Todd Moore | VP Encryption Products, Thales
As we look back at 2020 and the impacts of the pandemic that have carried over into 2021, it is important for organizations to look back and reflect what they did right and how they could improve their processes to become more resilient. The 2021 Thales Data Threat Report serves exactly this purpose – it is a crucial reflection of 2020.
Organizations not prepared to meet the data security challenges of the pandemic
The pandemic forced organizations to adapt overnight to the new normal and adopt new technologies or accelerate existing digital transformation initiatives. But, were they prepared for the cybersecurity challenges that emerged with evolving technology? Unfortunately, the answer is no.
According to the 2021 Thales DTR findings only a fifth of respondents (20%) indicated that their security infrastructure was very prepared to deal with the disruption. The shift to remote working was a large contributor to that disruption. Almost 82% of respondents were somewhat or very concerned about the security risks and threats that a greatly increased remote workforce poses. Almost half (44%) were not confident that their remote access security systems could effectively secure remote work.
Broken security controls – increased attacks
While the level of technology absorption is high, 31% of respondents said that 41-50% of their workloads and data resides in the cloud, and 24% reported more than half of these organizations are failing to adequately protect their data in the cloud. Only 17% indicated that they have protected more than 50% of their sensitive cloud data with encryption. That contradicts the finding that 38% of respondents believe encryption is the most effective technology in preventing cyberattacks. Some industries, like the healthcare and financial sectors, are paying more attention to encrypting their data at rest or in transit – possibly because of strict regulatory requirements – but overall, there is still work to be done.
The lack of effective and robust controls leaves organizations susceptible to emerging vulnerabilities and criminals are increasingly exploiting these security gaps. In fact, of those who have ever experienced a breach, two in five (41%) have happened in the past year. This number has nearly doubled from 21% in 2019, marking a significant shift in the threat posed.
The top vector of cyber-attacks was malware (54%), followed by ransomware (48%), and phishing (41%). The 2021 Thales DTR report indicates the top threats were not from external attackers; internal threats and human error are still of great concern. A third of businesses stated that malicious insiders (35%) and human error (31%) are the greatest risks to them, followed by external attackers (22%).
Unchanged security mindset
Despite the expanding threat landscape, the security mindset seems to remain unchanged. Although the survey results indicate that there is reasonable awareness of the risks present in today’s environments, most organizations are not deploying security technologies such as encryption and multi-factor authentication to the extent required to improve their security posture. This misalignment between risk perception and risk mitigation might be an issue of policy gaps and disconnect between the Board and the security teams. This gap leads to indecision and wrong investments.
An example of lack of adequate security controls is the fact that only 24% of the survey respondents indicated that they have complete knowledge of where their data is stored. As more data is distributed and stored across hybrid and cloud environments, data discovery is becoming a greater issue. In addition, when discussing security controls to restrict the access to this data, just 55% have implemented MFA in any form. The lack of MFA will become a major compliance problem, especially for businesses operating in the United States, considering the requirements of the recent Biden Executive Order.
Zero Trust gaining traction
These findings indicate that security needs to evolve with technology, otherwise challenges and risks will evolve into cyber-attacks. The report findings indicate that businesses are beginning to invest in that direction. Almost half (44%) of respondents selected Zero Trust network access (ZTNA)/software-defined perimeter (SDP) as the leading technology to invest, followed by cloud-based access management (42%) and conditional access (41%). In fact, a third (30%) of global respondents claim to have a formal Zero Trust strategy and, interestingly, those with a formal Zero Trust strategy are less likely to also report having been breached.
Adapting your security practices and policies is also required to be better prepared for future challenges, such as quantum computing. 85% of global respondents are concerned about the security threats of quantum computing, a threat exacerbated by the increasing complexity of cloud environments.
Conclusion
One of the overarching conclusions that was driven by lessons learned from the pandemic is that security strategists need to increase the agility of their security controls. Infrastructure will become more hybrid, and security teams must have the capabilities to address this more complex environment efficiently. Security controls and security management will have to extend closer to the data and the users accessing the data, especially in cloud, in such a way as to keep each cloud environment from being an isolated operational realm.
You can view the 2021 Thales Data Threat Report in full HERE.