A survey of more than 1,000 Forcepoint customers finds that cybersecurity professionals are concerned about privacy, cloud and infrastructure security, while also trying to find the balance between ensuring security and enabling access. Meeting these challenges is made more difficult by the ever-evolving cyber threats IT professionals must address and the ongoing risk of human error.
In preparation for our upcoming 2019 Forcepoint Cybersecurity Predictions Report (check out the 2018 report here), Forcepoint surveyed our customers to discover the security issues they’ve experienced this year and their concerns for 2019. Over two weeks in early October, we worked with TechValidate to survey 1,023 customers from 75 countries around the world. The respondents’ titles ranged from IT Professionals to CIOs and CEOs in 40 industries from Agriculture to Telecom to Government.
Privacy and GDPR were Big in 2018
When asked about their cybersecurity issues in 2018, respondents named “privacy” as the top concern, with 56% citing it.[i] Additionally, 59% said their customers or employees raised privacy concerns.[ii] Yet, while privacy was the top issue, it’s not universal among our customers or their users and clients. That could change with the ongoing privacy concerns around social media companies, such as the Facebook breach in September 2018.
Potentially one reason companies focused on privacy in 2018 was that it was the “year of GDPR.” “Getting ready for GDPR or other legislation” came in third and was cited by 37% of respondents as a security issue they faced in 2018. When asked about preparation for GDPR, 86% stated they were at least “prepared.”[iii] 14% were “not prepared” and if they haven’t addressed that issue by the end of 2018 it will likely be an ongoing concern in 2019.
We also asked if workplace monitoring was discussed in their organizations and 84% said it was.[iv] The top concern raised in those discussions was “who sees the data that is collected” with 49%, and 38% were concerned about “infringement of personal privacy”, further demonstrating the focus on privacy.
Cloud Migration Continues to Cause Concern
The second most common security issue experienced in 2018 was “security when moving assets or data to the cloud” with 41%. It looks to be a continuing concern with 94% of respondents saying it’s an important issue for their organization.[v]
When asked about the level of security provided by cloud vendors, 92% said they were concerned and 58% are looking for trustworthy providers with a strong reputation for security – this contingent will be unlikely to choose unproven or unknown cloud startups for their data.[vi]
Surprisingly, almost 20% were not concerned about security in their cloud providers, stating that “most or all cloud vendors provide the security we need for our data.” This confidence may be misplaced as we’ve seen companies and government entities that use cloud storage experience data leaks like the exposure of millions of customers’ personal information by Dow Jones & Co. after a public cloud configuration error or the recent Salesforce Marketing Cloud API glitch. While vendors may deliver basic security, it’s still up to companies to ensure that their data is safe. This is even more critical as additional regulations around data privacy are enacted.
Worries about Critical Infrastructure
While cloud storage and applications are becoming more and more central to companies’ operations, some infrastructure has always been business critical, and often outside IT’s control. After 2017’s devastating NotPetya attack affected infrastructure across the globe, we found that 88% of respondents are concerned about potential attacks on the critical infrastructure (CI) their organization relies on (such as manufacturing facilities, transportation systems, financial services or energy supplies).[vii] 8% are not concerned, which could reflect either the fact that IT has traditionally not been responsible for infrastructure security or confidence that their CI is secure.
Finding Balance in the Cybersecurity Future
Between responding to new regulations, enacting controls to ensure privacy, migrating data and operations to the cloud, and worrying about future attacks on infrastructure, many professionals are still grappling with daily IT challenges. We heard numerous comments about the ongoing difficulty of balancing the access their employees need to be productive with maintaining security.
A director at a medium enterprise financial services company said, “We keep our network locked down by default, but the new generation of employees (and product vendors) seem to think that the entire internet is open and available at all times, social media, cloud, etc. There is a constant struggle of allowing just enough access to get work done but keep everything monitored and access blocked where necessary.”[viii] “In 2019, we are concerned with keeping our organization secure without limiting our ability to provide seamless access to data and applications that our users need,”[ix] said a senior systems engineer from a mid-size healthcare facility.
Adapting to Evolving Threats and the Ongoing Challenge of Human Behavior
The constant pace of change in attacks, such as more sophisticated ransomware and phishing attacks, is making this balance more difficult. 99% of our respondents identified “evolving cyber attacks” as an important security issue for their organization.[x]
A senior IT architect at an S&P 500 hospitality company said, “I am concerned about APT and insider threats, because they are constantly evolving.”[xi] We also heard that “Hacker attacks are changing with each passing day”[xii] and heard concern about the rise of phishing emails specifically targeting the finance department. To address these threats, respondents are looking for agile security tools that can adapt to the pace of change.
They’re also struggling with how to ensure their employees and users do not fall victim to the bait. We heard multiple comments about human error. An engineer from a medium enterprise health care company said, “Data theft and ransomware seem to still be high on our priority list. User education on social engineering seems to be the weakest point. It is hard to protect against the human element.”[xiii] Another respondent said, “Human mistakes are the biggest challenge and will always be a major issue.”[xiv]
With the multitude of demands and responsibilities cybersecurity professionals told us they face, we expect our customers to rely on solutions that provide the ability to scale and adapt. 99% of respondents say “understanding employee behavior is important to ensuring security”[xv] which is one way to make security functions more efficient and effective. Forcepoint’s human-behavior-focused cybersecurity strategies help our customers address the challenges they face today and prepare for the threats yet to come.