Are most businesses ‘behind the curve’ when it comes to data security and protection strategies? The obvious answer is, yes, of course they are. The real question is by how much most companies are ‘behind the curve,’ and what they are doing about it. That is a far more complex question, one that a recent survey conducted by EMC, a Peak 10 technology partner, sought to answer in its in-depth Global Data Protection Index. The report is chock-full of interesting data that, by and large, paints a distressing picture of data security.
EMC reported that, by its estimation, 87 percent of businesses are behind the curve for data protection maturity and 71 percent are not fully confident of restoring their data. Other key findings noted that 62 percent of respondents said at least one of the following is ‘difficult’ or ‘very difficult’ to protect: big data, hybrid cloud and mobile devices. Not too surprisingly, adopting advanced data protection tools leads to reduced data loss (note the word “reduced”).
Worldwide, the report estimates that only 13.7 percent of enterprises are ahead of the curve. In the U.S., which spends a greater percentage of IT budget (8.91 vs. 7.7 percent) on data protection than other countries, it’s one in five. Leading enterprises spend 9.6 percent.
As a consequence of this poor showing, enterprises globally are losing as much as $1.7 trillion through data loss and unplanned downtime.
The fact of the matter is, the more you invest in data security, the more secure your data is likely to be … but never totally. It’s a matter of degrees. Did Anthem believe that it was protected as thoroughly as it could be? Most likely. But facts tell us that organizations like Anthem, or major universities or banks or you name it, are subjected to hundreds of thousands of hacking attempts weekly … millions in some cases.
Size or industry does not preclude being victimized. A 2013 study conducted by Verizon reported that 18 percent of the security incidents with confirmed data loss happened to “small” companies (defined as having fewer than 1,000 employees). Criminals search for security vulnerabilities and do not stop until they find them. Chances are excellent that they will find a way in eventually, which brings us to another interesting industry study.
In its 2014 report, Capabilities and Maturity of Cyber Defense Organizations, the Security Intelligence and Operations Consulting (SIOC) practice of HP found that 24 percent of the companies assessed do not meet minimum requirements to provide consistent security monitoring. The wake-up call is often associated with a direct financial loss, like installing a security alarm in your home after you’ve been robbed.
The report went on to say that 60 percent of enterprises globally spend more time and money on reactive measures than on proactive risk management. That is, something bad happens and the company installs a fix. Another bad thing happens, and they install a fix. After several years, the company has lots of individual fixes, none of which work together and none of which share information, so they never form a cohesive defense perimeter that can proactively spot trends and initiate actions to thwart the next attacks.
With one out of four companies not even addressing minimum security requirements, not only are they threatened but the companies with which they do business are made more vulnerable as well (like failing to get a measles vaccine places others at risk).
In an earlier post about the Anthem breach, Peak 10’s vice president for governance, risk and compliance, David Kidd, reminded readers that, regardless of the sophistication of a data protection program, a solid and effective foundation always begins with the basics:
- Restrict data access to only those employees who need it.
- Screen personnel who have access to personally identifiable information (PII) and other critical data.
- Train employees to effectively protect data and to respond in the event of a data breach.
- Keep information systems and anti-virus software up to date, and operating systems and applications properly patched.
- Encrypt important data to prevent access by unauthorized parties.
There is an interesting corollary to this discussion on data protection that has to do with trust. One of the world’s leading public relations firms, Edelman, has been reporting on its Global Trust Barometer since 2000. The trust index has been trending down in recent years as people have become less tolerant of what they perceive as too much technology, too fast and too untested.
The 2015 barometer reports that general distrust of new technologies is of concern, especially as it relates to personal data. To quote: “There must be a new relationship of equality between the company and the individual, who agrees to surrender elements of privacy in order to achieve better service while maintaining the right to opt out. The broader objective should be a better world, as seen in the 81 percent of respondents who believe that business can both make a profit and improve society.”
No doubt, diminished trust is a contributing factor to that $1.7 trillion loss due to unplanned downtime and data losses. People will not recommend or do business with companies they do not trust. People will not invest in companies they do not trust. It’s not that they expect perfection; an open, honest, sincere and sustained effort will suffice.