Eighty-one percent of senior IT security executives at healthcare organizations anticipate IT security spending increases in the next 12 months, yet, at the same time, successful data breaches are also up significantly. These were the findings of a recent survey conducted by Thales, a data security and information systems solutions provider, which point to an ongoing disconnect between the security solutions organizations spend money on and the ability of those solutions to protect sensitive data.
The report findings present a glass half-full or half-empty dilemma. The projected increase in IT security spending could be good news for healthcare IT leaders dealing with budget constraints; however, the findings indicate that organizations continue to focus their spending on strategies and tools that are not effectively preventing data breaches.
Findings from the Thales 2017 Data Threat Report, issued in conjunction with analyst firm 451 Research, indicate that, across all industries, companies are still prioritizing network and endpoint solutions over encryption despite the rise in data breaches. While 30 percent of respondents classify their organizations as ‘very vulnerable’ or ‘extremely vulnerable’ to data attacks (and the number of breaches continues to rise) the two top spending priorities are network (62 percent) and endpoint (56 percent) protection solutions. In contrast, spending on data-at-rest solutions (46 percent) comes last.
For the report, researchers polled 1,100 senior IT security executives at large enterprises around the world. While some of the respondents represent the healthcare IT industry, the survey encompasses respondents from other industries as well, including federal government, retail and telecommunications.
Overall, 68 percent of survey respondents, across all industries, have experienced a breach, with 26 percent experiencing a breach in the last year – both numbers that rose from last year. According to Andy Kicklighter, director of product strategy at Thales e-Security, within the healthcare segment, the number of organizations that reported having a breach in the past year increased from 18 percent to 20 percent. “So, that’s one in five who said they had been breached just in the last year,” he said.
Paradoxically, overall security spending is also up; in 2017, 73 percent of organizations, across all industries, increased IT security spending – a marked jump from 58 percent in 2016. And, as mentioned above, eight out of ten healthcare IT respondents to the survey plan to increase IT security spending, the highest of any industry segment.
“So we are seeing a trend of both increasing IT security spending—the spending overall has gone up three years in a row—but the breaches are going up in parallel,” he said.
One possible explanation for this troubling state, according to Garrett Bekker, senior analyst, information security at 451 Research and author of the report, is that organizations keep spending on the same solutions that worked for them in the past but aren’t necessarily the most effective at stopping modern breaches. “Data protection tactics need to evolve to match today’s threats,” Bekker says. “It stands to reason that if security strategies aren’t equally as dynamic in this fast-changing threat environment, the rate of breaches will continue to increase.”
The survey results indicate that old habits die hard. “Organizations tend to increase spending on things that they’ve used in the past, but are not the most effective at protecting against data breaches. For example, network security spending again was up in the last year, but the people who try to attack organizations to get access to the data find that they are able to get past those defenses and able to get onto networks and get access to the things that are not protected and are behind those outside barriers,” Kicklighter says.
He adds, “Part of the challenge may be that many IT security professionals have been in the business for a while, and they may have spent most of their careers putting in a firewall, putting in network tools for intrusion protection and putting in place anti-virus and the tools that go with that, and making sure they have good control over their users internally, but, at this point, that’s not enough if you don’t do something specifically around protecting the data.”
The cybersecurity threat landscape continues to evolve and is becoming more sophisticated with the prevalence of spear phishing attacks combined with the availability of malware for use by cybercriminals. “Zero-day malware is not detectable with anti-virus, and you can buy it on a black market website for $4,000 or $5,000. So, if you are really determined, you are going to find a way to get credentials and get inside. If you don’t put in place technology that enables you to safeguard and control access to the sensitive data inside your organization, that’s a problem,” Kicklighter says.
Another finding from the Data Threat Report indicates that, in the U.S., compliance continues to be the top driver for IT security spending. Almost half (44 percent) of all respondents, across all industries, list meeting compliance requirements as their top spending priority, followed by best practices (38 percent) and protecting reputation/brand (36 percent).
“There is a big contrast between what the healthcare organizations in the U.S. have as a driver for their spending versus what you have outside the U.S.,” Kicklighter says. “In the U.S., compliance is the first on the list, but it drops to the bottom when you talk about our global healthcare compatriots. They are more worried about preventing data breaches and protecting their brand and reputation or doing best practices than they are about meeting a compliance requirement with their spending.”
The survey results also indicated that 59 percent of respondents, across all industries, believe compliance is ‘very’ or ‘extremely’ effective at preventing data breaches. Compliance regulations provide a data security blueprint, Kicklighter says, “but it’s more of a means to an end, and not the end itself when you talk about protecting data.” He continues, “It’s only one component of solving the problem. So that troubling belief that compliance will solve your data breach problem is another part of the challenge.”
If data security is so effective at preventing threats, why does it still trail both network and endpoint security in terms of spending plans? To answer this question, the survey report also looked at top perceived barriers to adopting data security. About half of survey respondents cited complexity as the top barrier, followed by lack of skilled staff.
“Looking at the skills shortage for IT security professionals in the U.S., there are between 500,000 and 1 million positions in the U.S. that remain open, and it typically takes a year to hire a good IT security professional with the right skill set that you need. That applies to healthcare as much as the rest of the enterprise organizations. It’s hard to get people with the right skills,” Kicklighter says.
The lack of skilled security staff in conjunction with complexity makes a strong case for data security functionality delivered as a service, according to Kicklighter, particularly those functions that are perceived to be labor intensive and require substantial resources and expertise to keep up and running, such as encryption key management or data loss prevention (DLP).
The report authors point out that one of the fundamental challenges of cybersecurity is dealing with the speed of change. With each new computing paradigm shift – cloud, Big Data and IoT – come new capabilities and possibilities, and new security vulnerabilities to be exploited. To this point, the security industry overall now tallies in excess of 1,400 vendors by 451 Research’s count, with as many as nine new startups per month and roughly 10 new security categories created each year, according to the report.
To offset the data breach trend and take advantage of new technologies and innovations, the report authors advise that organizations should leverage encryption and access controls as a primary defense for data and consider an ‘encrypt everything’ strategy, and select data security platform offerings that address a variety of use cases and emphasize ease-of-use. Additionally, the report authors recommend organizations implement security analytics and multi-factor authentication solutions to help identify threatening patterns of data use.