What does ‘perimeter’ mean these days, in this world of mobile application access, remote working, employee use of cloud-based information sharing and other activities taking place beyond the corporate boundary? Even as organizations struggle with understanding the consequences, many still act as though the perimeter is the most important focus for information security.
According to our latest research of 1100 IT decision makers across the globe, 2015 is the year when organizations look to maintain a tight grip on their perimeter security, even as it becomes increasingly clear that securing the perimeter of the organization has become an impossible task.
Perimeter security is used in the large majority (81%) of respondents’ organizations, matching data security (82%) but far exceeding identity and access control (66%). Indeed, on average, more than 8% of the respondents’ organizations’ security budget is allocated to purchasing, deploying and maintaining perimeter security technology.
In the last five years, 86% of organizations have increased their investment in perimeter security, and over two thirds (68%) plan to increase perimeter security investment in the coming twelve months. More organizations (78%) are adjusting their security strategies due to high-profile breaches in the news than two years ago (53%). In other words, investment is already high, and it is going up.
Perhaps rightly so — over a quarter (27%) of respondent organizations suffered a perimeter security breach in the last twelve months, which is a strong incentive to invest more time, effort and money in tightening the grip on the perimeter still further. Malware (21%), viruses (20%) and RansomWeb (20%) were the most likely causes, from both internal (65%) and external (79%) sources.
92% of respondents’ organizations that were breached suffered commercial consequences. But at the same time, it is pretty clear that simply ‘doing things as they have always been done’ is no longer workable. Organizations can no longer hold their burgeoning data like grain in a sack; there are simply too many gaps in the periphery to make this approach viable.
Consider: 66% of our respondents claimed that unauthorized users could access their corporate networks, with 16% admitting that those users could access the entire network. This is not a criticism of the organizations concerned, more a statement about the complexity of the problem and how difficult it is to solve.
The one answer, and the only cause for optimism, is that organizations both can and must think differently about security, with a focus on the data they are trying to protect rather than the networking infrastructure used to transport it.
From the research we know this is not currently the case. Only around one in three (31%) respondents are extremely confident that their organization’s data would be secure if an unauthorized user penetrated their network, and the vast majority (89%) of respondents felt only 10% or less of data in the most recent breach was protected by encryption.
We’re not advocating the removal of perimeter security (though some, like Google with its BeyondCorp initiative, have taken this step). Rather, and as the research is telling us, we believe organizations should fundamentally change their thinking on information security, breaking with the idea that perimeter security should trump other priorities such as identity management and encryption.
Otherwise, as many high-profile businesses have found to their cost, we may get to market and find we have no business left to sell.
Alex Tay is Director for Identity and Data Protection, ASEAN region, Gemalto