Businesses in Australia and New Zealand are innovating rapidly by evolving their organisational models to remain competitive – moving to the cloud, offering multiple touchpoints for employees and customers, and building new applications to connect and engage with customers. At the heart of this evolution is the proliferation of sensitive data that is created, collected and shared. At the same time, cybercriminals are looking at all this data as a gold mine to be monetised. So how can businesses adapt to these changes safely?
To find out, electrical systems and services company Thales engaged technology research and advisory firm Ecosystm to conduct market research on the state of data security in the region. Responses were obtained from 150 senior managers across various industries and the public sector. The key findings were that 70 per cent of organisations in the Asia-Pacific region have little or no cybersecurity program, and 50 per cent focus on cybersecurity only after an incident or data breach.
Digital transformation, emerging technologies (such as the IOT and AI) and industry compliance were named as the top drivers for investments in cybersecurity, but is important for organisations to develop a robust risk management programme that goes beyond compliance. The major challenges with deploying cybersecurity solutions were concerns with integration with existing technologies, the complexity of security solutions and the lack of skilled IT staff.
The journey to protect sensitive data starts with data classification. However, many organisations fail to identify sensitive data beyond intellectual property and legal. While organisations have numerous ways to control access to sensitive data, less than half of those surveyed use multi-factor authentication.
A similar number are storing their sensitive data in the public cloud, driven by the less mature organisations leveraging the public cloud for operational cost and growth elasticity benefits. Just over half say that their public cloud provider has sufficient security to protect their data, while 29 per cent say that their organisation has to complement their provider’s security measures. But over two thirds of the organisations that encrypt their data in the cloud have their encryption keys held by their cloud provider, which is a risky approach.
“Whoever holds the encryption keys owns the data,” the report stresses. “If a breach occurs but data was encrypted and keys were protected, a cyber attacker would be unable to decrypt the data and access the actual information.”
The report concludes with recommendations for addressing data protection, including identifying where sensitive data is stored, who has access to it, how many different data types need to be secured, and how it is transmitted; minimising the number of data repositories where possible; safeguarding encryption and key management; and controlling access.