Last year, we ran a wide-ranging survey to understand the data security controls that businesses like yours use to keep information safe. This year, we expanded our survey and dove deeper into the data to bring you exclusive insights along with year-over-year analysis (you can find our methodologies at the bottom of the page).
Our research helps you understand the progress your peers have made on their data security initiatives while shedding light on the evolving threat landscape to help you plan your security strategy accordingly.
Data security comprises the controls and technology required to protect sensitive information such as customer data, financial records, and intellectual property. Data is commonly a company’s most valuable resource and the level of effort made to protect it often means the difference between success and failure.
In 2020, every facet of life has been affected by COVID-19, including data security. The sudden shift to remote work created new security threats for businesses big and small. That’s why it wasn't necessarily a surprise when our survey revealed that limited security for remote workers is the single most common vulnerability businesses are facing today.
We asked IT security managers (who made up 83 of our 868 respondents) to select the top five vulnerabilities their company is facing. Here’s what they said:
Limited network security was a close second behind concerns about remote work security; careless employees, unauthorized applications, and mobile device security rounded out the top five. Other responses included web application vulnerabilities (25%), software/programming bugs (24%), and poor password practices (24%).
If yours is one of those companies struggling with remote work security, you can start making improvements by developing a formal remote work policy and by adopting the right software tools that ensure company data is safe when accessed remotely.
Read our guides:
A fundamental element of information security is controlling access to data. The principle of least privilege states that an employee should be allowed only the minimum level of data access needed to perform their job. This is key to preventing breaches that are caused both by malicious data theft and accidental data loss.
A full half (50.7%) of the companies that reported a data breach in the last 12 months allow full access to all company data, compared to only 12.6% of companies that strictly limit data access to what employees need to do their job. In other words: businesses that allowed access to all company data were four times as likely to experience a data breach compared to those that limited access to relevant data.
These statistics are a clear call to action for businesses that don't already restrict data access rights or use privileged access management software. Even something as simple as securing folders and directories within Windows or limiting access to a shared Google Drive helps; any effort made to restrict access will strengthen your security posture and reduce the chances of a data breach.
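As an added illustration of the "securing folders within Windows" step above (example code written for this page, not from the GetApp report), the following PowerShell audits a shared folder for over-broad NTFS grants and replaces them with a least-privilege ACL. The folder path and the group name CONTOSO\FinanceTeam are placeholders; run it as a local administrator on a test folder first.

```powershell
# Added example, not part of the original report. Applies least-privilege NTFS
# permissions to a shared folder. $Path and $Group are hypothetical placeholders.
param(
    [string]$Path  = 'C:\Shares\Finance',    # hypothetical shared folder
    [string]$Group = 'CONTOSO\FinanceTeam'   # hypothetical AD group that needs access
)

# Principals that effectively mean "all company data for everyone".
$broad = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')

$acl = Get-Acl -Path $Path

# 1. Audit: list any ACE that grants access to a broad principal.
$acl.Access |
    Where-Object { $broad -contains $_.IdentityReference.Value } |
    ForEach-Object {
        Write-Host "Over-broad ACE on $Path : $($_.IdentityReference) -> $($_.FileSystemRights)"
    }

# 2. Stop inheriting from the parent (isProtected = $true) and discard the
#    inherited ACEs (preserveInheritance = $false) so parent-level grants
#    such as BUILTIN\Users no longer flow into this folder.
$acl.SetAccessRuleProtection($true, $false)

# 3. Remove any explicit over-broad ACEs that were set directly on the folder.
foreach ($ace in @($acl.Access)) {
    if ($broad -contains $ace.IdentityReference.Value) {
        [void]$acl.RemoveAccessRule($ace)
    }
}

# 4. Grant the business group Modify (read/write/delete, but not the right to
#    change permissions) and keep FullControl for Administrators only.
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$groupRule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    $Group, 'Modify', $inherit, $prop, 'Allow')
$adminRule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    'BUILTIN\Administrators', 'FullControl', $inherit, $prop, 'Allow')
$acl.AddAccessRule($groupRule)
$acl.AddAccessRule($adminRule)

Set-Acl -Path $Path -AclObject $acl

# 5. Verify: the resulting ACL should list only the group and Administrators.
(Get-Acl -Path $Path).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```

Re-run the audit step on a schedule to catch folders that drift back to "Everyone" access after a share is re-created or copied.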
A data classification system is typically used to categorize information based on sensitivity. Understanding the sensitivity of different types of information helps you identify where to implement access controls and restrictions.
Critical data that could lead to financial, reputational, or legal damage if compromised is often classified as confidential, sensitive, or restricted. Company information that’s freely available on the internet or via other sources is usually labeled as public. Though there are no universal standards for data classification, our survey found that the most-used categories are public, internal, and confidential.
While 82% of employees reported that their organization uses a data classification system, these programs alone have proved insufficient to restrict access and prevent data breaches.
Sixty-two percent of companies with a data classification policy still provided employees access to more data than they need. Such companies were two-and-a-half times as likely to experience a data breach compared to companies with a data classification policy and restricted data access.
Need to develop a data classification system for your business? Read our guide.
Phishing is one of the oldest tricks in the internet’s book—and it isn’t going anywhere. This year’s results showed a concerning rise not only in phishing numbers, but also in effectiveness. In 2019, 73% of workers in our survey reported receiving phishing emails, compared to 80% this year. Even more worrisome, reports that someone within their organization had clicked on a malicious link in a phishing email surged by 15%.
This jump in employees clicking malicious links suggests that phishing emails are becoming more difficult to detect. That might be because spear phishing attacks are increasingly tailored to individuals while more and more executives are targeted by business email compromise (BEC) schemes due to their access to confidential information and payment mechanisms.
When we looked into the departments of respondents who themselves admitted to clicking on a malicious link, marketing employees were the most likely to have done so at 38%.
Clearly, executives must take extra precautions when it comes to digital communication channels to ensure they aren't manipulated into making bogus wire transfers or disclosing sensitive data. However, our research also points to a need for enhanced training of marketing staff to help them guard against social engineering tactics used in phishing ploys.
On the bright side, the percentage of workers who reported receiving a phishing test from their employer increased from 30% to 44% year-over-year. But that’s still less than half, leaving plenty of room for improvement.
To help, we’ve created a guide to spotting phishing emails (which includes a phishing test so you can assess your detection abilities).
An account takeover (ATO) occurs when a cybercriminal gains unauthorized access to an online account using a stolen username and password. ATOs commonly result in unauthorized transactions and the exposure of sensitive information. Our research found that 37% of workers have experienced an account takeover.
Account takeovers were already skyrocketing before COVID-19 pushed even more transactions online. From 2018 to 2019, TransUnion reported a 347% increase in account takeovers targeting online retail customers. And increased reliance on eCommerce will only make things worse.
Account takeover schemes are magnified by poor password practices that make it easy for cybercriminals to commandeer multiple online accounts. Our research* on password practices found that 53% of consumers use the same password for multiple accounts. That means if a hacker gets hold of a single password, they might gain access to several different accounts.
Whether or not a company uses security software is another factor in account takeovers. We took a closer look and found that 63% of respondents who didn't experience an ATO said their company uses email security software, compared to only 42% of employers of account takeover victims. This data suggests email security software may substantially mitigate account takeovers that begin with phishing emails.
Ultimately, the best way to prevent an account takeover is to add another layer of account protection by using two-factor authentication (2FA) whenever possible.
Authentication measures ensure that the right person is able to access the right data, while safeguarding information from unapproved users. Over the last year, the use of authentication measures advanced significantly. The use of biometric data security measures increased from 27% in 2019 to 53% in 2020. This sharp increase may be driven in part by the increased use of laptops and mobile devices to support remote work, as these devices commonly include fingerprint and facial recognition security features.
The adoption of two-factor authentication—one of today’s most important information security features—made considerable progress over the last year. The percentage of workers saying they use 2FA for some or all business applications rose from 64% in 2019 to 82% in 2020. Interestingly, the share of those who use 2FA for only some business applications remained nearly unchanged, while workers who use 2FA for all business applications jumped from 21% to 38% year-over-year.
Interested in learning about different authentication methods? Read our guide.
Few cybersecurity threats have made a bigger impact in recent years than ransomware, taking down everything from hospitals to entire cities. Our survey found that 28% of businesses have suffered a ransomware attack in the past 12 months. Of those businesses, 75% paid the ransom. The remainder either removed or decrypted the ransomware, recovered using a data backup system, or were forced to accept permanent data loss.
Of those businesses that paid the ransom, 70% recovered their data. But that also means 30% made a payment only to get nothing in return. And many of them lost tens of thousands of dollars.
According to our survey respondents, ransomware payments ran the gamut from relatively small amounts under $5,000 to business-crippling payments of up to $100,000 (only one respondent reported a payment exceeding $100,000). Nearly half (48%) of all ransom payments exceeded $25,000.
Be aware that ransomware tactics are evolving from straightforward extortion into something more closely resembling blackmail. That’s because rather than simply encrypting your data, more and more ransomware operators are downloading and threatening to release it on the internet.
In other words, ransomware is now a data breach threat and victimized organizations may be required to report the attack while facing potential regulatory fines and reputational damage.
Learn about the history of ransomware and how it’s evolving. Read our report.
Which would you prefer: a lecture on cybersecurity or a digital simulation that requires you to hunt down security threats? Our survey revealed that 17% of businesses are using AR and VR for training purposes, up from just six percent in 2019. In some industries (including digital marketing and accounting), these numbers are as high as 35%.
Offline modes of security training, such as on-the-job and classroom instruction, saw decreases across the board while the use of digital training tools (online training programs, webinars, etc.) saw an equivalent increase. Businesses are also mandating more frequent training. Seventy-one percent of employees say they are required to undergo security training at least once per year, up from 57% in 2019.
Businesses continue to concentrate their training programs on data privacy and cybersecurity. And while slightly more employees are being trained on social engineering techniques in 2020, fewer employees said they received training on acceptable use policies, social media guidelines, and onsite security.
With attacks such as phishing, ransomware, and account takeover on the rise, security awareness education might be the most important action you can take. Case studies and interactive elements can make dry security training more compelling for employees. And that’s crucial, because well-informed and vigilant employees are often your best defense.
Lacking an IT security policy and not sure where to start? Read our guide.
Data privacy is becoming more relevant as businesses embrace digital transformation and more of our personal information moves online. A full 86% of survey respondents say their company has become more concerned about data privacy over the past 12 months. This was a 12% increase over a similar survey** we ran in July 2019.
Clearly, data privacy concerns have risen sharply in recent years. We asked respondents about the reasons their company has become more concerned about data privacy; this is what they said:
While protection of sensitive customer data and proprietary company information are by far the leading causes for rising privacy concerns, business shifts due to COVID-19, evolving customer expectations, and maturing data privacy regulations all made significant impacts.
Familiarity with new data privacy regulations has improved since 2019. The percentage of IT professionals familiar with the EU’s General Data Protection Regulation (GDPR) climbed from 66% to 78%, while knowledge of the California Consumer Privacy Act (CCPA) soared from 57% to 78% year-over-year.
Just as the public is getting to know the CCPA, the California Privacy Rights Act (CPRA) will appear on November’s ballot and—if passed—will amend and strengthen the CCPA while establishing a new state agency dedicated to its enforcement—the first of its kind in the U.S.
After a long delay, Brazil recently passed its federal data security law, the Lei Geral de Proteção de Dados (LGPD). India is poised to enact the similar Personal Data Protection Bill (PDPB) in the coming months. All businesses must stay up-to-date on privacy laws in the U.S. and abroad to ensure regulatory compliance and avoid costly fines.
Check out our guide to the latest data privacy challenges you should know about.
Understanding how your peers are keeping up with data security helps to gauge your company’s progress. In this section, we take a look at data security trends in seven key industries.
(Note: More than two dozen industries were represented in our survey. In this section, we’ve covered the seven industries that individually made up six percent or more of the total sample. References to average values relate to the full sample of all industries.)
Accounting was among the industries hit hardest by cyberattacks, reporting significantly higher-than-average exposure to ransomware, phishing, data breaches, and account takeovers. A whopping 63% of respondents at accounting firms reported a ransomware attack over the previous 12 months, compared to the 28% average.
Perhaps not coincidentally, accounting firms also happen to allow disproportionately more access to data than needed. Half of employees in the accounting industry had access to all company data, nearly double the 26% average.
The percentage of employees in BFS with access to all company data more than doubled in the last year, which could be one reason 43% of financial services businesses experienced a data breach. The percentage of BFS employees who clicked on a phishing link increased from 52% in 2019 to 67% in 2020. Forty-seven percent of BFS firms also experienced account takeover attacks, compared to the 37% average.
On the security tools adoption front, 45% of financial service firms now use two-factor authentication for all their applications, up from just 18% in 2019. Two out of three (67%) reported using biometric security measures.
A full 50% of digital marketing respondents reported that employees have access to all company data, nearly twice the 26% average. Moreover, eight percent of respondents said their digital marketing business doesn’t use any security software, higher than any of the other six industries in this section.
Sixty-three percent of digital marketing companies experienced a data breach, compared to the 35% average. Digital marketing businesses are also increasingly targeted by phishing attacks. Employees in this sector who received phishing emails jumped from 66% to 83% year-over-year, the largest increase among the industries compared here.
The education vertical was the most likely of the seven industries to limit employee access strictly to the data needed to perform their jobs. This is likely a reason why only 16% of those in the education industry reported a data breach at their organization, less than half of the 35% average.
Educational organizations have made progress adopting data classification systems, up from 58% in 2019 to 70% in 2020. But only 68% of respondents in education said their data classification system is part of a formalized policy, compared to the 86% average.
The healthcare industry has some of the most mature data security practices, thanks to long-standing compliance regulations such as HIPAA. Only eight percent of healthcare industry employees had access to all company data, much lower than the 26% average.
Healthcare businesses were also far less likely to experience a data breach compared to the average (12% vs 35%) while their exposure to ransomware attacks was only a quarter of the average for all industries (7% vs 28%). They also reported a decrease in phishing attacks, down from 26% to 20% year-over-year.
Despite all this, healthcare respondents say "careless employees" are the industry's primary security vulnerability. This contrasts with most other industry segments that mentioned limited remote work security as their top vulnerability in 2020.
The IT services industry results were a mixed bag. Though more IT service businesses adopted a data classification system (from 73% to 93%), the percentage of employees with access to all company data has also risen (from 11% to 28%).
While the IT services industry has experienced marginally higher-than-average numbers of phishing attacks, data breaches, and account takeovers, the percentage affected by ransomware was slightly lower than average.
At only 51%, companies in the retail and food services industry were the least likely among the seven industries to report using a data classification system. Surprisingly, only seven percent of employees in the retail industry had access to all company data compared to the 26% average. Like the healthcare industry, the top security vulnerability for retail businesses is also "careless employees."
Of the seven industries, retail employees were the least familiar with privacy regulations such as GDPR and CCPA. Interestingly, 33% of retail businesses victimized by ransomware were able to recover data using their data backup, thanks to higher-than-average adoption of data backup software in the industry.
It’s often simple practices such as limiting data access and setting strong authentication protocols that help prevent unauthorized disclosure of company information. Technologies such as email security, data encryption, and endpoint protection further aid security by mitigating cyberattacks.
But in the end, the answer to "What is data security?" is more than just access controls and technology; it’s a mindset that starts with education and ends with execution.
Head over to our IT security software directory to learn more about the tools that help boost your company’s data security practices.
GetApp’s 2020 Data Security Survey was conducted from September 10 to September 11 among 868 respondents who reported full-time employment. Of the 868 respondents, 267 identified as IT professionals and 83 identified as their organization’s IT security manager.
GetApp’s 2019 Data Security Survey was conducted in June 2019 among 714 respondents who reported full-time employment. Of the 714 respondents, 207 identified as IT professionals.
Other research cited
* GetApp’s Password Survey was conducted in January 2020 among 487 respondents to learn more about consumer password behaviors.
** GetApp’s Data Privacy and Consent Management Survey was conducted in July 2019 among 178 respondents who reported full-time employment at companies that do business through their website.