Canadian IT security practices conflict: survey

VICTORIA–What are Canadian governments and enterprises doing in the world of cyber-security post-recession? Not much evidently.

According to the “2010 Rotman-TELUS Joint Study on Canadian IT Security Practices, 2010 saw Canadian security budgets remain below 2008 levels, in effect carrying over the austerity measures implemented in 2009 that resulted in average budget cuts of 10 per cent.

Ritchie Leslie, director, Western Canada, TELUS Security Solutions, shared the results of the research with the delegates at the 12th Annual Privacy & Security Conference in Victoria, B.C., last month. He noted the average security expenditure as a percentage of IT budgets dropped from 7 per cent to 6.5 per cent.

The study also focused on issues around social media, virtualization, cloud computing, and mobile devices as well as the determining the effectiveness of outsourcing security services.

“Breaches have leapt in 2009 to 2010 by roughly 30 per cent. This is a combination of two factors: there are more security incidents and we’re getting better at tracking them and protecting against them as we gain access to more sophisticated tools,” he said.

Meanwhile, government respondents indicated the key concern for them is the disclosure or loss of sensitive information.

“The healthcare sector is still plagued with healthcare records being left in dumpsters, with laptops being left on car seats, and very basic leakages,” he said. “There are more privacy breaches in healthcare than any other vertical industry in the world. It’s the worst offender.”

The study also showed malware is on the rise and that it’s increasingly sophisticated. Leslie said 60 per cent of malware TELUS sees is targeted at stealing identities. A lot of malware can also determine what security solutions you have deployed and will subsequently change its behaviour to avoid detection.

“That’s the nightmare scenario that suggests you need multiple lines of defence just like that of an old-fashioned castle,” he remarked.

Michelle Warren, principal, MW Research & Consulting in Toronto, said the identity theft of employees is a major concern for organizations.

Consider the theft of employees’ identities via the corporate network, or theft of customer/supplier identities via the corporate network. There is an element of responsibility and liability on behalf of the organization. And even if there isn’t in a particular region as of today, there will be tomorrow,” she said. “This can negatively impact an organization’s financial bottom line and their brand. At the very least, the crisis management initiative will be expensive.”

After malware and of the 725 organizations surveyed for the study, the top issue is device theft and loss, unauthorized access to data by employees, and bots. But the insider threat is one of the largest issues, Leslie said.

“In government, 33 per cent of the breaches that occur are the result of insider action and if you drill down further approximately half of that is accidental,” he said. “We’re all under the same pressure to get stuff done, to communicate and increasingly work with entities outside of our core organization and this causes real problems.”

Data loss and compliance is also a key issue. Interestingly, the survey’s respondents stated they believe contracts are an effective and adequate measure for managing third party security compliance.

“I would put it to you respectfully that contracts are probably an adequate mechanism for managing responsibility if a breach occurs but not an effective measure for preventing that breach from happening in the first place,” he said. “You need to manage regular audits and exercises to test that. Any business partner worth their salt should embrace that.”

Something else to consider: from the point of personal compensation IT security is the place to be if you’re at the top of the food chain. While the leaders of security functions have seen better compensation in 2010 versus 2009, for the folks who actually do the work compensation hasn’t changed from last year or it has decreased while workloads have increased and team sizes have shrunk.

“This is setting a nasty trend. We’re putting more load on existing security teams with more sophisticated technologies,” he said. “In the longer term, organizations will head into trouble in terms of trying to maintain their security posture if they continue to hold the line on compensation and increased workloads on people. These are classic recipes for generating employee retention problems.”

As is often the case, when companies look to control or minimize expenditures, employees feel the crunch, Warren said.

“It usually is employees who are recent hires or those in low-level positions that take the hit. As a result, remaining employees experience increased workloads, increased stress, without increased pay,” she agreed.  “IT costs – hardware and software – have balanced out. Payment options are available, notably pay-as-you-go; however, employee costs remain constant. Unless the workforce takes an across-the-board pay hit, employees will be let go.”

David Senf, director, infrastructure solutions group, IDC Canada, also greed with Leslie.

“Those on the front line have a keen awareness of what attacks the firm is under and what needs to be defended,” he said. “Ideally, those would be the folks who would be compensated such they would be happy and wanting to go the extra distance for the organization.”

With respect to outsourcing security, Leslie said the study’s results showed outsourcing has “no significant positive or negative effect on the quality of the security that is delivered.”

Other areas of concern Leslie highlighted included application security, application-level breaches, and data theft.

“We have a lot of data that’s sitting on databases and exposed to either internal or externally-focused Web-based applications,” he said. “What worries TELUS greatly as a security practice is that in terms of building security into the basic design of applications there’s still a tremendous amount of work to be done.”

Twenty-five per cent of surveyed organizations said they don’t have security built into being a formal part of their systems architecture base in a major systems development project.

On the subjects of social media and mobile devices such as smartphones and tablets, Leslie said TELUS is working hard to determine how best to secure a smartphone without turning it into a ‘dumb-phone’. Meanwhile, the survey found last year that organizations that blocked access to social media sites like Facebook reported marginally higher levels of breaches.

“When we drilled down with those organizations, they said they felt they had probably upset and negatively biased a lot of their younger and more talented employees who spent time trying to work around the corporate security measures,” he said.

Lastly, with respect to cloud computing, Leslie said most of the survey’s respondents concerns in 2010 were beginning to focus on highly technical issues within VMware environments.

“People are moving from concerns about cloud computing conceptually to very detailed and focused technical issues within the VMware environment,” he said. “So in other words, the respondents were telling us that cloud computing is more or less under control as Canadian organizations.”

— Lahey is an online community manager for in Vancouver. Follow him on Twitter: @LiamLahey

Related Download
A Guide to Print Security for Canadian Organizations Sponsor: HP
A Guide to Print Security for Canadian Organizations
IT security vulnerabilities are a growing cause for concern for organizations trying to protect their data from printer breaches.
Register Now