Todd Moore | VP Encryption Products, Thales
Amid ongoing economic uncertainty and a progressively complex threat landscape, businesses are trying to navigate increasingly stringent regulatory requirements while bolstering their security posture.
The 2024 Thales Global Data Threat Report, conducted by S&P Global Market Intelligence, which surveyed almost 3,000 respondents from 18 countries and 37 industries, revealed how decision-makers navigate new threats while trying to overcome old challenges. The report explores their experiences, hurdles, approaches, and achievements and offers insights into the security implications of new technologies and the organizational adaptations necessary for future success.
Compliance and Residency Are Key
The study revealed that although risk is volatile and cyber regulations constantly change, nearly half (43%) of businesses did not pass a compliance audit in the past year. Among those failing audits, 31% suffered a breach in the same period, compared to a mere 3% among compliant businesses. This highlights a significant link between compliance adherence and data security.
Challenges also persist in managing operational complexity, leading to data-related issues. A substantial number of organizations struggle to identify and classify their at-risk systems, applications, and data, with only a third (33%) achieving full classification. Alarmingly, 16% admitted to hardly classifying any of their data.
The rampancy of multi-cloud usage across services, along with evolving global data privacy regulations, has underscored the importance of data sovereignty for businesses. According to the report, 28% of respondents consider mandatory external key management as the primary method to achieve sovereignty.
A Matter of Trust
The Report also revealed that most customers (89%) are willing to share their data with organizations, but this willingness comes with certain non-negotiable conditions. Nearly nine out of ten (87%) expect some level of privacy rights from the companies they engage with online. In addition to these high consumer privacy expectations, respondents highlighted that many customers access their organization's internal systems or assets. They indicated that up to 16% of those accessing corporate cloud, network, and device resources could be customers.
Similarly, external vendor and contractor access accounted for an average of 15% and 12% of users, respectively. Given the combination of heightened consumer privacy expectations and extensive external user access, Customer Identity and Access Management (CIAM) emerged as one of the primary emerging security concerns.
However, while improvements in CIAM, such as passkeys and password deprecation, enhance user experience, they also introduce new challenges like deepfake attacks from generative AI, and simplifying this complexity is crucial to reducing opportunities for adversaries and improving usability and engagement.
Emerging Tech: Threats and Opportunities
The report also delved into the emerging technologies that security practitioners are eyeing. More than half (57%) cited Artificial Intelligence (AI) as a major worry, with IoT hot on its heels with 55%. Next came Post Quantum Cryptography with 45%.
Having said that, these technologies also promise a host of benefits. Some 22% of respondents said they were planning to integrate generative artificial intelligence (GenAI) into their security solutions and services over the next year, and another third (33%) plan to experiment with the technology.
Ubiquitous Connectivity, Pervasive Threats
In the era of ubiquitous connectivity, IoT and 5G bring about pervasive threats too. While operational technology (OT) deployments have been criticized for their lax security focus, this year's survey reveals that 75% of IT security teams prioritize OT as a defense against IoT threats.
OT devices like power meters and "smart" sensors in various distributed physical plants are often designed for minimal oversight and reduced operational costs, exacerbating security risks. This means proactive security measures are essential. Despite the increasing connectivity options, traditional methods like physical or network isolation ("air gapping") are less favored for securing IoT/OT environments.
Reflecting zero-trust principles, respondents show reluctance to rely solely on carrier security, with only 33% expressing concern about carrier network security in the context of 5G. However, IoT and OT devices face persistent security challenges.
Establishing Centrally Defined Principles
As enterprises expand, so too will their use and integration of these technologies. This is why establishing centrally defined security principles can improve the likelihood of successful delegation and implementation, mainly when rooted in the fundamental concepts of guidance and agreement.
Like how the rule of law thrives in societies where individuals and institutions understand their rights and obligations, enterprise data security risks can be mitigated by empowering and entrusting other stakeholders to adhere to these principles voluntarily.
Download the full Thales 2024 Thales Data Threat Report now.