Businesses collect more data than they can handle

Size: px

Start display at page:

Download "Businesses collect more data than they can handle"

Priscilla Small
5 years ago
Views:

1 Businesses collect more data than they can handle 2018

2 2

Businesses collect more data than they than they can handle On 25 May, the European Union's General Data Protection Regulation (GDPR) became enforceable.

3 Businesses collect more data than they than they can handle On 25 May, the European Union's General Data Protection Regulation (GDPR) became enforceable. This long-awaited deadline ushered in a new age where confidence of data protection measures is more critical than ever. Organizations could incur reputational damage and a hefty fine, for example, if their lack of confidence coincides with GDPR noncompliance. With GDPR on most organizations' minds, now is the perfect time to look at just how confident organizations are in their data protection policies. Gemalto s fifth annual Data Security Confidence takes a look at the views from more than one thousand IT decision makers worldwide and 10,500 consumers worldwide to explore whether organizations are confident in their ability to handle the large amounts of data they collect on a daily basis. The study reveals that two in three companies (65%) are unable to analyze all the data they collect and only half (54%) of companies know where all of their sensitive data is stored. Compounding this uncertainty, more than two thirds of organizations (68%) admit they don t carry out all the procedures in line with data protection laws such as GDPR. The research found that business ability to analyze the data they collect varies worldwide with India (55%) and Australia (47%) best at using the data they collect. In fact, despite nine in 10 (89%) global organizations agreeing that analyzing data effectively gives them a competitive edge, only one in five Benelux (20%) and British (19%) companies are able to do so. If businesses can t analyze all of the data they collect, they can t understand the value of it and that means they won t know how to apply the appropriate security controls to that data. Whether it s selling it on the dark web, manipulating it for financial gain or to damage reputations, unsecured data is a goldmine for hackers. You only need to look at the recent hacks on the World Anti-Doping Agency and International Luge Federation to see the damage that can be done. What s more, data manipulation can take years to discover, and with data informing everything from business strategy to sales and product development, its value and integrity cannot be underestimated. Confidence in securing the breach is low When it comes to how data is being secured, the study found that almost half (48%) of IT professionals say perimeter security is very effective at keeping unauthorized users out of their networks. This is despite the majority of IT professionals (68%) believing unauthorized users can access their corporate networks, with Australian companies being the most likely (84%) and the UK the least (46%). However, once the hackers are inside, less than half of companies (43%) are extremely confident their data would be secure. UK businesses are the most concerned with just 24% prepared to say they re extremely confident, with Australia the highest (65%). If businesses can t analyze all of the data they collect, they can t understand the value of it and that means they won t know how to apply the appropriate security controls to that data. Even though there is still faith in how they re securing their networks, more than one quarter (27%) of companies reported that their perimeter security had been breached in the past 12 months. Of those that had suffered a breach at some point, only 10% of that compromised data was protected by encryption, leaving the rest exposed. Consumers say compliance is critical According to the study, a growing awareness of data breaches and communications around GDPR have led to the majority (90%) of consumers believing that it is important for organizations to comply with data regulations. In fact, over half (54%) are now aware what encryption is, showing an understanding of how their data should be protected. 3

4 Key findings From IT decision makers 82% 65 % can t analyze or categorize all the consumer data they store 55 % 54 only % 96 % of companies know where all of their sensitive data is stored deem some of their data to be worthy of access restriction 55% believe they adhere to GDPR, with 82% finding it difficult to remain compliant with data regulations 68 % believe their companies are failing to carry out all procedures in line with data protection laws 25 % 35 % 27 % think everyone who should have access to data, have access to it can analyze the data it collects very effectively say their company s perimeter security has been breached in the past 12 months 89 % agree the ability to analyze data would provide a competitive advantage believe they could be more prepared to make better use of the growing data 91 % 68 % believe unauthorized users can access their networks 4

5 would trust their own organization to store/manage their personal data if they were a customer. say their organization s own sensitive data is secure 93 % 57 % 43 % are extremely confident their organization s data would still be secure if hackers penetrated the network perimeter From consumers 52 % 41 % trust organizations to store/manage their personal data believe that financial institutes keep all of their sensitive data secure 65 % 90 % believe it is important for companies to comply with security regulations believe organizations are impacted by the GDPR 5

6 Data regulation and compliance Sensitive information policies Adhering to data regulations Three in five (60%) respondents say that their organization has policies and procedures in place for how sensitive information should be protected in line with government legislation This is least likely in Japan (42%) and Belgium and Netherlands region (BeNe) (46%), but most likely in the Middle East (70%), India (70%) and the US (70%) There is still a large proportion of organizations who do not have these policies and procedures in place, despite government legislation becoming stricter all the time. Fig 1 Analysis of ITDM respondents whose organization currently has policies and procedures in place for how sensitive information should be protected in line with government legislation Total Middle East India US UK Brazil Germany France Australia South Africa 48% 48% 51% 60% 59% 70% 70% 70% 68% 68% Over half (55%) of those surveyed report that their organization adheres to the GDPR Over nine in ten (92%) comply with at least one regulation, but it s less than half who adhere to ISO 27001/2 (49%) and/or ICO Audit (34%) It s only the minority who comply with these regulations (with the exception of the GDPR), which could suggest that it is difficult to adhere to these regulations Fig 2 What data regulations does your organization adhere to? GDPR ISO27001/2 ICO Audit PCI DSS DPA HITECH/HIPAA 26% SAS 70 FISMA SSAE 16 FCA/FSMA 21% 4% 4% None 24% 23% 22% 29% 29% I don't know 34% 49% 55% Benelux 8% Japan 46% 42% Asked to all ITDM respondents (1,050 respondents) Asked to all ITDM respondents, split by respondent country (1,050 respondents) 6

7 Difficulty remaining compliant Around four in five (82%) surveyed ITDMs state that their organization finds it difficult to remain compliant with the data regulations that it must abide by. Fig 4 How important do you think the following is when it comes to organizations securing your data? Compliance with security regulations (such as the Data Protection Act, GDPR etc) Fig 3 Does your organization find it difficult to remain compliant with the different data regulations it must adhere to? 8% 2% 7% 14% 18% 12% 41% 28% 31% 38% It is not important It has some importance It is quite important It is very important It is critically important Not applicable Yes, very difficult Yes, a little difficult Yes, quite difficult No, it is not difficult Asked to all consumer respondents (10,500 respondents) Asked to ITDM respondents from organizations that adhere to data regulations (965 respondents) Nine in ten (90%) consumer respondents state that it is important for organizations to comply with security regulations when it comes to securing their data Even though it is difficult to do, organizations need to ensure that they meet regulations in order to give confidence to their customers 7

8 The impact of GDPR Four in five (80%) ITDM respondents believe that their organization will be impacted as a result of the GDPR being introduced in May this year. Only around two thirds (65%) of consumer respondents however believe that organizations will be impacted. Fig 5 How impacted do you believe that your organization will be as a result of GDPR being introduced this year? ITDMs Fig 6 This could suggest that consumers are yet to realize the full impact that this will have on organizations How impacted do you believe organizations will be as a result of the General Data Protection Regulation (GDPR) being introduced this year? 4% 1% 15% Consumers 35% 18% 3% 30% 45% 15% Significantly impacted Not particularly impacted I don't know Impacted a little Not impacted at all 35% Asked to all ITDM respondents (1,050 respondents) Significantly impacted Not particularly impacted I don't know Impacted a little Not impacted at all Asked to all consumer respondents (10,500 respondents) 8

9 Becoming GDPR compliant Nine in ten (90%) of those surveyed report that their organization has/will turn to another organization in order to be GDPR compliant, with consultancy firms (53%) and/or business partners (43%) being the most likely. Around four in five (79%) respondents state that their organization has or will face challenges in addressing the GDPR, with the deadline (37%) and not being a senior executive priority (29%) being the most common Fig 7 Which of the following will/has your organization turn/turned to in order to be compliant with GDPR? Consultancy firms Business partners Legal counsel / lawyer Independent consultants Government agencies Training centers 2% 8% 31% 31% 34% 43% 42% 53% None, we think we can achieve this ourselves None, we do not need to be compliant Asked to all ITDM respondents (1,050 respondents) Fig 8 Thinking about your organization's entire journey to addressing the GDPR, which of the following challenges has it faced? The deadline doesn't give us enough time It hasn't been a priority for senior executives It's unclear what needs to be done Lack of funds to make changes We do not have the right knowledge 1% 16% Don't know 19% 25% 24% 29% 28% 37% There isn't the right external support available We have not faced / are not facing any challenges Asked to all ITDM respondents (1,050 respondents) With the impact of GDPR likely to be high, it appears that organizations are eager for help (fig. 8) to get past these challenges 9

10 Meeting the GDPR Deadline Respondents organizations in the UK (84%) and BeNe (84%) are the least likely to be confident of compliance among those in the European markets Fig 9 Analysis of whether ITDM respondents are confident that their organization will be compliant with the GDPR by 25th May Overall, 89% of respondents believe that their organization will be GDPR compliant by the May 25th deadline Those in BeNe were some of the least likely to have policies 11% Total 2% Brazil 5% India 6% Australia 8% France 8% Middle East 13% Germany 14% US 15% Japan 16% UK 16% BeNe South Africa 28% 72% 89% 98% 95% 94% 92% 92% 87% 86% 85% 84% 84% in place around how sensitive information should be protected in line with government legislation (fig. 1), which could suggest that they are not prioritizing in this area. Organizations are expecting the GDPR to impact them (fig. 5), with consumers reporting that it is important to meet regulations (fig. 4), so the GDPR should be a high priority for organizations or they could find themselves receiving huge fines and financial punishment Will be compliant Will not be compliant Asked to all ITDM respondents, split by respondent country (1,050 respondents) 10

11 Data collection, analysis and use Organizations collecting data The majority of ITDM respondents report that their organization currently collects data via website (61%), (58%) and in store/in person (56%), while a quarter or more say that they will do in the future (27%, 29% and 25% respectively) However a smaller proportion (45%, 40% and 37% respectively) of surveyed consumers expect that their data is collected via these sources currently (fig. 11), which suggests that organizations are collecting data from a greater range of sources than consumers realize. Consumers are less aware of the impact that GDPR will have, but perhaps they would consider it more impactful if they knew how much data was being collected Fig 10 ITDMs From which of the below sources does your organization currently collect data or expect to in the future? Online - via website Online - via In store / in person Telephone Mail Online - via apps Online - via social media 27% 25% 29% 29% 28% 32% Online - via connected devices (IoT) 43% 36% 42% 40% 37% 49% 48% 56% 61% 58% Fig 11 Consumers When considering organizations that you interact with, which of the below sources do you expect them to currently collect your data from, or expect them to in the future? Online - via website Online - via In store / in person Telephone Mail Online - via apps 24% 24% 24% Online - via social media 32% 29% 24% 24% 22% 28% 31% 27% Online - via connected devices (IoT) 37% 40% 45% 42% 45% We currently collect data from this source We expect to collect data from this source in the future We currently collect data from this source We expect to collect data from this source in the future Asked to all ITDM respondents, split by respondent country (1,050 respondents) Asked to all consumer respondents (10,500 respondents) 11

Analyzing data effectively Only around a third (35%) of those surveyed believe that their organization can highly effectively analyze the data that it collects There is room for improvement for the

12 Analyzing data effectively Only around a third (35%) of those surveyed believe that their organization can highly effectively analyze the data that it collects There is room for improvement for the majority of organizations when it comes to analyzing data if they can t analyze it effectively, then they may as well not collect it at all Could organizations improve the way that they use data? This is far higher in India (55%) and Australia (47%), but only one in five or fewer say that this is the case in BeNe (20%) and the UK (19%) Fig 12 Analysis showing ITDM respondents who think that their organization can highly effectively analyze the data which it collects Total 35% India 55% Australia Middle East US 44% 42% 47% Brazil South Africa Germany France Japan 36% 32% 29% 28% 25% BeNe UK 8% 20% 19% Asked to all ITDM respondents, split by respondent country (1,050 respondents) 12

13 13

14 Making the most out of data Just over nine in ten (91%) respondents agree that their organization could be more prepared in order to make better use of the growing amounts of data that is becoming available (fig. 13) A similar proportion (89%) agree that the ability to effectively collect, analyze and use data would give them a competitive advantage in their industry (fig 14.) Fig 13 Analysis showing ITDM respondents who agree that their organization could be more prepared in order to make better use of the growing amounts of data that is becoming available Fig 14 Analysis showing ITDM respondents who agree that the ability to effectively collect, analyze and use data would give them a competitive advantage in their industry 89 % agree 91 % agree their organization could be more prepared in order to make better use of the growing amounts of data that is becoming available the ability to effectively collect, agree analyze and use data would give them a competitive advantage in their industry It s important for organizations to be able to analyze data effectively, but many seem to be struggling, which could be due to using the wrong data collection and analysis tools 14

15 Breaches and Encryption Perimeter security systems Almost half (48%) of respondents say that perimeter security is very effective at keeping unauthorized users out of their organization s network, which is an increase from 2017 (42%) and 2016 (37%) state that they are extremely confident that their organization s data would still be secure if unauthorized users penetrated their organization s network perimeter, compared to 2017 (35%) and 2016 (31%) In addition a higher proportion (43%) of respondents Fig 15 Analysis of respondents who say that perimeter security is very effective at keeping unauthorized users out of their organization s network Fig 16 Analysis of respondents who are extremely confident that their organization s data would still be secure if unauthorized users penetrated their organization s network perimeter 48 % 42 % 37 % 43 % 35 % 31 % 2018 Total 2017 Total 2016 Total 2018 Total 2017 Total 2016 Total Asked to all ITDM respondents, showing historical data (1,050 respondents) Asked to all ITDM respondents, showing historical data (1,050 respondents) 15

16 Breaching perimeter security Around a quarter (27%) of respondents organizations have had their perimeter security breached in the past 12 months, while similar proportions report that this has happened months ago (22%), months ago (25%) and more than 24 months ago (27%) Fig 17 Analysis of respondents who say that their organization s perimeter security has been breached Just over three quarters (76%) of respondents cite that their organization did report their most recent breach to the local authorities Fig 18 Analysis of respondents who reported that their organization s most recent breach to the relevant local authorities Total 76% 27 % 22 % 25% 27 % South Africa Middle East Japan 83% 82% 88% In the past 12 months more than 12 months but less than 18 months ago more than 18 months but less than twenty-four months ago more than twenty-four months ago India Brazil 82% 80% Asked to all ITDM respondents (1,050 respondents) US BeNe Australia France Germany 8% UK 78% 74% 74% 68% 68% 64% Asked to all ITDM respondents, split by respondent country (1,050 respondents) This is highest (88%) in South Africa, but lower in France (68%), Germany (68%) and the UK (64%), which is extremely concerning for these European countries considering the imminent nature of the GDPR 16

17 Use of encryption Seven in ten (70%) respondents report that their organization encrypts payment data, while only slightly fewer say the same when it comes to customer/user information (67%) and/or employee records (60%). Only 22% state that they encrypt data on mobile devices, which is alarming when considering the amount of data now available on mobile devices Fig 19 Does your organization encrypt any of the following types of data? Payment data 70% When asked about the most recent breach that their organization suffered, only around a third (33%) of respondents report that 5% or more of their data was protected by encryption, with the average amount protected being 9.81% Fig 20 Thinking about your organization s most recent breach, what percentage of the breached data was protected by encryption? 9% 4% 3% 4% Customer / user information 67% 18% Employee records Financial business information 60% 59% 27% data 54% Intellectual property 46% 24% Metadata 31% 12% Data held on mobile devices 22% 0% No data is encrypted Asked to all ITDM respondents (1,050 respondents) 0% 2% 4% More than 10% 1% 3% 5-10% Don't know Asked to ITDM respondents from organizations that have had their perimeter security systems breached (517 respondents) This lack of encryption could easily have resulted in organizations losing valuable and sensitive data 17

18 Consumer knowledge of encryption Approaching nine in ten (86%) consumer respondents state that they have at least a limited understanding of encryption, but only 16% say that they have complete understanding Just over half (54%) of those who claim to have some understanding picked the correct definition of encryption, while 17% believe that it is the use of human features and 16% believe that it is a password rotation system (fig. 22) Fig 21 What level of understanding do you have regarding encryption? Fig 22 Which of the following best describes encryption in your opinion? 14% 16% The process of converting data into code so that it cannot be accessed/ viewed by unauthorized parties 17% The use of physical human features to access data (eg facial recognition or fingerprints) 16% A password rotation system 54% 29% 42% 13% A code or pin number that has to be given at the time of a financial transaction being completed using the internet Complete level of understanding, I know exactly what it is and does Limited understanding Some understanding, I could know more No understanding at all Asked to consumer respondents that have at least a limited understanding of encryption (9,077 respondents' Asked to consumer respondents that have at least a limited understanding of encryption (9,077 respondents' While consumers feel that they have some knowledge about encryption, it s clear that there is still plenty of room for education in this particular area It is only 47% of all consumers who believe that they know what encryption is and who give the right definition when asked. 18

The importance of encryption to consumers Nine in ten (90%) consumer respondents say that encryption has at least some importance to organizations securing their data Almost a third (32%) even go as

19 The importance of encryption to consumers Nine in ten (90%) consumer respondents say that encryption has at least some importance to organizations securing their data Almost a third (32%) even go as far as to say that using encryption is critically important Fig 23 How important do you think each of the following are when it comes to organizations securing your data? Encryption Not all organizations are encrypting their sensitive data types, but they should be for their security needs, as well as to meet consumer desires 8% 2% 10% 18% 32% 30% It is not very important It is quite important It is critically important It has some importance It is very important I don't know / not applicable Asked to all consumer respondents (10,500 respondents) 19

20 Strength and confidence of security Accessing data in organizations Almost all (97%) respondents know some of the people/types of people/departments in their organization that has access to the data that their organization collects, but only 37% know everyone Of those who know at least some of the people/ departments in their organization who has access to its data, it s only a quarter (25%) who think that everyone who should have access to data, does have access to it (fig. 27) Fig 26 Do you know which people/types of people/ departments in your organization has access to the data that your organization collects? Fig 27 Do you believe that everyone/every department who should have access to the data that your organization collects, does have access to that data? 9% 3% 2% 1% 25% 25% 37% 51% 48% Yes, I know everyone Yes, I know most people No, I only know some people No, I don't know everyone Asked to all ITDM respondents (1,050 respondents) Yes, everyone does No, only some people do Don't know Yes, most people do No, those who should have access do not Asked to ITDM respondents who know at least some of the people/ departments in their organization that has access to the data that their organization collects (1,016 respondents) This suggests that organizations could face obstacles in sharing data with the right people/ departments, which could potentially be resolved with the help of a trusted third party 20

21 Ensuring data is secure On average, respondents feel that the IT department (34%) and senior management (30%) should take the biggest proportion of responsibility when it comes to securing data Organizations are taking most of the responsibility for securing data yet are leaving it open to unauthorized users the impacts of suffering a hack or losing data could be severe, so organizations need to ensure that their network is secure Only a minority (13%) of responsibility falls to customers, on average, but they still need to take some action and this could leave a security hole if they are unaware of this responsibility The majority (68%) of respondents admit that unauthorized users are able to access their organization s network, while over a quarter (26%) believe that they can access the entire network Fig 28 Analysis of the average percentage that respondents think each of the below should take when it comes to ensuring data is secure Fig 29 Do you think unauthorized users are able to access your network? 12.77% 32% 26% 33.81% 23.51% 17% 25% It department 29.9% Senior management Yes the entire network Yes, but not a significant proportion of the network Yes, a significant proportion of the network No General employees Customers Asked to all ITDM respondents (1,050 respondents) Asked to all ITDM respondents (1,050 respondents) 21

Trusting personal data to be stored/managed Almost all (93%) ITDM respondents would trust their own organization to store/manage their personal data if they were a customer There is a lot less trust

22 Trusting personal data to be stored/managed Almost all (93%) ITDM respondents would trust their own organization to store/manage their personal data if they were a customer There is a lot less trust among consumers than ITDMs, despite ITDMs acknowledging that unauthorized users can access their organization s data (fig. 29) Consumers lack of faith ties in with the thought that organizations are not using the right methods and technologies to protect their data (figs. 24 and 25) Fig 30 Analysis of whether ITDM respondents would trust their own organization to store/manage their personal data if they were a customer, and whether consumer respondents trust organizations to store/manage their personal data in general Consumers lack of faith ties in with the thought that organizations are not using the right methods and technologies to protect their data 93 % 7 % 52 % 48 % ITDMs Consumers Yes No Asked to all ITDM respondents (1,050 respondents) and all consumer respondents (10,500 respondents) 22

23 Securing sensitive data ITDMs Only four in ten (40%) carry out all procedures in line with government legislation and it s just 32% who state that they carry out all procedures in line with data protection laws Fewer than three in five (57%) respondents report that all of their organization s sensitive data is secure. In addition, only just over half (54%) know where all their organization s sensitive data is stored Despite stating that most of the responsibility falls on the organization to protect sensitive data (fig. 28), it appears that this isn t always being done, which would be extremely alarming for consumers and anyone associated with these organizations Fig 33 Which of the following statements is true about your organization? All of our sensitive data is secure 57% 54% Companies agree they are responsible for protecting sensitive data but fail to do so I know where all of our sensitive data is stored 40% We carry out all procedures in line with government legislation 32% We carry out all procedures in line with data protection laws 2% None of the above statements are true of my organization Asked to all ITDM respondents (1,050 respondents) 23

24 Securing sensitive data - consumers Only around four in ten (41%) consumer respondents feel that financial institutes keep all of their sensitive data secure, while even fewer say the same when it comes to healthcare organizations (25%) and the government (24%) Over a quarter (28%) feel that their data might not be secure within social media and entertainment organizations Consumers have ideal methods of data security (fig. 24), but do not feel that organizations are always using these methods (fig. 25) and that seems to be impacting their confidence in organizations securing their data Fig 34 Which of the below statements do you expect to be true when thinking about the following types of organizations? Asked to all consumer respondents (10,500 respondent) 41 % 17 % 13 % 24 % 25 % 13 % 27 % 25 % 18 % 24 % 24 % 18 % All of my sensitive data is secure They know where all of my sensitive data is stored 33 % 29 % 21 % 30 % 29 % 23 % 27 % 22 % 17 % 26 % 24 % 18 % Carry out all procedures in line with government legislation Carry out all procedures in line with data protection laws (eg Data Protection Act, GDPR etc) 28 % 26 % 20 % 19 % 20 % % 18 % % 13 % 12 % 13 % 6 % None of these - my data might not be secure I don't know / not applicable 24

25 Conclusion The cost of poor data security For many years analysts and security professionals have tried to estimate what a data breach can cost a company. From the expense of having to upgrade IT infrastructure and security to paying legal fees and government fines there are a lot of costs that are both tangible and intangible. In addition, there are the impacts to a company s stock price and the erosion of customer trust. For management teams it can also have a very real impact professionally. For example, the chairman and CEO of Target resigned months after the data breach, and the CEO resigned of Equifax resigned within weeks of its data breach. Many studies have been done to calculate the cost of a data breach, including the annual Ponemon Institute s Cost of a Data Breach report which calculates the cost down to the data record. According to the latest Ponemon annual report, the average cost of a data breach is currently $3.62 million globally, which comes to $141 a record. But do these reports actually gauge what a data breach will cost a company? At the end of the day, equating data breach damages to a per record cost makes data breaches just an actuarial exercise of acceptable risk. This type of thinking must change because we are at a tipping point on the implications of data breaches. The costs have become more real to companies and the boards who run them. CEOs and other members of the management team are now losing their jobs because data breaches now have more potential to be more lifethreatening, if not killers, for companies. Take for example the TalkTalk data breach, which caused the company to lose more than 100,000 customers, and the fact that Yahoo! had to lower its purchase price by $350 million in its acquisition by Verizon. The last and most important factor is that governments are now taking notice and doing something about it. GDPR is a prime example of this, and countries around the world are looking at it as the model for their own regulations. If costs and risks of data breaches are increasing (and they are), companies need a radical shift in their approach to data security if they are going to more successful in defending sensitive data they collect and store. With organizations extending their business to being cloudand mobile-first, their attack surface and likelihood of accidental data exposure continues to grow. These trends all point to a consistent theme security needs to be attached to the data itself and the users accessing the data. It s time companies got their houses in order; starting with who oversees their data security. A central figure such as a Data Protection Officer essential in some circumstances under GDPR must be appointed to the board to lead data security from the top down. Next, is having more sight and analysis on the data collected to ensure that it is both correctly protected and enabling more informed business decision making. Finally, a mindset change. Organizations must realize that it s no longer a case of if, but when a breach occurs, and protect its most valuable asset data through encryption, twofactor authentication and key management, rather than solely focusing on the perimeter. 25

26 IT Decision makers (ITDM) demographics 1,050 IT decision makers, from organizations with perimeter security systems, were interviewed split in the categories below Country 50 Benelux 200 US UK France Germany 100 Japan 50 Middle East 100 India 100 Brazil 50 South Africa 100 Australia Asked to all ITDM respondents (1,050 respondents) Organizational size Organization sector 18.19% IT / computer services % Manufacturing Financial services Retail Healthcare % 24.29% Telecoms Construction and real estate Government Insurance and legal employees employees employees More than 5000 Utilities 44 Other sectors 8% 118 Asked to all ITDM respondents (1,050 respondents) Asked to all ITDM respondents (1,050 respondents) 26

27 Consumer demographics 10,500 adult consumers were interviewed. All of those surveyed actively use online/mobile banking, social media accounts and/or online retail accounts, split in the categories below Country 500 Benelux 2000 US UK France Germany 1000 Japan 500 Middle East 1000 India 1000 Brazil 500 South Africa 1000 Australia Asked to all consumer respondents (10,500 respondents) Gender Age 0.15% years old years old years old % 49.96% years old years old years old and above Prefer not to say Asked to all ITDM respondents (1,050 respondents) Female Male Prefer not to say Asked to all consumer respondents (10,500 respondents) 27

28 Gemalto offers one of the most complete portfolios of enterprise security solutions in the world, enabling its customers to enjoy industry-leading protection of digital identities, transactions, payments, and data from the edge to the core. Gemalto s portfolio of SafeNet Identity and Data Protection solutions enable enterprises across many verticals, including major financial institutions and governments, to take a data-centric approach to security by utilizing innovative encryption methods, best-in-class crypto management techniques, and strong authentication and identity management solutions to protect what matters, where it matters. Through these solutions, Gemalto helps organizations achieve compliance with stringent data privacy regulations and ensure that sensitive corporate assets, customer information, and digital transactions are safe from exposure and manipulation in order to protect customer trust in an increasingly digital world. Contact Us: For more Gemalto research, visit safenet.gemalto.com/data-security-trends Follow Us: blog.gemalto.com/security Gemalto All rights reserved. Gemalto, the Gemalto logo, are trademarks and service marks of Gemalto and are registered in certain countries. (EN)- 27Jun Design: DB