Security Perceptions, Reality Differ

Data security is, by its very nature, couched in discretion: as a matter of routine, processes are classified, and specialists in this area rarely share their company’s state secrets.

Against that backdrop, where the nature of data security and its associated risks keeps organizations from sharing critical solution steps, insurance and financial services organizations lack the metrics and raw collection capabilities necessary to objectively measure and manage this growing problem.

So say the authors of a new report based on the “2010 Data Security Survey” published by Phoenix-based Securosis. The report is designed as an early step toward providing security managers and practitioners with practical information on the perceived effectiveness of major data security tools and techniques. The results are based on the responses of more than 1,000 security and IT professionals within organizations of all sizes, with a heavy emphasis on financial services and with health insurance included as its own category.

“There is a huge gap in the security industry, forcing us to rely more on anecdote and perceptions than hard measurements,” notes the report. The study also notes some disparities between the common perception that security breaches are on the rise and the reality of breach incidence. “Nearly two-thirds of organizations either didn’t know if they suffered any data breach incidents, or stated that they didn’t experience any,” the survey says. “Of those that did, 46% saw a decline in breaches, while 27% reported the same number of breaches from the previous year.”

The survey results indicate that organizations do not invest equally in data security: financial services and government invest most in data security personnel, while healthcare, retail, and manufacturing invest relatively less (note that the authors performed this analysis for only some of the verticals surveyed).

Other Key Findings

• On average, most data security controls are in at least some stage of deployment in 50% of responding organizations. When deployed, controls tend to have been in use for 2 years or more.

• Most responding organizations still rely heavily on “traditional” security controls such as system hardening, email filtering, access management, and network segregation to protect data.

• When deployed, 40-50% of participants rate most data security controls as completely eliminating or significantly reducing security incident occurrence.

• The same controls rated slightly lower for reducing incident severity (when incidents occur), and still lower for reducing compliance costs.
 
• 88% of survey participants must meet at least 1 regulatory or contractual compliance requirement, with many having to comply with multiple regulations.

• Despite this, “to improve security” is the most cited primary driver for deploying data security controls, followed by direct compliance requirements and audit deficiencies.

• 46% of participants reported about the same number of security incidents in the most recent 12 months compared to the previous 12, with 27% reporting fewer incidents, and only 12% reporting a relative increase.

• Organizations are most likely to deploy USB/portable media encryption and device control or data loss prevention in the next 12 months.

• E-mail filtering is the single most commonly used control, and the one cited as the overall least effective.

• Our overall conclusion is that even accounting for potential response bias, data security has transitioned past early adopters and significantly penetrated the early mainstream of the security industry.

Top Rated Controls (Perceived Effectiveness):

• The top 5 rated controls for reducing the number of incidents are network data loss prevention, full drive encryption, web application firewalls, server/endpoint hardening, and endpoint data loss prevention.

• The top 5 rated controls for reducing incident severity are network data loss prevention, full drive encryption, endpoint data loss prevention, email filtering, and USB/portable media encryption and device control. (Web application firewalls nearly tied to make the top 5).

• The top 5 rated controls for reducing compliance costs are network data loss prevention, endpoint data loss prevention, storage data loss prevention, full drive encryption, and USB and portable media encryption and device control. (Very closely followed by network segregation and access management).
