IT security breaches at Canadian firms account for an average annual loss of $834,149, a figure that reflects a 97 per cent increase from the $423,469 average cost reported in 2008, according to a national study released Tuesday.
The Rotman School of Management at the University of Toronto and Telus Corp. released the results of their 2009 Joint Study on Canadian IT Security Practices during a briefing to executives at the Toronto Board of Trade.
The study, which looks at the state of IT security at Canadian organizations with over 100 employees, is the second in a series of annual studies Rotman and Telus plan to develop in subsequent years.
The results are based on over 600 responses from Canadian IT security professionals and nine focus groups across Canada. A full copy of the 80-page report is available at rotman.utoronto.ca/securitystudy. A benchmarking tool is available at telus.com/securitystudy.
The average number of breaches have also raised from 3.0 in 2008 to 11.3 in 2009. In both categories, security breaches increased most for government as opposed to private and publicly traded organizations.
“Government organizations more than tripled their average annual cost of breaches to $1 million in 2009, up from $321,000 in 2008. Private companies more than doubled their cost of breaches to $807,000, up from $294,000 in 2008. Publicly traded companies reported a moderate increase of only six per cent year-over-year,” states the report.
Dr. Walid Hejazi, professor of business economics at the Rotman School of Management, said government “is a natural target” for security breaches.
Governments are custodians of confidential information and breaches that increase during economic downturns tend to be related to identity theft, he said. “But it’s really important to note that per dollar, government organizations are performing quite effectively,” said Hejazi.
The average cost per breach has decreased significantly across all organizations, according to the study. “For example, publicly traded organizations decreased breach costs to $75,014 in 2009, down from $213,926 in 2008,” states the report.
Hejazi linked the breach results to the downturn in the economy. “On the one side, you’ve got organizations cutting budgets. On the other side, you’ve got layoffs mounting … you can predict an increase in the number of breaches and this is what we’ve seen,” he said.
The increase in breaches is also linked to greater detection capabilities. “Threats are up, but it is partially because organizations have improved their capabilities to detect unknown security events. Organizations are also improving their response to breaches, which has lowered individual breach costs,” states the report.
Unauthorized access to information by employees is the fastest rising breach category, up by 112 per cent. Bots within an organization and financial fraud follow second and third, rising by 88 per cent. Theft of proprietary information rose by 75 per cent and laptop or mobile-device theft by 58 per cent.
The five breach categories that remained constant or declined include password sniffing, phishing and pharming, denial of service attacks, sabotage of networks and exploiting DNS.
The top three costs associated with breaches include damage to brand or reputation, lost time due to disruption and lost customers. “Canadian organizations continue to report damage to brand as the most significant impact of a breach,” states the report.
The top five concerns that drive IT security programs and spending include disclosure or loss of confidential data; compliance with Canadian regulations and legislation; business continuity and disaster recovery; loss of strategic corporate information; and employee understanding and compliance with security policies.
Hejazi finds an overall “lack of understanding” on the part of C-level executives when it comes to the security threats that face their organizations. He recommended that organizations view IT security as a source of competitive advantage and fundamentally important to business strategy.
“When organizations view IT security as a source of competitive advantage, when they built it secure to begin with, outcomes are much better than when they build IT security systems only to satisfy some compliance requirement and then move on and believe the problem is going to go away,” he said.
Hejazi also finds a “lack of clarity” on the state of IT security in Canada and a need for more Canadian-based security data. “Many times, the perceptions of the threat environment, preparedness and strategies that should be deployed are generally based off U.S. information or global studies,” he said.
Canadian organizations that rely on information and strategies developed using U.S. information or global studies commit a “strategic error,” according to Hejazi. The perception that what applies in the U.S. applies to Canada is not the case, he said.
“Canada is very different than the U.S.,” said Hejazi. We have a different approach to government, public healthcare and six major banks as opposed to thousands, he pointed out. “In terms of threat to information and the flow of information across businesses, it’s very different,” he said.
The average security spend is 7 per cent of the IT budget, but top performers have an average IT spend of 15 per cent, noted Alan Lefort, managing director at Telus Security Labs. But the secret to good security is not necessarily spending more money, he said.
Governance drives performance significantly, according to Lefort. Business level security metrics increase the perceived value of security at the C-level by 47 per cent and high performers were twice as likely to measure their IT staff performance on security goals, he said.
Organizations with more remote workers have less security breaches because they put a lot more focus on security awareness training for employees and IT staff in general, noted Lefort. “As trite as this stuff looks like, working on your people and helping them understand what role they play in security matters immensely,” he said.
Technology is the last thing organizations should think about when it comes to security, according to Lefort. “Technology can make a well-developed security program, a good security program, better. It will not save a bad security program,” he said.
The study also found that technology investments are driven by malware and not insider threats. But the types of breaches on the rise are targeted attacks looking to collect data rather than disrupt systems, Lefort pointed out.
“A fundamental mind shift that has to happen within the community of Canadian companies is that you can be a target. You don’t need to be a government organization, you don’t need to be a high-profile company. It’s very simple to determine if you have value – do you take credit cards on your Web site,” he said.
People are the greatest security asset and the greatest security threat, said Christopher Burgess, director and senior security advisor to the chief security officer at Cisco Systems Inc. Employees must understand that everyone is responsible for security, he said.
Cisco ran its own security education program like a marketing campaign, according to Burgess, targeting the nuances of individual departments and adapting to different cultures around the globe. The company also re-worded its code of conduct, making the language easier for employees to understand.
But policy must not get in the way of employee decision-making, Burgess warned. “Do not put the employee in the position where they have to choose between following a policy and enhancing their business. If your policies keep you from getting business done, perhaps you need to revise your policies,” he said.
Security must be leader-led and education needs to take a how-to approach, Burgess advised. “Every employee has to be held responsible and accountable for their actions online and in their decision-making and in doing so, it is your responsibility as the executive team to educate your workforce on what that responsibility entails,” he said.
Burgess suggested organizations develop a visible and focused security awareness program. “What I mean by that is when the security messaging comes out, it's not on your first day of work and it's done … it's an ongoing effort, all the time, every year, throughout the year, multiple times. It also extends outward to the offboarding,” he said.