IT decision makers are dangerously over-confident in the ability of perimeter security to keep key assets safe from hackers, with UK professionals even more self-assured than the global average, according to new data from Gemalto.
The security firm polled over 1,000 IT leaders worldwide and found 94% felt their perimeter security is effective in keeping unauthorized users out of their networks.
In the UK that figure rose to 96%, with over half (58%) of respondents “extremely confident” that their data would be secure in the event of a breach, more than in any other country.
However, nearly half of UK firms (46%) said they’re only protecting systems with passwords, making it far easier for hackers to crack, hack or guess their way into key accounts.
What’s more, three-quarters (75%) of the data stolen from UK businesses on average was not encrypted.
Globally, just 8% of breached data had been encrypted over the report period, Gemalto claimed.
The confidence of IT leaders in perimeter security tools like IDS/IPS, AV and firewalls seems to run counter to another global finding of the research: 68% of respondents claimed that unauthorized users can access their networks.
The findings are particularly concerning given the EU General Data Protection Regulation (GDPR) will mandate 72-hour breach notifications and maximum fines for non-compliance of 4% of global annual turnover or €2m, whichever is higher.
Encryption of sensitive customer data is therefore a must, yet over half of respondents (55%) said they didn’t even know where such data is stored, while over a third claimed not to encrypt payment (32%) or customer (35%) data.
Given these findings it’s perhaps not surprising that over half of IT leaders (53%) admitted their organization won’t be fully ready for the new regulation when it comes into force on 25 May 2018.
Joe Pindar, strategy director at Gemalto, argued that IT pros are still thinking about cybersecurity as they do physical security.
“This is something that infosecurity professionals are taught from the beginning – even consumers know they need a firewall on their laptops. However, despite these efforts, breaches are occurring regardless, and unauthorized users are able to infiltrate networks,” he told Infosecurity Magazine.
“This conflict between ways of thinking about physical and cybersecurity is at the heart of the infosecurity industry today.”
IT teams need to focus on data protection by first understanding what they have and where it’s stored, he added.
“It’s important for a business to understand who can access this data, and what the consequences are of unauthorized users having access to it,” Pindar continued. “Once these steps have been completed, they then need to apply strong security controls, such as encryption and two-factor authentication, to protect the data at its source and ensure it can’t be used by hackers.”