Parenting experts say it's always wise to explain to children why you say no to them.
It turns out that’s good advice for adults, too, if an organization wants better IT security.
According to a study conducted by Telus and the University of Toronto’s Rotman School of Management, Canadian organizations that explained security policies clearly to employees had fewer data breaches.
The results “jump out” of the numbers and “are incredibly strong,” Walid Hejazi, a Rotman professor of business economics and co-author of the report, said in an interview. His partner was Hernan Barros, director of product management for Telus’ security solutions division.
“It’s not about saying yes or no” to new and possibly risky technologies like cloud computing, Hejazi said, “but about making decisions in a security responsible way” so staff won’t defy management.
In fact, overall, respondents whose firms fit the profile of what the authors call a security responsible organization not only reported a lower number of breaches, they were also able to keep IT security staff longer, managed risk better and had a better opinion of their security.
This was the sixth annual Telus-Rotman security study, which this year asked questions of some 400 security, C-level and IT staff at Canadian organizations. Read the full report here.
Among the results:
–Respondents who said their organizations had no difficulty in retaining security staff reported suffering seven breaches in the previous year; those that had some difficulty holding onto security staff had 13 breaches, while those who said their organizations were unable to retain staff reported 26 breaches annually;
–More than 56 per cent of respondents are satisfied or very satisfied with their organizations’ security postures;
–Forty per cent of organizations still block business-enabling innovations;
–‘Disclosure/loss of strategic or sensitive data’ is the number one security concern overall;
–Among respondents, breach losses decreased for the public and private sectors compared to previous years, but have more than doubled for governments.
That’s surprising, Hejazi said. He speculates that governments deploy advanced technologies and so can better detect breaches. He also thinks they have more complex environments that are more difficult to manage than those in the private sector. Hejazi thinks lower salaries in the public sector than in the private sector may play a role.
And governments are big targets for attackers, he added.
The authors believe there are four key concepts to a security responsible organization: It focuses on risk beyond compliance (meeting compliance is a bare minimum); it retains people with IT security skills (and, the authors note, they are attracted to organizations that give importance to security); it is diligent about security policies (policies aren’t reworked to accommodate new technologies); and it educates staff about security (otherwise they suffer more breaches because employees find ways to get around the barriers).
These organizations don’t eliminate breaches, the authors say. But they do handle risk better than other enterprises.
Despite regular news reports about breaches and software vulnerabilities, 56 per cent of respondents said they are satisfied or very satisfied with their organization’s security posture. That raised the question of whether respondents were overly optimistic about the job they’re doing, or seeing things clearly.
The survey also found that only 37 per cent of respondents said their organizations are taking a security responsible approach to mobile security.
Still, Hejazi said there’s more to what might be considered a glass-half-full/half-empty analysis. “I believe the glass is almost full,” Hejazi said of overall Canadian IT security. “I think we’re doing a great job, but we have to maintain our diligence.”