Protecting data: when confidence is overconfidence

According to the recently released annual Data Security Confidence Index (DSCI), many businesses today are guilty of feeling overconfident about keeping hackers at bay, while at the same time failing to keep data safe.

American author, engineer and billiards Hall of Famer, Robert Byrne, once noted “confidence is overconfidence.” According to the recently released annual Data Security Confidence Index (DSCI), many businesses today are guilty of this flawed mindset: feeling overconfident about keeping hackers at bay, while at the same time failing to keep data safe.

According to the 2016 Breach Level Index, last year saw nearly 1.4 billion data records being lost or stolen. The DSCI’s recent survey of 1,050 IT decision makers worldwide has revealed that businesses feel perimeter security is keeping them safe, with most (94 percent) believing it’s preventing unauthorized users from accessing their network. Ironically, 65 percent are not extremely confident their data would be protected should their perimeter be breached, a slight decrease on last year’s results (69 percent). Despite this, nearly six in 10 (59 percent) organizations report that they believe all their sensitive data is secure.

Misplaced focus, lack of understanding

Many businesses continue to prioritize perimeter security without realizing it’s only one piece of the arsenal you need to combat sophisticated cyberattacks. According to the DSCI findings, 76 percent said their organization had increased investment in perimeter security tech such as firewalls, IDPS, antivirus, content filtering and anomaly detection. Despite this investment, two thirds (68 percent) believe unauthorized users could access their network, rendering their perimeter security ineffective.

This suggests a lack of confidence in the solutions used, especially when over a quarter (28 percent) of organizations have suffered perimeter security breaches in the past 12 months. Equally troubling is that more than half of respondents (55 percent) don’t know where their sensitive data is stored. The reality of the situation worsens when considering that, on average, only 8 percent of the data breached was encrypted.

Over a third of businesses do not encrypt valuable information such as payment (32 percent) or customer (35 percent) data. This means that, should data be stolen, a hacker would have full access to this information, and can use it for crimes including identity theft, financial fraud or ransomware. All companies need to adopt a “secure the breach” mentality – one that doesn’t question “if” attackers will gain access, but “when” – and encryption makes stolen data unusable.

On the whole, it’s clear there is a divide between organizations’ perceptions of the effectiveness of perimeter security and the reality. The result is that businesses are failing to prioritize the measures necessary to protect their data. Hackers are after a company’s most valuable asset – data. It’s important to focus on protecting this resource, otherwise reality will inevitably bite those that fail to do so.

Protect or pay the price

There are many ways a company can pay for not protecting data – damaged reputation, lost sales, customers, partners and more – and developments such as the General Data Protection Regulation (GDPR) aim to hold companies accountable.

The GDPR goes into effect in May 2018 and those that fail to comply, even U.S. businesses, face a fine potentially equal to 4 percent of their global revenues. Yet, over half of respondents (53 percent) in the DSCI survey say they do not believe they will be fully compliant when it goes into effect. With less than a year to go, businesses must begin adopting the correct security protocols now in order to comply with the GDPR. That means the inclusion of proven tools and approaches including encryption, two-factor authentication and key management strategies.

Content is being dangerously cocky

Investing in cybersecurity has become more of a focus for businesses in the past 12 months, and it should be. Hackers never rest and the appearance of new threats can be measured in hours. What is of utmost concern is that so few companies are doing the basics: adequately securing the most vulnerable and crucial data they hold or even understanding where it is stored.

That said, perhaps it’s a good time to reflect on another quote from Byrne: “Everything is in a state of flux, including the status quo.” When it comes to protecting data, being content with what you “think” is working now is being dangerously cocky, and that type of overconfidence is what makes a company a prime target for hackers.

Copyright © 2017 IDG Communications, Inc.
