Enterprises Overconfident About Perimeter Security, Gemalto Finds

The 2017 Data Security Confidence Index Report reveals gaps between organizations' perceptions of what keeps them secure and what actually works.

There is a measurable gap between organizations' perceptions of what keeps them secure and what is actually working to mitigate cyber-security risks, according to a new report from Gemalto.

The Gemalto report surveyed 1,050 IT decision-makers globally and found some surprising results. Among the high-level findings is that 94 percent of IT professionals reported that in their view perimeter security is effective at keeping unauthorized users out of their networks. Yet despite that apparent confidence, 65 percent reported that they are not extremely confident that their data would be protected in the event of a perimeter breach.

"One of the things that continues to show up every year, and I would have expected it to change, is the investment and perception of perimeter security versus the reality of its effectiveness," Jason Hart, vice president and chief technology officer for data protection at Gemalto, told eWEEK. "As security professionals, I find it interesting we can know something doesn't work but are willing to do it for the perceived security value."

Hart added that sometimes a perceived sense of security is the motivation for unwarranted investments in perimeter security. He noted that Gemalto's report found that only 8 percent of organizations encrypt data, which actually is a more effective security mechanism because it reduces the value of data if it's stolen.

Another surprise in the report noted by Hart is the number of companies that do not believe they will be compliant with the European Union's General Data Protection Regulation (GDPR). The survey found that 54 percent of respondents do not believe they will be fully compliant with GDPR when it becomes enforceable in May 2018.

"GDPR is not an easy fix—it is a process and the rationale is privacy-by-design," Hart said. "In order to adopt this, you need to start from scratch and re-engineer and document security policies, which orgs have not done in the past."

Compliance requires a multistep approach—it is not something done overnight with a single solution, Hart explained. Further complicating the challenge of GDPR adoption is the fact that there has yet to be a benchmark or reference, making it harder for companies to prepare, he said. Understanding risk is a part of GDPR as well as good security hygiene overall, and a key part of that is knowing where data resides. Hart noted that the report found that more than half (55 percent) of companies do not know where all their sensitive data is stored.

"Being situationally aware and knowing where your data resides is the first step in protecting it," he said.

While organizations might not know where all their sensitive data resides, they are reading the news and taking note of high-profile data breaches. In fact, the Gemalto report found that 33 percent of organizations have adjusted their security strategy as a result of high-profile breaches. Hart said he's not surprised by that finding as it makes sense that companies would adjust their security strategy following news of a high-profile breach.

"Most likely, they are adding additional layers of security and a more detailed response plan, but each company's needs and strategy will be different and based on the type of breach and information targeted," he said.

When looking at those additional layers of security, 44 percent of survey respondents reported that new innovative technology poses the biggest security risk. From Gemalto's experience, new technologies are typically perceived as riskier since the vulnerabilities are sometimes unknown and there are additional uncertainties, Hart said. But that's the perception, not necessarily the reality, he added.

"It is why companies need to adopt a 'secure the breach' strategy and mindset, one that recognizes it's not if a breach will occur, it's when—because it will most certainly happen," Hart said. "You cannot anticipate or estimate everything, so proactively reducing risk and minimizing the negative impact, maliciousness and breadth of an attack are paramount."

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.