Global Edition

2022 Thales
Data Threat Report
Navigating Data Security in an Era
of Hybrid Work, Ransomware and
Accelerated Cloud Transformation

#2022DataThreatReport

cpl.thalesgroup.com
2022 Thales Data Threat Report: Global Edition

Introduction
As the pandemic continues to affect both business and personal
lives, expectations of a ‘return’ to pre-pandemic conditions have
faded from most plans. Underlying trends that have always
driven information security, such as new technologies, greater
compliance mandates and more severe security incidents,
continue to be significant change agents. The 2022 Thales Data
Threat Report, based on data from a survey of almost 2,800
respondents from 17 countries across the globe, illustrates these
trends and changes. This report examines the implications of the
survey responses and explores their meaning to security strategies
and how organizations should plan for the year ahead.

Source: 2022 Data Threat custom survey from 451 Research, part of S&P Global Market
Intelligence, commissioned by Thales

56%
of global respondents ranked malware as the leading
source of security attacks.

21%
of all respondents said they had experienced
a ransomware attack.

2
 cpl.thalesgroup.com
#2022DataThreatReport

Contents

COVID-19 (Continues) to Change Everything 4

Key Findings 6

Small Improvements, Increasing Risks and Changing

Security Mindsets 7

Security Threats 8

Ransomware Alters Breach Economics 10

Breaches and Their Impact 11

Quantum Computing 13

Continued Era of Remote Working 14

Cloud Momentum Continues 15

Most Firms Are Using a Multicloud Strategy 16

Zero Trust Goes Mainstream 17

Security Spending Misalignments 18

Data Protection Management Strategies 19

Cloud Data Protection 20

Moving Ahead 21

About This Study 22

3
2022 Thales Data Threat Report: Global Edition

COVID-19 (Continues)
to Change Everything
The COVID-19 pandemic, with its waves of infection from New technologies and increased cloud consumption
variants, is shifting mindsets from taking urgent action to continued to grow at the same rapid rates as last year. In
handling a chronic condition. The impacts continue to cause the 2021 report, 16% of respondents used more than 50
lasting changes within enterprises with ripple effects throughout software-as-a-service (SaaS) apps. In the 2022 report, 34%
the security community. The durable shift to remote work of respondents said they used more than 50 SaaS apps and
continues to alter mindsets – enterprises are realizing that more than 16% said they used more than 100 SaaS apps.
what seemed to be a singular event may extend indefinitely. Some progress has been made despite market disruptions.
Despite another full year of remote work and newer Last year, only 17% of respondents said that more than 50%
technology adoption, 79% of respondents indicated they are of their sensitive cloud data was protected with encryption.
still ‘somewhat’ or ‘very concerned’ about the security risks and This year, 22% said that more than 60% of their sensitive cloud
threats that a greatly increased remote workforce poses. 40% data is encrypted. The financial services sector is also a bright
said they are not confident that their current security systems spot for cloud data protection and encryption; 19% of financial
could effectively secure remote work. enterprise respondents said that more than 80% of their
sensitive cloud data is encrypted. However, there remains work
to be done in data identification, classification and protection
in the context of the shifting threat and risk landscape.

Respondents agreed that it

79%
is more complex to manage
privacy and data protection
regulations in a cloud
environment than in on-
premises networks within of businesses remain concerned about the security risks of an
their organization.” increasingly remote workforce.

22%
of respondents disclosed that more than 60% of their sensitive
data has been encrypted.

4
 cpl.thalesgroup.com
#2022DataThreatReport

The high percentage

of recent breaches
could be an indication
that organizations face
challenges meeting
improved attacker
techniques.”

5
2022 Thales Data Threat Report: Global Edition

01 Key Findings
• R
 ansomware has changed breach economics;
enterprises must refine their responses.
• Post-quantum security should further accelerate data
security hygiene.
• P andemic pressures are impacting security approaches
and spending.
• Remote work is a risk that needs to be managed more
effectively.
• There is significant momentum in cloud migration, but
many necessary controls are lagging.
• Encryption use to protect sensitive data in cloud is low –
a significant risk.
• Global awareness of changing risks is high, but this
hasn’t catalyzed organizations to address them.
• Zero trust architectures need to show more improvement
in security outcomes.
• Breaches and their impacts weigh on security planning.
• Misalignment in understanding security impacts
between management and practitioners could affect
planning and budgeting.

There is a correlation
between investment in
compliance and breach
outcomes. It seems efforts to
improve compliance lead to
better security outcomes.”

6
 cpl.thalesgroup.com
#2022DataThreatReport

Small Improvements, Increasing Risks and

Changing Security Mindsets
Despite the general security concerns regarding remote Encouragingly, our research does reflect changing and
work, survey results show slight improvements in the improving data security mindsets. Last year, we reported
security posture of organizations. Implementation of disparities in the perception of attack frequency and severity
security technologies such as encryption and multi-factor among individual contributors, mid-level managers and
authentication (MFA) have slightly increased but have senior leaders. This year, the perceptions were much more
not yet reached saturation levels such that the majority of unified. For example, 43% of senior leaders, 46% of mid-
applications and data are fully protected. Last year, we level managers and 45% of individual practitioners reported
reported that 83% of respondents had less than 50% of their an increase in attacks from the prior year. Furthermore,
sensitive cloud data encrypted. This year, there was a slight enterprises’ confidence in their security capabilities
improvement to 78% of respondents having less than 60% remained relatively high. 79% of all respondents said they
of their sensitive data encrypted. Other controls like MFA would entrust their personal data to their organization. This
adoption remained flat. confidence remained high among senior leaders (72%) and
individual practitioners (71%). Despite talent and personnel
Heading into 2022, there have been no shortage of shortages in regions such as North America, optimism was
vulnerabilities and threats severely affecting enterprises. consistently high. The ‘can do’ attitude was a refreshing vote
‘Hafnium,’ Conti RaaS and Log4J highlight the increased risk of confidence considering the increasing volume of attacks
landscape as workers remain distributed and their workloads faced by practitioners.
further dispersed to multiple clouds and SaaS solutions.
The attack surface, asset management and supply chain The report explores the results in more detail and looks at
challenges can only increase this year. the impacts on organizations as they navigate the complex
security environment that they find themselves in today.

43%
of senior leaders reported an increase in attacks from the
28%
of senior leaders said they would not entrust their personal data
prior year. to their organization.

7
2022 Thales Data Threat Report: Global Edition

Security Threats
Breaches are a trailing indicator of security effectiveness. The We asked respondents reporting an increase in cyberattacks
research also examined forward-looking metrics, including to identify the type of attack in which they’d seen the greatest
perceptions about security threats. We asked the panel to increase in activity, and 56% of global respondents ranked
identify levels of attack activity and understanding about attack malware as the leading source of security attacks. Ransomware
risks. Almost half (45%) of respondents reported seeing an ranked second (53%) and phishing/whaling rounded out the
increase in the volume, severity and/or scope of cyberattacks top three (40%). Last year, respondents chose malware at 54%,
in the past 12 months. These perceptions were consistent across ransomware at 48% and phishing/whaling at 40%.
all geographies.
Looking forward, we asked the panel to rank their expectations
To gauge overall risk levels, enterprises need to better for the greatest risks to their environments from a set of choices.
understand the locations and classes of data. In 2022, only This year, 29% of respondents ranked ‘accidental human error’
56% of respondents were very confident or had complete as the top threat, with 78% of respondents ranking accidental
knowledge of where their data was being stored, down from or human error in their top four threats. 19% of respondents
64% in 2021. cited attackers with geopolitical goals (i.e., ‘nation-state
actors’) as the top threat, followed by 17% who cited external
Only 25% of all respondents said they could classify all their attackers with financial motivations. Curiously, only 9% of
data and 53% said they could classify at least half of their data respondents chose malicious insiders with financial motivations
in 2022, compared to 2021, when 31% of respondents claimed as the top threat, with 62% of all respondents ranking this
to be able to classify all data and 54% said they can classify threat in their top four. Last year, 35% of respondents identified
at least 50% of the data. As other parts of this report show, the malicious insiders as the top threat.
dynamic nature and growth of the cloud only adds a challenge
for organizations to understand their data’s risks and sensitivities.

Prioritization and Perceptions of Greatest Threats

WHICH T YPES OF THREATS DO YOU SEE AS THE GREATEST?

Rank 1 Rank 2 Rank 3 Rank 4

2021 2022
12% 21% 26% 41% 28% 21% 26% 25%
Nation States Nation States

35% 29% 22% 14 % 14 % 31% 25% 30%

Malicious Insiders Malicious Insiders

31% 28% 19% 22% 38% 16% 21% 25%

Human Error Human Error

Source: 451 Research’s 2021 and 2022 Data Threat custom surveys

8
 cpl.thalesgroup.com
#2022DataThreatReport

At the time last year’s study was published, the attribution of

the SolarWinds breach to state-sponsored attackers was not
completely known. Curiously, respondents have not given more
importance to these serious attacks, even with the greater impact
of nation-state actors pursuing intellectual property and the
collateral damage to those who were not the primary target.

One interesting aspect of this year’s data is the similarity in

perceptions of attack rates by organizational role. In last year’s
study, 56% of practitioners reported an increase in attacks, but
only 46% of managers and 40% of senior managers reported
an increase. In this year’s study, practitioners, managers and
senior managers were much more closely aligned, with 46%,
46% and 43%, respectively, reporting an increase in attacks.

The investigation also asked respondents to identify what they

felt were the biggest targets for cyberattacks. Last year, perhaps
in response to the SolarWinds breach and the general topic
of software supply chain security, 38% of respondents ranked
third-party networks as the high-priority target. Curiously, this
year, only 25% of respondents prioritized third-party networks.
This year, cloud storage (33%), cloud databases (32%) and
cloud-delivered hosted applications (28%) round out the
priorities. The continued high ranking of cloud as a target
illuminates the inconsistency between identifying the threat
and mitigating it with solutions such as encryption and MFA.
Intriguingly, respondents indicated they believe on-premises
environments to be significantly less of a target: internal
networks (23%), on-premises networks (23%) and on-premises
databases (27%).

There is a lack of maturity in

cloud data security with limited
use of encryption, perceived
or experienced multicloud
complexity and rapid growth of
enterprise data.”

9
2022 Thales Data Threat Report: Global Edition

Ransomware Alters Breach Economics

Ransomware’s severity, frequency and impact altered breach An alternative explanation is that the ransomware threat
economics. Unlike other ‘low and slow’ data breaches that landscape changes quickly, which may make planning difficult
occur over days and months, ransomware immediately takes to measure. In 2021, the industry saw the rise and demise of the
data captive and by definition demands action. About one Avaddon ransomware-as-a-service provider.
fifth (21%) of all respondents said they had experienced a
ransomware attack. Of those attacked, 43% were significantly Curiously, 22% of respondents worldwide said they have paid
impacted, and 3% of those impacted had been mentioned or would pay a ransom for their data. Within the US, 24% of
publicly in the media. Enterprises still prioritize based on harder respondents said they have paid or would pay. Enterprises
and then softer ransomware costs. 23% of enterprises surveyed may not have a good understanding of the effects of all the
said that hard financial losses from penalties, fines and legal parties involved, such as cyber insurance underwriters, incident
expenses have been or would be the greatest impact from response firms, government regulations and ransomware
ransomware. Lost productivity, recovery costs and breach attribution. For example, the NotPetya ransomware was
notification were behind at 19%, 18% and 16%, respectively. considered an ‘Act of War’ by NATO, causing some cyber
Softer, long-term costs such as brand reputation and customer insurance vendors not to pay claims. The US Department
loss were further behind at 11% and 7%, respectively. of Treasury Office of Foreign Assets Control (OFAC) issued
guidance stating that facilitating ransomware payments to
Respondents were also uncertain about their ransomware attackers on behalf of victims could risk violating OFAC
plans, with only 48% having a formal ransomware plan in regulations. Despite ransomware’s additional impacts on data
place. 50% of companies with annual revenue greater than integrity and availability, the changing and unknown landscape
$1bn said they do not have a formal ransomware plan. may cause new plans to stall. 41% of all respondents said they
Perhaps the reason so many enterprises do not have specific have no plans to change security spending, even with greater
and formal ransomware plans is because ransomware ransomware impacts.
response has so far been most closely associated with disaster
recovery. According to 451 Research’s Voice of The Enterprise: It is interesting that of the attacked respondents, 3% had
Storage, Data Management & Disaster Recovery – Advisory media coverage. While it is easy to recall major incidents
Report, 62% of enterprise respondents said they feel ‘very affecting some very large organizations, we found that most
confident’ or ‘extremely confident’ in their organization’s of the attention affected medium-sized enterprises with annual
ability to recover from ransomware. Despite receiving notable revenue of $500m-1.5bn. Perhaps it is because medium-
attention, only 56% of healthcare companies and 44% of sized companies can still be large enough to be regionally
energy companies have formal ransomware response plans. noteworthy yet small enough to be significantly affected.

50%
of companies with annual revenue greater than $1bn said they
22%
of respondents worldwide said they have paid or would pay
do not have a formal ransomware plan. a ransom for their data.

10
 cpl.thalesgroup.com
#2022DataThreatReport

Breaches and Their Impact

Arguably, the ultimate strength of an organization’s security
protection is preventing breaches. We saw some improvement,
Prevalence of Breaches at
but there remains a lot of work to be done. This year, 52% Organizations
identified a breach in their operational history, and 35% of
those experienced a breach in the last 12 months, compared HAS YOUR ORGANIZATION EVER BEEN
to 56% and 41%, respectively, last year. In absolute terms, 18% BREACHED?
of all respondents have experienced a breach in the last 12 2022
months. The high percentage of recent breaches could be an
indication that organizations face challenges meeting improved Yes 52% No 48%
attacker techniques.

This year’s survey data allowed us to compare compliance 2021

audit success to breach history. While 43% of respondents
failed a compliance audit, some regions significantly improved
Yes 56% No 44 %
their audit success. For example, in the previous year’s report,
Source: 451 Research’s 2021 and 2022 Data Threat custom survey
59% of UK respondents reported a failed compliance audit
within the previous 12 months. In this year’s report, only 42% of
UK respondents reported a compliance audit failure.

57% of respondents said that their companies have successfully Prevalence of Recent Breaches,
passed their compliance audits. Of those that have passed,
40% have had a breach. Yet only 12% of companies that have Compliance Success
passed compliance audits have experienced a breach in the
last 12 months. There is a correlation between investment in HAVE YOU EXPERIENCED A BREACH IN THE
L AST 12 MONTHS?
compliance and breach outcomes. It seems efforts to improve
compliance lead to better security outcomes. 2021
Of note, ‘safe harbors’ for breach notification came down in
2022. In 2021, 46% of respondents said they had avoided a Yes 18%
breach notification because underlying data was encrypted
or tokenized. In 2022, only 40% of respondents avoided a No 82%
breach notification because data was protected and covered
by safe harbors. In general, there was also a slight decline in
breach notifications, with 32% of respondents issuing a breach
notification compared to 36% the prior year.
2022
The use of cloud-based infrastructure exposes new risks as
an organization’s data footprint expands. The research also
looked at breaches tied to cloud; 44% reported that they Yes 12%
had experienced a breach or failed an audit in their cloud
environments, a slight step back from the 40% of last year’s No 88%
respondents. The report found that there is a lack of maturity in
cloud data security with limited use of encryption, perceived
or experienced multicloud complexity and rapid growth of Source: 451 Research’s 2021 and 2022 Data Threat custom surveys

enterprise data.

11
2022 Thales Data Threat Report: Global Edition

Avoiding Breach Notification

Process Due to Encrypted Data

HAVE YOU EVER AVOIDED A BREACH

NOTIFICATION PROCESS (E.G., ENCRYPTION
SAFE HARBOR) BECAUSE THE STOLEN OR
LEAKED DATA WAS ENCRYPTED OR TOKENIZED?

2022

Yes 40% No 60%

2021

Yes 46% No 54 %
Source: 451 Research’s 2021 and 2022 Data Threat custom survey

40%
of respondents said they had avoided a breach notification
because underlying data was encrypted or tokenized.

12
Quantum
Computing
As part of last year’s report, we studied the perceived risks
of quantum computing and its potential to break current
cryptographic approaches. Nearly half (47%) of the 2021
respondents said they were very concerned about the security
threats of quantum computing. More education, interest and
activity in post-quantum security (PQS) have been created this
past year. When asked to identify security threats from quantum
computing this year, 52% said they were concerned with
‘tomorrow’s decryption of today’s data’ and 58% said future
‘network decryption.’ Encouragingly, only 2% of respondents
said they are not presently concerned. Last year, one-sixth of
respondents were completely unconcerned.

Although there are no current quantum computing threats

that can practically affect any classical encryption scheme,
the industry proactiveness of government and industry is
commendable. At the time of this writing in early 2022, the
National Institute of Standards and Technology (NIST) was
finalizing and vetting PQS encryption schemes, which could
go into effect in 2023 or 2024. Though quantum computing
is rapidly developing, post-quantum-computing security will
almost certainly be completely implemented with today’s
classical computing infrastructure.

This level of awareness should be generating interest in post-

quantum cryptographic techniques and efforts to improve
crypto agility. The continued efforts of enterprises to identify,
classify and protect sensitive data are strongly applicable to
improving preparations and crypto agility. As PQS encryption
schemes are validated, enterprises can still prepare with
existing risk management frameworks. These are approaches
to quantum computing risk that organizations should be
considering today because data protected with vulnerable
approaches could still be valuable by the time that practical
quantum decryption becomes available to threat actors.

13
2022 Thales Data Threat Report: Global Edition

Continued Era of Remote Working

Remote work continues for many regions. Despite another year
of adjustment, security professionals overall continue to be
Current Remote Access
uneasy. 79% of respondents expressed some level of concern Technologies
about the security risks/threats of employees working remotely
(31% ‘very concerned’ and 48% ‘concerned’). While overall HOW DO EMPLOYEES CURRENTLY ACCESS
THEIR APPLICATIONS REMOTELY?
numbers remain high, a sizable number of respondents work
in industries that seem to be most impacted by the pandemic.
VPN
When looking at respondents from retail, real estate, grocery, 60%
restaurant and sports-related industries, only 62% expressed 59%
concern about the security risks of remote working (25% ‘very Cloud SSO
concerned’ and 37% ‘somewhat concerned’). Empirically, it 53%
51%
is plausible that these industries have had to make the most
severe changes, and that has impacted cultural beliefs about VDI
56%
the security risks of remote work. Confidence in access control 55%
products significantly increased. Last year, 44% of respondents WAM
were not confident at some level that their access security 36%
solutions could enable effective and secure remote work. This 39%

year, that number dropped to 16%. Last year, only 34% were at ZTNA / SDP
53%
least ‘somewhat confident’; this year, 60% said they are ‘highly’
36%
or ‘significantly’ confident.

We asked organizations about their remote access 2021 2022

implementation, and traditional approaches continue to
dominate. VPN continues to lead; 59% of respondents selected Source: 451 Research’s 2021 and 2022 Data Threat custom surveys

it as the primary method for remote access. Virtual desktop

infrastructure (VDI from VMware, Citrix, others) was second
Organizations should expect to invest time and resources to
(55%) and cloud-based single sign-on ranked third (51%).
better understand the models of work that they’ll be moving
Traditional approaches still often lack the granularity of control
toward in the longer term. A separate 451 Research study
needed to effectively manage the much more diverse work
found that remote work is expected to continue at high levels,
patterns that the wholesale shift to remote work has required.
and that there’s growing acceptance that employees can work
Most traditional approaches were designed for tactical use in
effectively in a remote setting. That means that organizations
special cases and may not have received the comprehensive
will need security controls and remote access mechanisms
reviews needed to secure a much larger user population.
that can be effective in the hybrid working environments that
It was somewhat noteworthy that zero trust network access
organizations have begun to embrace.
(ZTNA)/software-defined perimeter (SDP) solutions fell from
53% to 36%.

14
 cpl.thalesgroup.com
#2022DataThreatReport

Cloud Momentum Continues

Respondents in the study are showing continued high use
of cloud-based infrastructure, and this trend appears to be
Encrypted Sensitive Data
accelerating in the wake of the pandemic. Just under a third
WHAT PERCENTAGE OF YOUR SENSITIVE DATA
(30%) of respondents stated that 41-60% of their data is stored IN THE CLOUD IS ENCRYPTED?
in external cloud, and 22% indicated more than 60% is stored
there. While cloud storage consumption is not increasing 2022
relative to on-premises, in absolute terms, data growth remains
the largest challenge, according to 451’s Voice of the Enterprise None 1%
(VotE): Storage, Data Management 2021 study. Although the
absolute amount of cloud data has been growing significantly, 0-20% 9%
the relative percentage of data encrypted in the cloud remains
small. Only 22% of respondents said they have more than 21-40% 39%
60% of their sensitive data encrypted in the cloud. Survey
results indicate that this could be explained by how cloud 41-60% 27%
security policies are defined and implemented: not quite half
(48%) have policies that are centrally defined, but technical 61-80% 12%
standards and enforcement are left to individual cloud teams.
This likely represents a troubling potential shift in the profile of 81-100% 11%
cloud security stakeholders, making them more aligned with
engineering-type concerns over traditional security concerns. Don’t know 1%
In this year’s survey, we offered respondents more ranges
to choose from, and we see some step-ups in improvement 2021
for sensitive cloud data encryption. Last year, only 17% of
respondents stated that more than 50% of their sensitive data
stored in cloud was encrypted. In the current year, 22% of
0-10% 2%
respondents said that more than 60% of the sensitive cloud
data is encrypted, and 50% of all respondents have at least
11-20% 9%
40% of their sensitive cloud data encrypted. There was some
improvement in regulated industries; for example, 20% of 21-30% 18%
financial services respondents said that 80-100% of cloud data
is encrypted. This will certainly be an interesting trend to watch 31-40% 26%
as more industries mature their protection programs.
41-50% 28%
While there is greater use of cloud infrastructure, 51% of
respondents agreed that it is more complex to manage privacy >50% 17%
and data protection regulations in a cloud environment than in
on-premises networks within their organization (22% strongly
Source: 451 Research’s 2021 and 2022 Data Threat custom survey
agreed and 29% agreed), up from 46% last year. Several
factors could be driving this. Persistent skills gaps in both
security and cloud infrastructure have strained security teams gap. The adoption of different cloud service providers and
as they deal with increases in cloud use. In 451 Research’s other SaaS/IaaS offerings adds further complexity. Adapting
VotE: Information Security, Organizational Dynamics 2021 traditional security strategies and teams to cloud operational
study, cloud platform expertise was the most-cited security skills models is also a complex endeavor.

15
2022 Thales Data Threat Report: Global Edition

Most Firms Are Using

a Multicloud Strategy
The nature of cloud use is evolving alongside the increase
in use. For this Data Threat Report, we explored the extent
to which participants are using multiple cloud providers.
Organizations are already using multiple providers for
infrastructure as a service. This year, 48% of respondents
said they employ AWS as their IaaS provider, followed by
Microsoft Azure at 47%. Last year, 53% of respondents
identified AWS as their IaaS provider, and 41% identified
Microsoft Azure, with considerable overlap across Google
Cloud, IBM Cloud, Oracle and Alibaba. SaaS usage has
diversified significantly. Last year, 27% of respondents said
they used at least 50 SaaS apps and 16% said 51-100
SaaS applications. In this year’s survey, 34% use at least 50
SaaS apps and 17% use 100 or more SaaS apps. Perhaps
because of greater attention to asset management and
attack surface area, our survey found 4% of respondents
reporting they use at least 500 SaaS apps.

Multicloud consumption raises concerns about the

operational complexity of successfully managing both
encryption and the corresponding keys across multiple
providers, each with their own consoles and APIs. As
identified above, almost half of respondents see cloud data
protection as more complex to manage. Management
complexity can be multiplied with each new cloud
environment that’s added because each brings its own
technology implementations, operational models and
security tools. Mastering all of them independently can be a
huge resource commitment and, even if it is possible for an
organization, can leave security gaps if management isn’t
well coordinated.

16
 cpl.thalesgroup.com
#2022DataThreatReport

Zero Trust Goes Mainstream

Organizations are working to adapt their security strategies
to address the changes in the threat models that they face. The
Zero Trust Status
study looked at aspects of zero trust and the ways in which it WHERE ARE YOU ON YOUR ZERO TRUST
is being incorporated into operational security plans. When JOURNEY?
asked about their zero trust strategies, 30% of respondents
Execution: We have a formal strategy and are actively
said they have a formal strategy and have actively embraced embracing Zero Trust Policy
a zero trust policy. 44% of respondents said they have no 30%
formal plans for their zero trust journey. For both the 30% of 30%
those that have formal plans and the 44% of those that don’t Evaluation: We are planning and researching to develop
have them, both have significant breach histories at 54% and a Zero Trust Strategy
53%, respectively. However, looking further into breach history 22%
27%
for the last 12 months shows a different story; for the 44% of
respondents with no formal plans, 33% had a breach within Consideration: We are considering it,
but have no formal plans
the last 12 months. For the 30% of respondents with formal 23%
plans, 41% had a breach in the last 12 months. While zero trust 23%
promises much more granular, automated controls that are No Strategy: We currently have no
pertinent for dynamic remote access and software-defined Zero Trust Strategy
perimeters, perhaps the complexity or other implementation 25%
20%
challenges are impeding the lowering of breach occurrences
and frequencies.
2021 2022
We also examined the impact of zero trust approaches on
cloud; 34% of global respondents said zero trust security Source: 451 Research’s 2021 and 2022 Data Threat custom surveys

shapes cloud security strategy to a great extent. In comparison,

31% of US respondents reported the same; Germany was at Importance of Zero Trust
34%, Sweden at 36% and Japan at 35%. Mexico and Brazil
led the way, with 48% of respondents from each saying that to Cloud Security Strategy
ZTNA shapes security strategy to a great extent. Among
industry verticals, 34% of financial services respondents said TO WHAT EXTENT DOES ZERO TRUST SECURIT Y
zero trust security shapes cloud security strategy to a great SHAPE YOUR CLOUD SECURIT Y STR ATEGY?
extent, and technology industry respondents led with 40%. To a great extent
32%
There has also been a modest increase in the proportion of 34%
respondents reporting that zero trust is shaping cloud security We rely on some concepts of Zero Trust Security
strategy at least to some extent. Last year, 76% of those said 44%
47%
that zero trust was influencing their cloud security strategy to
‘some extent’ or ‘great extent.’ This year, 81% of respondents Zero Trust security does not affect our cloud security strategy
said, ‘some extent’ or ‘great extent.’ It’s quite a similar story with 24%
19%
the industry breakdowns: last year, 83% of financial services
and 77% of retail respondents said zero trust was influencing
their cloud security strategy. This year, 82% of financial services 2021 2022
respondents and 75% of retail said the same. Only 20% of
respondents indicated that zero trust does not affect their cloud Source: 451 Research’s 2021 and 2022 Data Threat custom surveys

security strategy, down from 24% last year. Within the Global
Access Management Index (AMI) Report, we’ll dig deeper
into some of the operational challenges with remote access,
17
with some implication for ZTNA approaches.
2022 Thales Data Threat Report: Global Edition

Security Spending Misalignments

31%
This year, our research looked at present and future security
technology spending. We found a much greater diversity
of technology spending priorities than last year by asking
respondents to identify and rank the top three technologies by
importance. Last year, the technology categories of data-loss
prevention (DLP), encryption/key management, DevSecOps
and cloud security all came in above 30%, with DLP the highest
at 39% and cloud security at 35%. In 2022, no single category of respondents prioritized network security (IPS,
had more than 30%. Network security – firewalls, network gateways, firewalls), and no other technology
access control, etc. – came in at 29%, and DLP fell all the way category scored above 30%, compared to last year
to 23%.

When asked what solutions would mitigate data loss, 31%

of respondents prioritized network security (IPS, gateways,
firewalls), and no other technology category scored above
30%, compared to last year, when 38% of respondents
selected encryption as the most effective option for protecting
sensitive data. In 2021, endpoint security was second (36%)
and then tokenization (35%). The only observable alignment
was with ‘cloud security’ categories such as cloud infrastructure
entitlement management and cloud security posture
management. 27% of respondents prioritized these kinds of
cloud security tools to protect sensitive data from attack. The
broad ‘cloud security’ toolset has the greatest future spending
priority, with 26% of respondents. Other future spending
categories that respondents prioritized in 2022 include key
management at 25% and zero trust/secure access service
edge/SDP at 23%.

18
 cpl.thalesgroup.com
#2022DataThreatReport

Data Protection Management Strategies

Given the effectiveness of data encryption and tokenization breaches caused by stolen privileged user credentials. Native
for data protection, the foundation of data protection then cloud encryption offerings typically lack these protections.
rests on a combination of encryption effectiveness and key Bring your own encryption (BYOE) is an approach that can
management strategies. As we’ve noted earlier, there is room offer the controls and protections needed to mitigate these risks.
to expand the use of encryption among the study respondents,
but without better key management, usability and simplicity, the In looking at industry demographics, the financial services
overall data security posture will not significantly improve. The vertical reported high levels of encryption use, at 68%, but
study looked at the current state of respondents’ environments lower key management use, at 49%. Financial services
and how they’re managing this important area of security respondents indicated greater use of tokenization at 53% and
operations. Unsurprisingly, many indicated that they have MFA at 50%. Healthcare also led with encryption at 61% and
deployed a number of encryption key management techniques. reported key management at 55%.
The organic growth of various approaches and the mashups There is still a significant disconnect between interest and
created through corporate mergers and acquisitions can action. Last year, respondents identified encryption as the most
create a complex operational landscape that can pull together important tool for data protection, yet 83% reported that at
different approaches to key management and hardware least half of their sensitive data in the cloud was unencrypted.
security modules alongside homegrown systems, sophisticated Still, there are pockets of improvement in encryption
vaults and cumbersome static documents or spreadsheets. implementation, with 20% of financial service customers
Well over a third (41%) of respondents indicated that their encrypting 80-100% of their cloud data.

14%
organization currently deploys five to seven key management
products, and 14% of respondents said that they employ eight
or more key management products. The larger the number of
systems in place, the greater the risk for error and the more
work required to manage the combination successfully.

When we looked at tactics for data protection in cloud,

encryption was the leading choice: 59% of respondents
indicated that it is in place. Interestingly, 52% said that they are
using key management. Perhaps this discrepancy results from of respondents said that they employ eight or more
encryption without key management, which would indicate a key management products.
lack of maturity in data protection implementation and leaves
unaddressed risks open. The discrepancy could also be
based upon where the feature is implemented and how it is
experienced. For example, AWS S3 encryption is a feature that
largely abstracts key management, so it is possible for users to
be unaware of a key manager. It’s important for organizations Without better key
to understand that simply turning on protections like encryption
without managing all the aspects needed to ensure secure use management, usability and
will leave them open to abuse. Encryption needs to be applied
with a knowledge of users, processes and applications to be
simplicity, the overall data
effective against various threats. There needs to be partitioning security posture will not
of identity and techniques to address ransomware attacks or
significantly improve.”

19
2022 Thales Data Threat Report: Global Edition

Cloud Data Protection

Given the high rate of multicloud consumption, the responses Despite the early state of cloud data protection in place
to survey questions about cloud data protection revealed as mentioned above, a lower number (45%) of
interesting points. We asked about how respondents were respondents reported having experienced a breach
encrypting data in IaaS offerings that they used. A relatively or failed audit of cloud data. Retail reported a higher
small number (17%) said they rely exclusively on the provider’s rate of 52% compared to healthcare and financial
offerings. The largest number (37%) indicated a blend of services (38% and 44%, respectively). Regionally,
their own capabilities and ‘mostly’ the provider’s. That could 50% of respondents in Sweden and 52% of those
be an indication that there is a growing understanding of in the Netherlands said they had experienced
the importance and value that BYOE offers, as mentioned a data breach or failed an audit for cloud data.
above. Another 13% said they use BYOE exclusively, and 21% Failed audits or breaches of cloud data often have
use mostly their BYOE, meaning that over a third (43%) are happened recently. 34% of all respondents experienced
putting BYOE to work today. Another driver of BYOE can be a breach or failed an audit involving cloud data or cloud
the need to centralize data access policies and encryption applications this past year. 37% of retailers failed an audit
key management across multiple clouds and on-premises of or experienced a breach of cloud data in the last 12
environments. This is only possible with BYOE. months. In the US, 37% of respondents had failed an
audit of or experienced a breach of cloud data in
the past year. In the UK, this number was
36% and in Australia it was 37%.

While there is a positive trend

in use, encryption levels are
still below what’s needed for
comprehensive protection.”

In looking at cloud key management, the results showed a

similar, encouraging situation. While respondents favored the
provider’s key management systems as the leading situation
today at 54%, they also reported strong use of external key
management at 38% (23% mostly and 15% use all their
own), up from 34% in last year’s report. Exploring how users
manage keys, more than half said they are managing them in
cloud consoles (52%). Multiple options are in use, with some
respondents leveraging more than one. 45% are managing
keys through their own bring-your-own-key (BYOK) system, and
38% are using a cloud-based service. A hold-your-own-key
(HYOK) approach is being used by 29%, while 31% generate
their own key material but use the provider management
system. The healthcare vertical parallels the average, but
financial services, retail and government respondents indicated
a much stronger preference for using their own BYOK systems,
at 49%, 54% and 48%, respectively.
 cpl.thalesgroup.com
#2022DataThreatReport

Moving
Organizations large and small are reconsidering their security journeys
as they recalibrate their expectations for the year ahead. Insights from
this year’s research can be useful in identifying how to improve those
journeys and ensure better outcomes. Any idea that the urgent changes

Ahead
of the previous year were only a temporary disruption should be put
aside; the primary goal is to build security capabilities with the flexibility
to easily adapt to new realities. Organizations have to:

• Support and scale remote working models effectively.

• S
 ecure data throughout its lifecycle and across applications.
• Span the full breadth of hybrid infrastructure.
• P rovide the visibility to support and inform operations while
Putting in place delivering the assurances that governance and regulatory
commitments require.
systems that use One of the most powerful aspects organizations can focus on is to
common operational simplify their operations. Doing so can have a twofold impact: it not

capabilities across on- only reduces toil but can also reduce risk by minimizing the chance of
errors. In an increasingly hybrid infrastructure, putting in place systems
premises and cloud that use common operational capabilities across on-premises and

resources can help tame

cloud resources can help tame hybrid complexity. With over half of
respondents indicating that it’s more complex to manage security in
hybrid complexity cloud environments, there’s significant benefit to putting tools in place
to help security teams perform at a higher level. That means moving
beyond the limitations of native cloud controls and protections and
ensuring that sensitive data and workloads have the protections they
require, no matter where they’re hosted.

There continues to be a need to deploy data security measures such

as encryption and MFA more widely. While there is a positive trend in
use, encryption levels are still below what’s needed for comprehensive
protection. This is an area that should be driven by regulatory
requirements, as well as security common sense. As the research data
shows, it may be the complexity of managing at large scale that is
holding organizations back. Better security infrastructure can address
that issue. Moving to BYOK and HYOK capabilities should be some of
the most important projects in the year ahead.

As organizations move forward, they’ll need visibility not only across

their infrastructure, but throughout their organization. Establishing a
common understanding is a key part of effectively setting priorities and
executing security projects. When security teams are aligned with the
key parts of the business, they can work together to effectively and
efficiently address whatever issues the future holds.

21
 2022 Thales Data Threat Report: Global Edition

About This Study

This research was based on a global survey of 2,767 respondents, fielded in January 2022, via web survey with targeted populations
for each country, aimed at professionals in security and IT management. In addition to criteria about level of knowledge on the
general topic of the survey, the screening criteria for the survey excluded those respondents who indicated affiliation with organizations
with annual revenue of less than US$100m and with US$100-250m in selected countries. This research was conducted as an
observational study and makes no causal claims.

Sweden
103
USA Netherlands
511 101 Germany Hong Kong
252 102
UK
259 Japan
Canada 203
Mexico 105 South Korea
103 UAE 104
103 India
France 204 Singapore
252 105

Brazil
102 Australia
105
New Zealand
53

Industry Sector Revenue

Manufacturing 157 Consumer Products 107 $100 million to $249.9 million 162

Retail 154 Computers/ $250 million to $499.9 million 802

Electronics/Software 106
Technology 127 $500 million to $749.9 million 865
Engineering 104
Financial Services 120 $750 million to $999.9 million 458
Federal Government 103
Healthcare 115 $1 billion to $1.49 billion 254

Public Sector 109 $1.5 billion to $1.99 billion 58

$2 billion or more 168

22
cpl.thalesgroup.com
#2022DataThreatReport

23
 Contact us
For all office locations and contact information,
please visit cpl.thalesgroup.com/contact-us

cpl.thalesgroup.com/data-threat-report

© Thales - February 2022• RMV13