) and vulnerabilities from shared infrastructure third at 53%.”
Garrett BekkerPrincipal Analyst, Information Security, 451 Research
WHAT CAN CSPS AND SAAS PROVIDERS DOTO INCREASE RETAIL CLOUD ADOPTION?
DETAILED PHYSICAL AND IT SECURITY IMPLEMENTATION
INFORMATION
DATA ENCRYPTION IN THE CLOUD WITH RETAILER
PREMISES KEY CONTROL
“For cloud security controls, both U.S. retail (65%) and global retail (63%) prefer encryption with local key storage by a wide margin over other options, and ahead of the overall global average of 61%.
Garrett BekkerPrincipal Analyst, Information Security, 451 Research
65%U.S.
63%GLOBAL
DATA ENCRYPTION IN THE CLOUD WITH CSP KEY
CONTROL
48%U.S.
52%GLOBAL
SLA AGREEMENTS AND LIABILITY TERMS FOR
DATA BREACHES
51%U.S.
43%GLOBAL
51%U.S.
43%GLOBAL
BIG DATA – TOP RETAIL DATA SECURITY CONCERNS AND STATS
TOP 5 CONCERNS
42% U.S.
43% U.S.
43% U.S.
36% U.S.
33% U.S.
49% GLOBALSECURITY OF REPORTS
THAT MAY INCLUDE SENSITIVE DATA
37% GLOBALSENSITIVE DATA MAY RESIDE ANYWHERE
36% GLOBAL
PRIVACY VIOLATIONS - DATA ORIGINATES IN MANY
COUNTRIES
27% GLOBALPRIVILEGED USER
ACCESS TO PROTECTED DATA
37% GLOBALLACK OF EFFECTIVE ACCESS
CONTROLS
USING ENCRYPTION TO PROTECT DATA
IN BIG DATA ENVIRONMENTS TODAY
35%
VERY CONCERNED THAT THEY ARE USING SENSITIVE
INFORMATION IN BIG DATA WITHOUT DATA SECURITY CONTROLS
USING SENSITIVE INFORMATION IN BIG
DATA ENVIRONMENTS
U.S.
34% GLOBAL
39% U.S.
52% GLOBAL
49% U.S.
39% GLOBAL
IOT ADOPTION IS HIGH FOR U.S. RETAILUSE OF SENSITIVE DATA A CONCERN
TOP 5 DATA SECURITY CONCERNS FOR IOT
28% - PRIVACY VIOLATIONS GENERATED BY IOT
26% - IMPACT OF ATTACKS ON IOT DEVICES
40% - PROTECTING SENSITIVE DATA GENERATED BY IOT
23% - LOSS OR THEFT OF IOT DEVICES
36% - PRIVILEGED USER ACCESSTO DATA AND DEVICES
93%ADOPTING IOT
41%ALREADY USING
SENSITIVE DATA IN IOT
45%VERY CONCERNED ABOUT
SENSITIVE DATA IN IOT
TOP 5 CONTROLS NEEDED TO INCREASE IOT ADOPTION
43% - ANOMALY DETECTION/BEHAVIORAL ANALYSIS
65% ENCYPTION OF DATA
58% - ANTI-MALWARE FOR DEVICES
36% - IOT NETWORK ISOLATION
54% SECURE ID & AUTHENTICATION
CONTAINERS: TOP SECURITY CONTROLS TO INCREASERETAIL INDUSTRY CONTAINER ADOPTION AND USE
46%
ENCRYPTION
39%
35%
40%
56%
ANTI-MALWARE
VULNERABILITY SCANNING
MONITORING TOOLS FOR CONTAINERS
DIGITAL SIGNATURE IMAGE VALIDATION
“Security concerns, the top barrier in most vertical and geographic segments, is a distant second (40%) in U.S. retail and in global retail (42%). Garrett Bekker451 Research
52%
ENCRYPTION
37%
38%
37%
42%
ANTI-MALWARE
VULNERABILITY SCANNING
MONITORING TOOLS FOR CONTAINERS
DIGITAL SIGNATURE IMAGE VALIDATION
56%BUDGET THE TOP BARRIER
TO DEPLOYMENT
52%
U.S. RETAIL
GLOBAL
U.S.
GLOBAL RETAIL
90%+ DEPLOYING CONTAINERS
THIS YEAR.
ENCRYPTION ENABLES DIGITAL TRANSFORMATION IN RETAILA KEY TOOL REQUIRED FOR ADVANCED TECHNOLOGY ADOPTION
ENCRYPTION ENABLING FURTHER ADOPTION OF CLOUD
CLOUD DATA ENCRYPTION IN THE CLOUD WITH AGENCYPREMISE KEY CONTROL
65% 63%
ENCRYPTION OFFSETS TOP SECURITY CONCERNS
BIG DATASENSITIVE DATA EVERYWHERE
SECURITY OF REPORTSPRIVACY VIOLATIONS
42%43%43%
IOT DATA ENCRYPTION66%SECURE DIGITAL IDENTITY
(AN ENCRYPTION TECHNOLOGY)54%
CONTAINERS
U.S. GLOBAL
ENCRYPTION A TOP CONTROL NEEDED TO ENABLE GREATER ADOPTION
U.S. GLOBAL37%49%36%
THE TOP TECHNOLOGIES NEEDED TO EXPAND USAGE48%54%
U.S. GLOBAL
U.S. RETAIL56%GLOBAL RETAIL45%
BEST PRACTICE RECOMMENDATIONSGARRETT BEKKER, 451 RESEARCH
Cloud and SaaS break legacy IT Security models – Data security with encryption and access controls across environments is required.Service-based solutions and platforms that include automation are preferred for reduced costs and simplicity.
Get a better handle on the location of sensitive data, particularly for Cloud, Big Data, Containers and IoT
Global and industry regulations can be demanding, but agencies should consider moving beyond compliance to greater use of encryption and BYOK, especially for cloud and other advanced technology environments.
Encryption and access control
Don’t just check off the compliance box
Discover and classify
Re-prioritize your IT security tool set
Encryption needs to move beyond laptops and desktops.Data center: File and application level encryption and access controlsCloud: Encrypt and manage keys locally, BYOK enables safe SaaS, PaaS and IaaSBig Data: Encryption and access control within the environmentContainers: Encrypt and control access to data both within containers and underlying data storage locationsIoT: Use secure device ID and authentication, as well as encryption of data at rest on devices, back end systems and in transit to limit data threats
OUR SPONSORS
ABOUT THALES E-SECURITY
Instilling trust across the data landscapeOur powerful technology platform provides advanced data security for more servers, applications, and environments than any other security alternative
What we doThales e-Security provides companies everything they need to protect and manage their data and scale easily to new environments and requirements—encryption, advanced key management, tokenization, authorization, privileged user control, and HSMs.
Our customersOur customers include 19 of the world’s 20 largest banks, four of the world’s five largest oil companies, 27 NATO country members and 15 of the Fortune 25.
Data Protection Platform
Key Management Encryption
Our solutions protect data while eliminating complexity, inefficiency and cost
DATA PROTECTIONHARDWARE
DATA PROTECTIONSOFTWARE
CustomerRecords
DB/ File Encryption
Secure Analytics
Big Data
PII
ApplicationEncryption
PCI,PHI
TokenizationData Masking
Internet of
Things
Public KeyInfra (PKI)
Use Cases
CloudMigration
Cloud Security
Payment related apps
TransactionSecurity
ScriptDevelopmen
t
Code Signing
www.thales-esecurity.com
2017 THALES DATA THREAT REPORTTrends in Encryption and Data Security
RETAIL EDITION
