The state of data security

Learn what leading data security professionals think are their biggest concerns.
Published year: 2023

Introduction

Data security is a vital issue and one of the most significant challenges in today’s technology world. Defined as the practice of protecting critical systems and sensitive information from digital attacks, maintaining data security is paramount for IT and technology professionals around the globe, regardless of the size of their organization and the industry they are involved in.

New security challenges and threats arise every day, due to factors like the increasing value of sensitive data to malicious actors, the rise in remote work, and the subsequent growth in ways to access and store data.

What’s more, software, data, and applications stored in the cloud are becoming ever more prevalent and commonly used, due to their efficiency, cost, and effectiveness. However, the rise of the cloud also means an associated increase in cloud-related vulnerabilities. And this means that new security measures and considerations need to be taken.

WinZip®, a leader in data security and compliance solutions, actively surveyed world-class organizations to gain a deep understanding of the current state of data security.

Read on to learn about what leading data security professionals think are their biggest concerns and how they are overcoming these challenges.

Key takeaways

Some of the most notable discoveries from this survey included the data points and observations described below.

While data security is extremely important for most organizations, a significant number have somewhat limited confidence in their data security, with 21% reporting that they were not confident their organization would avoid a security breach in the next year.

Moreover, 41% reported that they did indeed have a security breach in the past twelve months.

35% of organizations (the largest segment of respondents) reported that their data security budget was between $100,000 and $500,000 USD, and 74% expected this budget to moderately or significantly increase in the next year.

The top internal data security threats reported were employee mistakes and negligence (human error) at 55%, weak passwords or poor password hygiene at 51%, and mobile device vulnerabilities at 38%.

The top external data security threats were malware and ransomware attacks leading at 64%, cloud vulnerabilities at 42%, and social engineering or phishing attacks at 38%.

The most commonly encrypted type of data reported was financial records at 59%, followed by employee data at 58%, and customer information at 57%.

Survey demographics

The purpose of this survey was to gain insight from IT and data security professionals at larger organizations and to learn more about their current practices and biggest challenges regarding data security and data encryption.

We received responses from 472 IT professionals who reported being responsible for, or involved in, data security at organizations of 5,000+ employees; respondents came from a global population sample that included the United States, Canada, the United Kingdom, Australia, the Netherlands, Belgium, Germany, Switzerland, South Africa, and the United Arab Emirates. The industries they represent include software development, finance, ecommerce/retail, manufacturing, healthcare, and more.

Using Qualtrics’s* research tools and communities to gather this anonymous data sample in February and March 2023, we asked the aforementioned group to answer the questions covered in the report that follows. Their job roles and titles are detailed in the chart below.

Jobs Graph

The state of data security

The first section of the survey focused on capturing the current mindset and thoughts around data security, particularly the most significant threats that data security professionals are facing right now and in the near future.

We captured their state of mind and assessed where the data security industry as a whole was headed, along with their top priorities and primary worries or concerns.

For instance, 79% of respondents reported that their organization works with personally identifiable information (PII), payment card information (PCI), or personal health information (PHI). So perhaps it is only logical that a significant majority, or 87% of those surveyed, reported that security was of significant importance at their companies.

Read on to discover the key trends and what today’s data security professionals consider to be the most significant threats that they and their organizations are facing...

Importance of data security

Nearly every respondent—86%—placed significant value on data security at their organization and rated it as “extremely important to their organization”. This is fairly standard, given that our sample was made up of IT professionals and those in similar roles who identified themselves as being responsible for data security at their respective companies.

Importance Graph

Handling sensitive information

Most of the respondents—79%—reported that their organization was responsible for sensitive data, including personally identifiable information (PII), personal credit information (PCI), and personal health information (PHI).

Rating their organization’s current data security

While few respondents ranked their organization’s security as weak (this is expected since, although the survey was anonymous, people are unlikely to report that their organization has security problems), the responses did not indicate a full sense of confidence either. With 48% rating their organization’s security as very strong and only 40% as somewhat strong, there’s still room for improvement.

Security Rate Graph

Threats to data security

It might seem that new threats to an organization’s data security pop up every month or even every week. While that might be a slight exaggeration, there’s no denying the fact that sensitive data is under attack and there are threats both external to an organization (like cloud vulnerabilities or ransomware attacks) and internal (user error).

In the following section, we will cover historic security breaches, the internal and external threats that are most concerning to IT industry professionals, and organizational confidence in data security as of spring 2023.

Previous security breaches

While most respondents reported that they did not experience a security breach in the past year, 41% did indeed have a security issue significant enough to warrant a “yes” response to our question. This is somewhat in line with statistics indicating that 45% of U.S. companies have dealt with a data security breach of some kind. With the average cost of a data breach at $4.35 million USD in 2022, the aforementioned 41% is quite alarming.

Security Breach Graph

Primary data security threats in 2023

Some security issues pose a bigger challenge than others. While most of the respondents rated their current security as at least adequate, 64% reported that malware and ransomware attacks were of primary concern, at least regarding external threats.

While that information is not unanticipated considering the prevalence and awareness of these threats in the industry (and amongst the general public), what is particularly intriguing is how 42% of respondents reported that cloud vulnerabilities were second on the list of security threats with outside origins.

With cloud adoption growing at an astonishing rate, it follows that savvy security and IT professionals are taking security in the cloud into account. Social engineering and stolen or compromised credentials were also prominent concerns, as were internal threats such as various types of human error, including weak passwords or employee negligence.

Internal threats to sensitive data

While we often think of external factors such as hackers or other malicious actors as being the most significant threats to sensitive data, internal issues can be just as problematic, if not more so. After all, organizations may be more prepared for an outside attack than a problem that stems from within, and 82% of overall security breaches in the U.S. were at least partially caused by human error.

The top three internal threats (as reported by survey respondents) were employee mistakes and negligence (human error) at 55%, weak passwords or poor password hygiene at 51%, and mobile device vulnerabilities at 38%.

Internal Threats Graph

External threats to sensitive data

There’s no denying that there are more external threats to data than ever before, with sensitive data like PCI, PHI, and PII becoming increasingly valuable on the open market.

What’s more, with the growing popularity of the cloud, vulnerabilities in the cloud have become a significant challenge. In fact, it was the second most reported external threat at 42%, with malware and ransomware attacks leading at 64% and social engineering or phishing attacks at 38%.

External Threats Graph

Organizational confidence in current data security methods and measures

With 64% of data security professionals believing that their organizations will not experience a data breach in the next year (and with most respondents ranking their data security as very or somewhat strong), it is not surprising that, while organizations are spending a substantial amount on data security, they are also fairly confident in their solutions.

The key takeaway? A significant number of our respondents believed that their data security strategies are effective, but they still need to protect their organizations from current and future threats, which may underscore the planned increase in spending.

Breach Confidence Graph

Spending on data security

The costs of data security vary widely by industry and the type of data that different organizations must handle, of course, but overall, our survey respondents are spending at least six figures (in USD) on their security measures. This does include software costs as well as the support efforts required to deploy and maintain said software.

With the ever-growing number of potential security threats detailed above, organizations plan to increase their security expenditures, with 74% of respondents reporting that they planned to raise their security budgets moderately or significantly in the coming year.

This may or may not be connected to remote work and the need for secure remote access or the rapid adoption of the cloud. That said, IT professionals are clearly putting data security at the forefront of their minds—and budgets.

Current data security expenditures

The majority of respondents are spending six figures and upwards on data security, which makes sense considering that the average cost of a data breach was $4.35 million USD in 2022. What’s perhaps more intriguing, however, is that a significant number of big spenders (11%) reported spending over $1 million, and 29% of respondents exceeded $500,000 in data security spending.

Security Expenditure Graph

Future data security expenditures

Given the increasing likelihood of a data breach happening and the associated costs, just over half of respondents, or 52%, reported planning a moderate increase in spending, and 26% reported a significant spending increase planned in the next year.

Security Investment Graph

Data encryption strategies

Data encryption can be defined as converting data from plaintext to ciphertext, which can then be decrypted only by a user who holds the encryption key. Accordingly, a data encryption strategy is, on the surface, a plan to ensure that an organization’s sensitive data is properly encrypted.

Nearly every respondent—95%—reported that their organization has a data encryption strategy in place. However, what is interesting is that 42% only encrypted certain data types or data that was considered particularly sensitive. This may point to gaps in data security or explain why respondents do not feel as confident in the strength of their organization’s security measures.

Main drivers for using encryption

Generally, the main driver for using data encryption at various organizations is to protect sensitive information of some kind, whether that is customer data at 69%, employee information at 59%, or intellectual property at 47%. Furthermore, 33% also reported complying with external regulations as a main reason they encrypt data.

One finding of note is that protecting employee information via encryption was valued nearly as highly as protecting customer data, which is somewhat unforeseen as the data security conversation often centers around customer or client data.

Encryption Drivers Graph

Commonly encrypted data types

The commonly encrypted data types include various types of personally identifiable information, including the somewhat anticipated customer information at 57%. The most commonly encrypted type of data reported, however, was financial records at 59%, with employee data at 58%.

Interestingly enough, securing employee information came up again as a priority, which may speak to the importance of encryption and data security for Human Resources and similar departments or roles.

Encryption Data Types Graph

Required regulatory compliance

Every organization must deal with some type of regulatory compliance or legislation that applies to their industry, with some organizations needing more oversight or more stringent regulations due to the type(s) of data that they handle.

Two of the most commonly required regulations, the CCPA (California Consumer Privacy Act) and the GDPR (General Data Protection Regulation), were near the top of the list at 29% and 28%, as predicted. However, the number one regulation that organizations must comply with, according to 33% of our survey respondents, was HIPAA (the Health Insurance Portability and Accountability Act), which is only applicable in the United States.

Furthermore, HIPAA is only relevant to the healthcare industry in the United States, while GDPR and CCPA are applicable across industries in the European Union and the United States respectively, as well as to foreign companies doing business in those locations.

Other requirements our survey respondents indicated are U.S.-centric, such as FIPS 197, FIPS 140-2, the GLBA Safeguards Rule, CPRA, and FISMA. These are also applicable to foreign companies that do business in the United States. PCI DSS, the Payment Card Industry Data Security Standard, is applicable globally to any company that accepts credit cards from major brands.

Only 6% of respondents reported that their organization does not need to comply with any regulations.

Regulations Graph

Conclusion

Addressing these security challenges in 2023 and beyond

During our research process, we observed these key trends...

  • Data security is extremely important for most organizations, but confidence is limited, and respondents reported concern about the likelihood of experiencing a data breach at their organizations.
  • Almost half of respondents actually did experience a security breach in the past twelve months.
  • Budgets for data security at larger organizations run at least six figures, and over three-quarters of respondents plan to increase spending in the next year.
  • Human error is perceived as the biggest internal threat to data security.
  • Externally, malware and ransomware attacks were the leading reported data security threat, followed by cloud vulnerabilities and social engineering or phishing attacks.
  • Employee data security was more prominent than we anticipated and the second most encrypted data type.

In addition to the above takeaways, the research helped to uncover more key challenges that the data security industry faces right now, in a world where the cloud is becoming an increasingly popular solution and remote work is becoming the standard or de facto option.

We also focused on exploring the current state of the data security industry and technology used by IT professionals. With significant six-figure-plus security expenditures and an ever-increasing number of internal and external threats, most of our respondents reported significant confidence in their data security and data encryption solutions. In fact, 64% stated that they did not expect a security breach in the coming twelve months and 59% said they did not experience a security breach during the previous year.

This confidence could be the result of having proper security solutions in place, since 88% of respondents reported their current security solutions are either very strong or somewhat strong (as opposed to adequate or less). With hybrid and remote workers on the rise as well as a sharp increase in the use of cloud solutions, tools and software for securing data handled in the cloud are undeniably essential.

“As cloud solutions and platforms continue to grow and more employees are using their own devices, a secure workspace with access to company data and applications is essential. Organizations need to be able to make intelligent and strategic decisions about the security solutions they need and then apply those technologies in a way that deals with the core issues that enable flexibility and choice of decentralized IT.”

- Prashant Ketkar, Chief Technology and Product Officer at Alludo

This highlights the importance of zero-trust security, which operates under the following three principles:

  • All entities are untrusted by default.
  • Least privileged access is enforced.
  • Comprehensive security monitoring is implemented.

“Zero-trust security securely enables the anywhere, anytime, any device workforce, allowing companies to allow for remote and hybrid work environments. Its continuous and rigorous verifications ensure employees have a secure, uniform experience no matter where they are working while bolstering efficiency and productivity. In the remote and hybrid world zero-trust is not a choice, it should be a business mindset,” says Ketkar.

Protecting sensitive data with WinZip Enterprise

Equip your teams with the tools they need to protect your organization’s critical data at rest, in transit, and in the cloud. WinZip® Enterprise simplifies data security, policy enforcement, and regulatory compliance with IT-controlled file encryption, compression, and sharing. It supports secure multi-cloud file management and features a "break the glass" option for enterprise-wide password and file recovery.

This security solution works for organizations with on-site, remote, or hybrid workers handling critical data, stored anywhere. Combined with other solutions or used as a primary data security and encryption tool, WinZip Enterprise enables organizations of all sizes to adapt to today’s evolving business needs.

Discover how WinZip Enterprise can add an additional layer of security to your organization today.