451 Research Security Analyst Garrett Bekker thinks that IT executives' unwillingness to go above and beyond basic compliance is because security tends to be a “grudge spend."

In a survey of more than 1,100 senior IT executives at large enterprises, 64 percent said they believe that simply meeting cybersecurity compliance requirements, as opposed to striving for best practices, is “very” or “extremely” effective at preventing data breaches.

This contradicts many security experts' warnings that compliance standards do not constitute acceptable levels of cyberthreat prevention. Additional stats from the survey, detailed in a 2016 “Data Threat Report” issued yesterday by 451 Research and Vormetric, appear to bear out these experts' concerns. Indeed, 61 percent of survey-takers confirmed their organization has experienced a breach in the past—22 percent within the past year. This 61 percent figure represents a three percentage point increase over last year's version of the survey. The percentage of execs that cited compliance as highly effective also rose from 58 percent last year.

“Being compliant doesn't mean you're secure. I just think old habits tend to die hard in security and it's going to take some time to educate people that they need to do more than just check off compliance boxes,” said 451 Research Security Analyst and report author Garrett Bekker in an interview with SC Magazine.

Bekker suggested that in some cases, the apparent unwillingness to go above and beyond basic compliance is because IT security is a “grudge spend. It's not necessarily something a CFO wants to spend their money on. It's kind of like life insurance,” said Bekker. “It's always been tough to get funds allocated to security because it doesn't necessarily give you a tangible benefit.”

Moreover, nearly one-third of IT executives said they felt “very” or “extremely” vulnerable about the safety of their sensitive data. And yet, only 21 percent cited a past data breach as a reason for securing sensitive data, while only 27 percent cited recent major breaches at competitors like Sony, Home Depot or Target as motivation.

The two most popular incentives for spending on IT security were meeting compliance standards and brand protection (46 percent for both).

On an encouraging note, the third most commonly cited reason to secure sensitive data was to follow best practices guidelines. This response experienced the largest year-over-year increase of any answer, from 39 percent to 44 percent—an indication that some businesses may be coming around. Also, 58 percent of respondents said that expenditures to protect against data threats would be at least “somewhat higher” this year—up from 56 percent in 2015.

Current IT spending priorities tended to lean toward classic, old-school network defenses (e.g. firewalls and intrusion prevention systems), which ranked first among intended spending categories at 48 percent. Conversely, products that directly mitigate theft of data in motion and at rest, such as encryption and data loss prevention, came in last (40 percent for data-in-motion defenses, 39 percent for data-at-rest defenses).

While the report suggests that executives may be spending less on encryption because their legacy hard drives and servers already have such built-in measures, “There's still room to do more for cloud applications, big data and IoT—things that encryption isn't used all that broadly for,” Bekker explained.

The report also found that the biggest internal data threats within business organizations were identified as privileged user accounts such as administrators (58 percent of respondents), and executive management accounts (45 percent, way up from 28 percent last year). Ordinary employees ranked fifth overall, suggesting that it's actually the policy-makers who are most guilty of flouting their own security policies.

A surprisingly high 43 percent of respondents claimed to have “complete knowledge” of the locations of their sensitive data. The report suggests that executives may be “in denial” about just how much sensitive data they have disseminated across their operations.

The biggest barriers inhibiting the adoption of data security are lack of staff (38 percent of respondents) and lack of budget (35 percent), the study found.