Code42 Data Exposure Report: A must-read for security and business decision-makers

Data Exposure – Stockpiling Cryptocurrency? Save Your Money.

For years, organizations have heard the drumbeat of building digital security perimeters to protect their data. And to the best of their ability, they’ve listened to the experts, followed best practices and spent billions on strategies to prevent data losses and breaches.

Unfortunately, that strategy is no longer working and companies know it. In an increasingly complex digital threat landscape, cybercriminals are constantly evolving, waging successful ransomware attacks even on organizations that have well-established breach-prevention profiles. Our recently released Data Exposure Report, which surveyed nearly 1,700 security, IT and business leaders across the U.S., U.K. and Germany, tells this story in stark relief.

Playing defense in an unpredictable threat landscape

I wasn’t surprised to read in the report that 64 percent of CISOs believe their company will have a breach in the next 12 months that will go public. Furthermore, 61 percent say their company has already been breached in the last 18 months. What is surprising to me is the narrow window of time in which these breaches are happening, demonstrating the increasing severity of the threat.

Even more concerning is the growing number of companies that are reacting to ransomware by purchasing cryptocurrency. Nearly three-quarters of the CISOs we surveyed admitted to stockpiling or having stockpiled cryptocurrency in the last 12 months to pay off cybercriminals. Worse yet, 79 percent of them have actually paid ransoms to regain access to their corporate data.


Get hit, get back up

Security and IT leaders estimate that 39 percent of their organization’s data is only held on endpoint devices — making it more difficult to track. As we discussed in our previous blog, “The Risks of Playing Data Hide-and-Seek,” this lack of visibility over endpoint-only data puts valuable company IP at risk — and updating a company security policy will not change the outcome because some employees simply don’t follow the rules.

In business, time is money. This is especially true in the seconds, minutes, days and weeks after a security breach. Yet according to about one-third of security and IT leaders, it would take up to one week to enact their recovery plan.

There is another way

While companies might think that they have no choice but to pay cybercriminals, they do actually have other options. And the overwhelming majority of CISOs agree. Nearly three-quarters (72 percent) reported that their company must improve its breach recovery ability in the next 12 months. And 75 percent stated that their company needs to shift the focus away from prevention-only security to a prevention-and-recovery strategy.

So what does that mean?

Recovery and prevention

From an IT perspective, prevention is only a single facet of a robust security approach. Possessing the capability to find out how a breach occurred — then being able to recover in real time — is the ultimate definition of resilience. With a comprehensive data recovery tool that includes visibility and recovery for endpoints, companies wouldn’t have to pay a ransom to regain access to their data. They would simply restore their data using their recovery solution.

Code42 can help organizations regain control post-breach.


Data Exposure–The Risks of Playing Data Hide-and-Seek

With cybersecurity threats continuing to evolve, even organizations wielding security tools and policies are at risk from a potential breach. In fact, 20 percent of security and IT leaders admit they do not have full visibility to where their data lives and moves—leaving their organizations with a data security blind spot.

According to the findings of our new Data Exposure Report, which surveyed nearly 1,700 security, business and IT leaders, 80 percent of CISOs agree that, “You cannot protect what you cannot see.”

It seems business leaders, on the other hand, are not always aware of the challenges security and IT leaders face to protect data. The overwhelming majority (82 percent) of business leaders believe IT can protect data they cannot see. This disconnect has major implications for data security, as business leaders often determine the budgets that security and IT need to do their jobs.


Data at risk

With the rise of flexible working practices and the ongoing digitization of information, the importance of data visibility and forensics across employee endpoints should not be underestimated. In modern enterprises, with data flowing freely in and out of the organization, traditional security perimeters are no longer enough to prevent breaches.

Without the right tools, endpoint data is particularly vulnerable. In fact, 86 percent of security and IT leaders believe saving files outside of company storage—for example on an employee laptop—puts their organization at risk. This is a significant concern considering that 73 percent of security and IT leaders believe that some company data only exists on endpoints. And this is critical data: Security leaders revealed that losing endpoint-only data could be business-destroying.

Data hide-and-seek

Keeping track of company data is not as straightforward as it may initially seem. Today, it goes beyond simply monitoring traditional sanctioned storage—even in the cloud.

While business leaders recognize that saving their data outside official storage causes unnecessary risk for their organization, they aren’t going to change their work habits. More than two-thirds (68 percent) of CEOs think there’s a risk to their company if they store data on devices such as laptops without keeping a copy in centralized storage—but they do it anyway.

Security must include recovery

Businesses need a safety net that will allow them to keep track of data stored on endpoints, regardless of employee behavior or communication breakdowns. To minimize risk to valuable IP, companies should have a security strategy that includes not only data recovery in the event of a breach, but also prevention tools to help prevent breaches from happening.

Coming up in the final post in this four-part series, we will explore why companies must shift their security strategy away from prevention-only to a prevention-and-recovery strategy that effectively deals with an increasingly unpredictable threat landscape. To read the Code42 Data Exposure Report in its entirety, go to code42.com/2018DataExposureReport.

In case you missed them, get parts one and two of Code42’s Data Exposure Report blog series.


Data Exposure Report: A Must-Read for Security Decision-Makers

We’re thrilled to announce the release of our Data Exposure Report. It reveals some startling truths about how human behavior drives data security vulnerabilities, despite the billions companies spend on data loss prevention.

IT leaders and CISOs will find some of their suspicions validated by the findings, particularly that CEOs are among the worst offenders at violating data security policy. But many of the disconnects we found between current data security strategies and the reality of the threat landscape will be surprising and sobering:

  • Almost three-quarters (72 percent) of CEOs admit they’ve taken valuable intellectual property from a former employer. Yet 78 percent of CEOs agree that ideas, in the form of IP, are still the most precious asset in the enterprise.
  • As many as 80 percent of CISOs agree that “you cannot protect what you cannot see.” Business leaders, however, have a different perspective. Among business leaders, 82 percent believe that IT can somehow protect data they cannot see.
  • Among CISOs, 64 percent believe their company will have a breach in the next 12 months that will go public, which has led nearly 73 percent of CISOs to stockpile cryptocurrency to pay cybercriminals.

The report, based on surveys of nearly 1,700 security, IT and business leaders from the U.S., U.K. and Germany, provides a comprehensive view of attitudes toward data security in this age of rapidly evolving cyber threats. This is the first in a series of four blog posts. Each post will delve into one of these key areas:

  • Emotional drivers of employee behavior that can put a company’s data at risk.
  • The importance of data visibility for security to do its job of safeguarding company data.
  • How to recover from a data breach while maintaining continuity.

Potentially most valuable for IT and security leaders, this report provides insights on ways to build business continuity and resilience in the face of an increasingly complex threat landscape. The upshot: resilience comes from companies evolving their data security strategies to include recovery from data breaches as well as prevention of those breaches in the first place.


“The time has come for the enterprise to make itself resilient. IT, security and business leaders need to arm themselves with facts about how the emotional forces that drive employee work styles impact data security policy,” said Rob Westervelt, research director for the security products group at IDC. “To protect an enterprise today, security teams need to have visibility to where data lives and moves, and who has access to it. Visibility is key in protecting an organization against both internal and external threats.”

Data is precious, but talk is cheap

The report reveals that, while most CEOs say their IP is one of their most valuable assets, they are the very people who put IP at risk through data practices they admittedly know are unsafe. Some key findings:

  • Among CEOs, 59 percent admit to downloading software without knowing whether it is approved by corporate security. The majority of business leaders (77 percent) believe their IT department would view this behavior as a security risk, but disregard the warning.
  • The majority of CEOs (93 percent) admit to keeping a copy of their work on a personal device, outside of officially sanctioned company storage. More than 68 percent of CEOs think there’s risk in keeping data solely outside of company storage, but they do so anyway.

So even though they know it’s risky—and they may have even lost work as a result of it—C-suiters continue to put their companies at risk by defying company policies and data security best practices.

The risks of playing data hide-and-seek

In this digital age, more flexible workplaces result in employees saving data on their endpoints, making it increasingly difficult for security departments to see data to protect it during a breach. Some key findings from the report:

  • Nearly three-quarters (73 percent) of security and IT leaders believe that some company data only exists on endpoints, such as desktops or laptops.
  • As many as 71 percent of security and IT leaders and 70 percent of business leaders believe that losing all corporate data held on the endpoint devices would be business-destroying or seriously disruptive.
  • In addition, 86 percent of security and IT leaders believe employees saving files outside of corporate storage poses a serious risk to the organization.

While clear and strong company policy about data security is critical, clearly it’s no match for the reality of human behavior. Companies must resign themselves to employees working and saving precious IP on their endpoints—not to mention engaging in other risky behavior that could result in a data loss incident.

Playing defense in an unpredictable threat landscape

In the evolving threat landscape, companies that experience a ransomware attack are increasingly faced with the untenable choice of paying off cybercriminals or losing precious data. Some key findings from the report:

  • Among CISOs, 61 percent say their company has been breached in the past 18 months.
  • The threat of cyberattack has led 73 percent to stockpile cryptocurrency to pay cybercriminals; of those, 79 percent have paid a ransom.

The most sobering part about these particular findings is the unnecessary use of resources to react to cyberthreats in this way. If a data loss event strikes, a comprehensive data security strategy that includes visibility provides companies with the ability to understand what happened and when. As a result, they are positioned to recover much faster.

An ounce of prevention no longer worth a pound of cure


Despite the disconnect between what they practice and what they preach, the report indicates that business leaders understand the need for a multi-pronged security approach in today’s complex threat landscape.

  • Three-quarters of CISOs (75 percent) and 74 percent of CEOs believe their security strategies need to change from prevention-only to prevention-and recovery-driven security.

To read the Code42 Data Exposure Report in its entirety, go to code42.com/2018DataExposureReport.

Read Part Two of our blog series on the Code42 Data Exposure Report, “Is Your C-Suite Putting Your Data Security at Risk,” to learn how emotional drivers contribute to poor data security habits among employees.
