Thales releases new security report – Aussies lead with employee error concerns

Each year at RSA Conference, various vendors and service providers release annual reports looking into various aspects of information security. The report produced by Thales offers some interesting insights into the use of encryption and points to Australian companies lagging by a long margin.

Peter Galvin, from Thales’ Global Strategy and Marketing team, told us there’s been a continuous increase in the number of people using encryption with over 40% of people now using encryption in some form.

“That begins to show the ubiquity of encryption,” he says.

That protection extends beyond financial information and intellectual property to personal information.

He also noted that while many companies have been implementing encryption for some time, just over a third now have a specific strategy for how it is used rather than using encryption in a haphazard way. When the survey was first taken, just 11% of respondents had an encryption policy. That’s now closer to 37%.

Those policies cover what is going to be encrypted and where that will occur. There’s a growing understanding that not all data needs to be encrypted and decisions need to be made about whether on-premises and cloud-based data need to be treated the same way.

One of the other trends the survey sees is a marked improvement in key management, although it’s still a challenge.

John Grimm, a director at Thales, says key management is a “struggle point”.

“So much of your encryption policy has to come out and be instantiated by multiple products. You have your database encryption, your SSL, applications – those have to be all managed separately and differently”, he says.

Amongst the problems, says Grimm, is a lack of skills in key management and difficulties in implementing consistent policies across different products where implementation and user interfaces differ substantially.

“It’s more complicated than people realise,” he added.

And, as a result of the challenges, people tend to do what’s operationally easier rather than what’s most secure. And they either don’t try to create a policy or have a poorly conceived one as the systems are too difficult to govern consistently.

Grimm says companies that do encryption well see it as an integrated layer in their security system, just like identity management or system access. And the encryption follows the data as it moves in and out of the corporate data centre, whether that’s on-premises, on mobile devices or in the cloud.

That means not relying on individual platforms, as the encryption would then be applied inconsistently over the life of the data.

Another change Grimm and Galvin have noted is the move towards tokenising data. While Apple Pay is a very public example of how this works – not sending credit card data but a token that represents the validated information – it is also an approach enterprises are looking towards.

One of the things that came out of the report was that the number one attack threat was employee mistakes. Across ten of the 11 different countries included in Thales’ research, about half the companies surveyed ranked this as their most significant issue.

But in Australia, the results were “off the charts” according to Grimm.

93% of Australian companies in the survey reported employee errors as their number one security threat.

This begs the question – why is this such a major concern for Australian companies? Is this driven by a skills shortage, poor awareness of other issues and a lack of end user training?

Or are companies understating, either intentionally or through a lack of insight into the importance and potential severity of other issues?


Tags: Anthony Caruana, #RSAC, RSA Conference 2016, CSO Australia, Thales
