Confidential information continues to be extracted from organizations around the world, despite increases in security technology and security education spending. Essential tools such as data loss prevention (DLP) and endpoint detection and response (EDR), which could stop a majority of these breaches, remain stubbornly under-deployed or are running in monitor mode. The good news is that the increase in security education appears to have reduced the incidence of accidental and intentional insider data theft. Overall, IT professionals are now discovering the majority of these breaches and hold themselves responsible for data loss. Many also think that senior executives should lose their jobs if a breach occurs on their watch, possibly because those executives demand more open policies for themselves.
The IT security professionals we interviewed in December 2018 experienced an average of six significant data breaches over the course of their careers. In almost three quarters of these incidents, the data breach was serious enough to require public disclosure or have a negative financial impact on the company, an increase of five percentage points from our 2015 data exfiltration study.
This new study looks at the data breach realities and responses of commercial organizations (1,000 to 5,000 employees) and enterprise organizations (more than 5,000 employees) in Australia, Canada, France, Germany, India, Singapore, the United Kingdom, and the United States.
We surveyed 700 information technology and security professionals with decision-making authority in a wide range of industries who experienced at least one serious data breach in their careers. They were asked about breach and exfiltration details, insider versus external threats, and the people, processes, and technologies that helped prevent these breaches, or could have helped prevent them. Consistent with previous studies, theft of personally identifiable information (PII) is the number one concern. However, increases in intellectual property theft have raised it to a tie for first place, well ahead of appropriation of payment card information.