27 data security stats that matter

The workplace and operational disruptions caused by the COVID-19 pandemic have opened new data protection challenges for organizations across all industries.

With more employees working from home and other remote locations, enterprise data has become more widely distributed and needs to be protected across a broader range of managed, unmanaged, and personal devices. The trend has been exacerbated by the accelerated adoption of cloud and SaaS offerings as a result of the pandemic. Security teams now must protect customer, employee, and business data not just on premises, but across home, public cloud, and hybrid environments as well.

Data privacy regulations, though not the primary driver anymore, continue to be a major source of additional pressure on security teams to protect sensitive data.

Here are key statistics, culled from a variety of reliable sources, that your data security team needs to be aware of.

Data privacy and protection

93%: Percentage of security professionals who say their organization turned to the data privacy team to help guide their response to the COVID-19 pandemic.

A survey of more than 4,700 security professionals showed that organizations with more mature security practices are in a much better position to handle new and emerging privacy regulations compared to organizations with less mature practices.

Source: Cisco Privacy Benchmark Study 2021

34%: Percentage who said data privacy had become one of the core responsibilities for the cybersecurity team.

Likely as a result, average privacy budgets doubled to $2.4 million in 2020 compared to the prior year.

Source: Cisco Privacy Benchmark Study 2021

94%: Percentage of data, privacy, and security professionals who say compliance with data privacy regulations is a top priority for their organization.

At the same time, nearly half (45%) also professed to not being concerned about fines and penalties for noncompliance.

Source: The Intersection of Data Privacy and Cybersecurity (Corinium and Okera)

13: Total number of enforcement actions that the FTC took between July 2020 and August 2021 against organizations for violating consumer privacy rights or for failing to properly secure sensitive consumer information.

That number marked a sharp drop from the nearly three-dozen cases that the FTC initiated against various organizations between July 2019 and August 2020.

Source: FTC

63%: Percentage of consumers who consider an organization's data collection and storage practices to be the most important factor when they share sensitive information with the organization.

Fifty-seven percent consider their ability to control what data of theirs the organization shares as critical, and 51% cited the brand's trustworthiness as the most critical factor when sharing data with an organization.

Source: EY Global Consumer Privacy Survey

Data encryption, tokenization, and masking

50%: Percentage of respondents who say their organizations have an overall data encryption strategy that is applied consistently across the entire enterprise.

The global survey of 6,610 individuals marked the sixth year in a row when the number of organizations reporting consistently applied encryption polices has steadily increased year over year. In 2015, the percentage stood at 37%, and in the last survey it was 48%

Source: The 2021 Global Encryption Trends Study (Ponemon Institute, for Entrust)

65%: Share of survey takers who say the biggest barrier to successful data encryption is discovering where sensitive data resides across the organization.

Thirty-four percent describe data classification as the biggest encryption-related challenge, and 43% say it is the initial deployment of encryption technology.

Source: The 2021 Global Encryption Trends Study (Ponemon Institute, for Entrust)

60%: Proportion of organizations that transfer sensitive data to the cloud whether it is first encrypted or not.

Another 24% plan to do the same thing within the next two years, suggesting that many organizations view the benefits of cloud computing as outweighing potential security risks.

Source: The 2021 Global Encryption Trends Study (Ponemon Institute, for Entrust)

$1.9B: Size of the global market for data tokenization technologies in 2020. The market is expected to grow at a CAGR of 19.5%, to $4.8B in 2025.

The major factors driving the tokenization market include regulatory compliance and the increasing need for organizations to support contactless payment and cloud-based tokenization services and technologies.

Source: MarketsandMarkets Research

$484M: Size of the data masking market in 2020. By 2026, global demand for masking technologies that help organizations obfuscate sensitive content is expected to top $1B.

Much of the momentum for data masking technologies is expected to come from the healthcare industry, which has been one of the biggest targets for attackers in recent years—and especially since the COVID-19 outbreak in early 2020.

Source: Mordor Intelligence

82%: Share of organizations that use a data classification system to categorize data by sensitivity so that appropriate access controls and restrictions can be applied based on level of sensitivity.

However, many organizations are undermining the benefits of data classification by providing employees with access to more data than required for their function.

Source: 2020 State of Data Security Report (GetApp)

Cloud and data security

52.9%: Percentage of organizations that currently store employee records in the public cloud.

In addition, slightly more than 51% store business intelligence data in the cloud; some 50% have uploaded financial and accounting data and 42% store sensitive customer data in the cloud. The data suggests that many organizations are implicitly trusting their cloud service providers to have controls for adequately protecting their sensitive data.

Source: SANS 2021 Cloud Security Survey

44%: Percentage of cloud user privileges that are misconfigured, thereby exposing organizations to heightened risk of data exfiltration and account takeovers.

Sixty percent of cloud users are shadow administrators, meaning they have unauthorized privileged access to data without the security team's knowledge or oversight.

Source: 2021 SaaS Report (Varonis)

15%: Share of employees who transfer critical business data to personal cloud accounts.

Administrators that assume business-critical data always remains in enterprise-sanctioned cloud services are making a mistake. Employees—many with privileged access—often transfer enterprise data to cloud services outside the security team's purview. This can include personal cloud accounts.

Source: 2021 SaaS Report (Varonis)

40%: Share of organizations that reported incidents involving unauthorized access to enterprise data and applications as the result of a cloud-misconfiguration issue.

The most common cloud misconfigurations include poorly configured identity and access management controls, unprotected externally facing workloads and overly permissive account permissions.

Source: The Maturation of Cloud-Native Security (Enterprise Strategy Group for Lacework)

34%: Percentage of IT and security managers who believe that more investment is required for cloud-native controls that prevent data loss for object stores.

Other areas that survey respondents said would benefit from increased investments include cloud security posture management (38%) and cloud workload protection platforms (37%).

Source: The Maturation of Cloud-Native Security (Enterprise Strategy Group for Lacework)

Fourfold: How much more likely an organization will experience a data breach if it provides full data access to all employees compared to a company that doesn't.

More than half (50.7%) of all organizations that reported a data breach in the previous 12 months gave employees full access to all company data, compared to just 12.6% or organizations that applied the principle of least privilege to control access to data.

Source: 2020 State of Data Security Report (GetApp)

11M: The number of files that an average financial services employee has access to daily. At larger financial enterprises, the average employee has access to some 20M records daily.

Nearly two-thirds of financial services companies leave more than 1,000 files containing sensitive data open to access by every employee. Nearly six in 10 gave out over 500 passwords that never expire.

Source: 2021 Data Risk Report (Varonis)

Zero-trust security

64%: Percentage of organizations that use a zero-trust, least-privileged access approach as a guiding principle to control access to their data, most or all the time.

However, centralized data management, which is key to enabling granular control, continues to be a major challenge at many companies.

Source: The Intersection of Data Privacy and Cybersecurity (Corinium and Okera)

88%: Percentage of CISOs in survey who said that adopting a zero-trust approach to data security was either "important" or "very important."

Forty-five percent of them said the top priority for implementing a zero-trust approach was better controls for identity and access management.

Source: The CISO View 2021 Survey: Zero Trust and Privileged Access (CyberArk)

87%: CISOs who view just-in-time access controls as a "very important" or "important" component of a zero-trust approach.

An almost identical share (89%) described controls for connecting uses to specific resources was critical to zero-trust access control.

Source: The CISO View 2021 Survey: Zero Trust and Privileged Access (CyberArk)

56%: Percentage of 420 IT professionals who continue to equate zero trust with technology rather than an approach.

Forty-three percent described zero trust as a security strategy based on an assumed-breach approach supported by continuous authentication, vetting, and risk evaluation for every request.

Source: The State of Zero-Trust Security Strategies (Enterprise Strategy Group for Axis Security)

51%: Organizations that are deploying a zero-trust approach as part of a broader enterprise security modernization program.

Contrary to perception, enabling secure remote access for employees and external parties is only the third-biggest driver (41%) of zero-trust initiatives. The second-biggest driver after modernization is reducing the number of security incidents.

Source: The State of Zero-Trust Security Strategies (Enterprise Strategy Group for Axis Security)

Big data security

56%: Share of enterprise IT managers and executives in a survey who described security as one of their biggest challenges to getting more value from data lakes.

Other major reasons include slow querying times, governance and metadata issues, and challenges related to manageability and scalability.

Source: Key Trends in Hybrid, Multicloud and Distributed Cloud for 2021 (Yellowbrick)

57%: Organizations that are not, or cannot, use a cloud data warehouse because of security concerns.

Security is the top, but not the only, reason keeping some organizations from using a cloud data warehouse or data lake. Unpredictable costs (38%), concerns over potential performance issues (37%), and regulations pertaining to cloud data security (32%) are other gating issues as well.

Source: Key Trends in Hybrid, Multicloud and Distributed Cloud for 2021 (Yellowbrick)

41%: Percentage of IT and security managers who perceive big data security analytics technologies as very important to protecting enterprise data in the future.

In addition, 21% view these tools as very important right now. Organizations in the telecommunications, IT, and retail sectors in particular view big data security analytics as playing a crucial role in their security strategies over the next few years.

Source: Big Data Security Analytics (KuppingerCole and BARC)

50%: Percentage of survey respondents who cited data privacy as one of the biggest challenges to implementing big data security analytics in their environment.

A gap exists at many organizations between the perceived benefits of big data security analytics and actual implementation of the technology. In addition to privacy, other concerns include cost, data quality, and inadequate analytical skills.

Source: Big Data Security Analytics (KuppingerCole and BARC)

New era, new approaches required

Enterprise security teams are under greater pressure than ever to protect enterprise data against theft, misuse, and other malicious actions. The shift to a more distributed work environment and the rapid adoption of cloud and SaaS services since the COVID-19 pandemic began has complicated the security challenge and heightened the need for organizations to adopt new approaches—such as zero-trust models.