Confidence in IBM i Security Is Dropping, Syncsort Says
May 6, 2020 Alex Woodie
IBM i shops were significantly less confident in their ability to prevent a security breach in 2019 than in the previous two years, according to a new study by Syncsort. More than 40 percent of IBM i shops have suffered at least one security breach, according to the study, which also indicates that awareness of security regulations is growing, but not for the ones you might think.
In 2019, 11 percent of respondents reported being somewhat or very unconfident in their ability to prevent a data breach at their organization, Syncsort concluded in its new study, which is titled “IBM i Security Insights for 2020.” Back in 2017, no IBM i shops reported being somewhat or very unconfident in their breach-prevention, while that figure was just 2 percent in 2018.
At the same time, only 25 percent of respondents to the 2019 survey reported being very confident in their ability to prevent a data breach, compared to 30 percent in 2018 and 40 percent in 2017.
These figures indicate an increasing wariness about security on the part of IBM i shops, according to Bill Hammond, senior product marketing manager for Syncsort.
“That trend of dropping [confidence] is pretty significant and we definitely want to call it out as one of the things we saw in the survey data,” Hammond said during a webinar last week. “We think this is a dynamic where people are really understanding the problem at a deeper level and realizing this is a really tough challenge.”
IBM i shops have good reason to be worried about being breached, based on the results of the security assessments that Syncsort performs on behalf of its clients, said Rich Marko, director of technical services for Syncsort’s security products.
“Most of the time, we’re seeing organizations not implementing exit point security,” Marko said during the webinar. “For the most part, companies either do not know about exit point security or have just not implemented any tools to at least monitor, but more so to secure the exit points for network activity.”
The authority levels on IBM i objects are another area where companies have a reason to be concerned, he continued. “You really don’t have to have *PUBLIC on your objects,” Marko said. “I think a lot of that comes from legacy applications . . . that have not been updated to be more specific.”
Security was the top yearly IT priority among Syncsort’s survey respondents for the second straight year, tying with analytics at 37 percent. Third on the list was high availability/disaster recovery at 31 percent followed by big data projects, application modernization, and cloud or hybrid cloud adoption, at 29 percent, 29 percent, and 28 percent respectively.
“Given the compliance mandates that are out there, it’s not surprising that security is top of mind for a lot of these clients,” Hammond said.
The growing complexity of regulations was the top security-related challenge for IBM i shops, with a 34 percent share, followed by adoption of cloud services at 33 percent and searching data from new internal and external sources at 29 percent, the survey concluded.
“The complexity of regulations and the adoption of cloud services dovetails with security data from new sources,” Hammond said. “Both of those show pretty significant increases in terms of the ranking that they had.”
Training is another concern growing in IBM i-land, Hammond said.
“One of the things they’re seeing as the need is training for their IT staff, getting more experience on their security capabilities and technology, and also training end users not to do, frankly, stupid things and compromise the security,” he said.
On the regulatory front, GDPR and CCPA have gotten a lot of attention in IT departments over the last few years. Those are not, apparently, top of mind for IBM i shops, as the survey found that SOX, HIPAA, and PCI DSS had the most mindshare among survey respondents, at 36 percent, 33 percent, and 31 percent, respectively. GDPR and CCPA rated 27 percent and 22 percent shares in the regulatory category.
“I find it interesting that SOX and HIPAA made the top of the list,” Syncsort product director Dawn Winston said on the webinar. “They should be there. But they haven’t been in previous years. They are older regulations. There’s a large majority [of organizations] that should be following them, especially SOX. I find it interesting that it just now made it to the top of the list.”
Winston said she was concerned that PCI DSS, GDPR, and CCPA are so low on the list. “PCI and GDPR are global regulations,” she continued. “They’re not specific to one region, so that response should be higher. For example, GDPR isn’t just applicable to business doing business in Europe. It is applicable to businesses globally.”
Forty-two percent of survey respondents said they had experienced at least one breach and 24 percent said the breach went undetected for two months or longer. However, only 20 percent of the hacks resulted in the loss of unencrypted data. Nearly one-third (31 percent) of respondents attributed security breaches to internal employees or outside contractors.
Syncsort also asked survey respondents to list what kind of data they’re storing on their IBM i systems.
“It’s not surprising, but it’s pretty obvious that the IBM i is housing critical data for organizations: financial data, customer details, HR details, health information,” Hammond said. “All of these are important, critical data. They’re confidential data in a lot of places, and I think this makes IBM i a pretty high-value target from a security perspective.”
Syncsort, which acquired Vision Solutions in 2017, has moved aggressively into IBM i security with the acquisitions of Townsend Security, Cilasoft, and Enforcive.