Insights from Gartner Security & Risk Management Summit Industry Survey
While attending the Gartner Security & Risk Management Summit in June, HPE Security – Data Security conducted an industry survey about the use and protection of sensitive data. Attendees came to the summit with one goal in mind: learn the best and most recent technologies and solutions for data security.
During the three-day summit, over 150 attendees representing industries such as financial institutions, health care providers, and service providers were surveyed about their data security habits and interests. The questions ranged from the company’s current use of sensitive data to whether or not the company is planning projects involving sensitive data.
The first questions that respondents were asked centered on the use of sensitive data. Data is referred to as sensitive when its being hacked would result in damage to businesses or individuals. Examples of sensitive data are personally identifiable information (PII), protected health information (PHI), and financial data such as credit card information. Of the individuals asked, 80% responded that their company currently uses sensitive data such as PII (61%), PHI (46%), or PCI (48%), with respondents allowed to pick more than one answer. With such a high percentage of companies using sensitive data, it raised the question: how do they protect their data?
Stringent data privacy regulations such as the GDPR (General Data Protection Regulation), issued by the European Union, identify encryption as an appropriate safeguard and approach to mitigate risks associated with the processing of sensitive data. The Payment Card Industry Data Security Standard (PCI DSS) recommends tokenization as a method to secure credit card data. Most enterprises use encryption and/or tokenization to protect data. Chief Technologist Terence Spies explains the difference as this: in a payments ecosystem, for example, encryption is fundamentally a technology that is about securing that data while it is being transmitted and pushed around. Tokenization, on the other hand, is essentially the method of creating pieces of data that are going to be put into storage. They are different technologies that solve different things, but work together to make a more secure whole.
As a follow-up to the first question, respondents were asked about their data protection practices for sensitive or regulated data. A majority of respondents (52%) reported that they employ both tokenization and encryption. However, 10% of respondents also reported that despite their businesses using sensitive data, they do not implement security measures for the data. The good news is that this amount is down 4% from last year. However, any sensitive data that is left unprotected is vulnerable to attack, putting customers’ private information at risk.
Lastly, respondents were asked if they are planning any Big Data, Internet of Things (IoT), or cloud projects that involve sensitive data. A total of 67% said they are either currently planning (58%) or will be planning (9%) a Big Data, IoT or cloud project involving sensitive data. Of the remainder, 30% reported that they are not currently planning a sensitive data project, while an even smaller amount, 3%, reported having no future plans to ever have such a project involving sensitive data.
With so many businesses using sensitive data, what happens next? As the number of businesses using sensitive data increases, the need for data security at rest, in motion, and in use increases. The Payment Card Industry Data Security Standard (PCI DSS) and the General Data Protection Regulation (GDPR) have proven that regulations on data security will soon be the new normal. Businesses that use sensitive data have no excuse not to properly protect their customers’ information.
To find out more about how to secure sensitive data, visit HPE SecureData.