Portal26 Research Report
Enterprise Security Priorities for 2023
Portal26’s Enterprise Security Priorities for 2023 finds that an overwhelming majority of organizations (92%) intend to increase their cyber budgets for 2023. Of all the anticipated challenges for 2023, data security was at the top of the list. Attackers are expected to target large corporations without industry focus. We expect to see data other than PII targeted for ransomware and extortion. Further, survey participants indicated that they plan to look beyond conventional data security techniques such as traditional tokenization, towards encryption-in-use and modern tokenization that supports search and analytics without decryption or detokenization.
2022 was filled with news headlines covering one major cyberattack after another. Even as enterprises increased their security investments and seemingly improved their security postures, this was not reflected in attack and data breach statistics. In 2022, at Portal26, we conducted both the Data Exfiltration and Extortion Survey and the State of Enterprise Tokenization Survey to gain a better understanding of what was really going on with data security in the context of these frequent and ferocious attacks.
As 2022 rolls to a close, we are interested in a quick look back at the top risks and challenges that were faced in 2022, especially in the context of data security, as well as expectations for 2023 on those same topics.
We undertook this survey to get first-hand data on enterprise sentiment regarding cybersecurity risks, challenges, budgets, and priorities for 2023 and, where possible, to compare that sentiment against 2022 expectations.
Portal26 commissioned an independent third party to conduct this study. In this original research study covering 100 enterprises, we asked the above question and we are delighted to present our findings in the form of this report.
Ultimately, the data showed that enterprises know data security is at risk and are prioritizing data security for 2023. Increased investment via larger budgets should make 2023 a good year for data security and for Portal26. We offer this data to you, our readers, so that you have the information you need to make a strong case for improving data security in your organization. As always, please feel free to write with questions or comments.
Summary of Study Participants
Portal26’s Enterprise Data Security Priorities for 2023 survey included 100 participants across the United States from a variety of industries. Participants were all security professionals. We requested a wide distribution across regions and cities, and participation reflected this. See chart below for a breakdown of survey participants.
Ransomware Remains Concerning, Insider Threats Even More So
The study found that enterprises expected malware to be their biggest challenge in 2023, followed by insider threats, ransomware and related extortion, and phishing. This represented a slight reordering of expected threats relative to 2022, where malware was followed by ransomware and related extortion, then insider threats, and then phishing. This did not represent a big change, since the absolute percentage of surveyed enterprises who were worried about ransomware, insider threats, and phishing remained approximately the same across both years. Malware, however, has more enterprises worried for 2023 than it did for 2022. Note that these threats can overlap: insiders can have a hand in ransomware attacks, phishing can be a source of malware, etc.
Attackers Expected to Reduce Vertical Specific Focus
While in 2022 enterprises believed Financial Services to be most targeted, followed by large corporations (not industry specific), government, healthcare, and education, their expectations for 2023 are that attackers will target enterprises more broadly. For 2023, the expectations are that attackers will go after any large corporation over 40% of the time. Industry-specific targets would be financial services, government, healthcare, and education, in that order. This change can be attributed to attack patterns that were witnessed in 2022, with attackers going after a much broader set of targets relative to prior years.
The change in sentiment found by the study is interesting in three respects. First, we can see that enterprises are expecting to be targeted by cyberattacks regardless of the industry segment they are in. Any large corporation is expected to have something of value for cyber attackers. Second, with Healthcare being heavily targeted last year, there has been a wave of education as well as regulation that has made it much harder to be successful. Finally, several attacks on healthcare and critical infrastructure had terrible human consequences such as loss of life. From an attacker's perspective, the collateral damage was worse for their bottom line since it created a sentiment of “not paying ransom” regardless of the cost. This has cost attackers revenue that would have come easier prior to this type of sentiment becoming popular. At the end of the day, it did not make business sense to go after highly regulated verticals when the payout was just as good elsewhere.
We were also curious to learn if participants had prioritized their 2023 cybersecurity initiatives according to their expectations of attack patterns. The following question covered this area.
Data Protection is the Top Priority for 2023
The study found that over 30% of participants are prioritizing Data Security over everything else. This is followed closely by Preventing Ransomware.
A Majority of Participants Experienced a Data Breach in 2022
Over 60% of participants in the study had experienced a data breach in 2022. This explains why Data Security is the top priority for 2023. Given the connection between malicious attacks, ransomware and data breach, we can understand why enterprises are concerned about all these areas and looking to prioritize 2023 programs accordingly.
It is also interesting to note in the chart above that compliance came in last place as far as 2023 priorities. We do not believe this means that compliance is not important. Rather, we believe that this reflects a check-the-box sentiment that might have existed among security teams earlier.
When cyberattacks are as frequent as they have become, security teams can no longer rely on the bare minimum controls as required by compliance. Security needs to focus on substantially securing enterprise data from being compromised.
Breaches Were Identified Faster than Prior Years
The study showed some positive data on the breach front with over 90% of participants reporting data breaches identified within a week. Another approximately 10% took between a week and a month. This represents a considerable improvement over prior surveys where participants reported taking months to identify breaches in their environment.
More Organizations Lost IP and Enterprise Data compared to PII
The study showed another interesting trend: PII was not at the top of the list of data compromised during attacks. Participants reported that other data crucial to organizations, including Intellectual Property, was compromised in more organizations than those that lost PII. This is consistent with the findings around types of organizations being targeted by attackers, where we are seeing more companies besides just regulated verticals that are typically heavy on PII.
Structured Data Risk Outweighed Unstructured for 2022 and 2023
The study showed that participants observed structured data in databases to be most at risk, followed by structured data in analytics platforms, followed by unstructured data created by applications and finally unstructured data created by users.
2023 Cybersecurity Budgets Are Increasing
A large majority (92%) of study participants reported increasing their cybersecurity budgets for 2023. This is great news for technology providers, especially those focused on areas where enterprises expect to focus their 2023 investments.
The final question we asked survey participants was how they plan to spend the portion of their 2023 cybersecurity budget allocated to data protection. Note that data protection was the top ranked item in their 2023 expected challenges. See the table below for results. Traditional tokenization appears to come in last behind Modern Tokenization (which supports search and analytics), Data Masking, and Encryption-in-Use.
Make your data immune to cyberattacks with Portal26’s Data Security Platform
One Platform for Enterprise-Wide Data Security, Privacy, Ownership and Stewardship
Portal26 is the industry’s most advanced enterprise scale data security platform that combines high performance encryption-in-use with traditional privacy preserving techniques to ensure that enterprise data remains secure in the most challenging of scenarios.
Deployed in a variety of form factors (Vault, API, Proxy, or Plugin) that can be combined to support hundreds of use cases spanning applications, data platforms and across clouds, Portal26 delivers NIST FIPS 140-2 validated encryption-in-use at all times and without loss of search and analytics functionality.
In addition to encryption-in-use, which ensures that large amounts of valuable data cannot be stolen in unencrypted form, Portal26 also provides all nine privacy-preserving formats in one solution, thus eliminating the need for separate solutions for tokenization, masking, anonymization, and traditional encryption.
In addition to securing existing applications, file shares, and data platforms, Portal26 also offers rich developer APIs that enable the creation of new, natively secure applications. Enterprises rely on Portal26 for day-to-day privacy and compliance as well as strong data security during ransomware attacks, extortion, data supply chain attacks and insider compromise.