Canadian companies slow on security uptake

IT security seems to be a topic that gets taken less seriously the more frequently it’s discussed. Alas, there are too many alarmist stories in an industry driven by fear. What a load of negative hooey and who needs to repeatedly hear that? Don’t worry, be happy.

Maybe years of hysteria fueled by the dire prophecies of so-called security experts, who have adopted a paranoid view towards all things collaborative computing, and who rarely surface from sheltered worlds to view practical reality, have hardened people to the message. Even countless highly publicized media accounts of disastrous breaches and denial-of-service attacks that have destroyed corporate perceptions and devastated bottom lines don’t seem to be stirring much adoption action on the security front.

The security message has been delivered the wrong way. There’s not enough calm reason and too much misinformation about what security systems can and can’t do.

So let’s start there. The reality is that no security system on the planet can guarantee complete IT computing safety. Don’t look to eradicate the disease, but rather to minimize, through various security solutions and methodologies, the effect (risks) of intrusions, data corruption and other assorted malicious and/or accidental disasters that may befall computing resources.

It’s an individual corporate determination that dictates how much IT security to impose and where. No one size here fits all and the best way to look at security is as a customized solution. And security is only as necessary as the need to protect IT resources. As one security expert recently explained to me, “If there are no assets to protect, no vulnerable components and no human threat, then there’s no need for security.”

There’s every reason to believe Canadian businesses see security as a top-of-mind concern, but also little to suggest that most companies are likely doing enough to minimize their risks. Here resides “the disconnect,” if you will, between security perception and reality.

Recent security research, sponsored by four leading Canadian IT companies and completed by IDC Canada in early April, suggests the danger is real and the possibility that your organization may be targeted is not nearly as remote as might be imagined. It’s not a one-in-a-million, one-in-a-thousand or even one-in-a-hundred shot. Security professionals surveyed from medium- and large-sized Canadian businesses reveal that odds may be as low as one in five. That’s the share of respondents who said their organization’s network, data or Internet security had been compromised in the past, and the same ratio reported their networks had been “knowingly hacked” in the past year. And three out of four said their computing environments have been infected with computer viruses at least once during the past 12 months.

Is this not enough evidence to suggest that Canadian companies should be worried?

The volume of computer virus infections may have been an expected result, but the frequency of system compromises within Canadian corporations probably wasn’t. Still, if you were to ask any vendor of security products, most would lament the fact that security is generally a tough sell, especially those solutions that are designed to be proactive and comprehensive.

The problem may be largely due to understanding. Security remains a daunting issue for most companies and many don’t have a clue about what they need to protect and why. In addition, there are few true IT security experts in the world, let alone Canada, so help isn’t exactly available.

Some other interesting general highlights from the survey include:

Approximately 75 per cent of companies surveyed say they have defined security policies, which would determine the scope of security concerns and determine action recourses in the event of security compromises and/or breaches. Additionally, nearly half of respondents indicated these policies are revisited annually, while nearly a quarter of respondents said they update their policies on a monthly basis. If the development of a security policy is a first step towards adopting a comprehensive approach to security, then Canadian businesses are well on their way.

Accidental, rather than malicious, activities are a greater threat. Internal, rather than external, sources are also a greater security threat, although large and medium businesses differ somewhat on their overall perception of internal vs. external threats — more respondents from medium-sized companies say the greater threat is external.

Nearly all respondents say they utilize virus protection products, as well as physical security measures and user management practices. However, more advanced solutions such as vulnerability scanning and assessment, authentication certificates and secondary authentication, are relatively uncommon solutions, especially among medium-sized businesses.

Firewalls are also widely deployed by most respondents surveyed, while more advanced security solutions such as ethical hacking services, intrusion detection, security management suites, public key infrastructure certificates, handheld authentication devices or tokens, and biometrics tools are rarely used.

Even though IT security ranks as a major area of concern for respondents, there’s currently modest investment being made, relatively speaking. Nearly 75 per cent of respondents overall currently spend only between 1 per cent and 10 per cent of their IT budgets on security and relatively few have declared security as a separate line item in those IT budgets. While most respondents say they will increase their investments in IT security over the next 24 months, more than half will allocate only 10 per cent or less of their IT budgets to security solutions and services.

IDC Canada concluded the companies that participated in the security survey appear to be cognizant of the importance of security and many have adopted the necessary basic security tools. However, security as an IT investment priority appears to be relatively small and Canadian companies are moving too slowly in their adoption of more comprehensive solutions and services, given the relative threat that appears to be present.

Of course, it seems the most effective way to actually relate the importance of IT security is to say as little as possible about the devastating and disastrous impact that it may have for a business.

Even if that just happens to be the truth.