IT managers can set up all the security policies they want, but nearly a quarter of Canadian executives admit they look after their personal data more carefully than that of the enterprise they work for, according to a survey report released Wednesday.
One in five of the businesses surveyed said they did not use anti-virus software or a firewall, while one in six said their firm has been the victim of a security breach. The survey, conducted by Leger Marketing on behalf of Toronto-based Fusepoint Managed Services, was based on interviews with 1,200 executives and has a margin of error of plus or minus 2.8 per cent, 19 times out of 20.
Fusepoint president George Kerns said the lack of adequate security tools represents the input of smaller firms rather than large enterprises, noting that companies tend to get more proactive about security as they grow. Still, “I think that is kind of an alarming number,” he said.
Companies like Fusepoint allow enterprises to outsource portions of their IT infrastructure. As a result, Kerns said Fusepoint regularly sees issues in companies that fail to set up processes to ensure appropriate safeguards on data.
“You see a lot of people who take more of an 8:00 a.m. to 5:00 p.m. orientation towards security – they’ll check the firewall logs once a day, for example,” he said. “A lot of that information, you need to act upon it immediately.”
Although the majority (81 per cent) of those surveyed said they feel personally responsible for data security in their company, 22 per cent said they put their own data first. Kerns attributed that attitude to human nature. He gave the example of someone throwing a reconciled invoice into a wastebasket, only for it to be stolen by “dumpster divers” who seek out customer account information.
“Someone might not shred stuff in a corporate environment the way they might do at home,” he said. “I don’t think they’re naturally not diligent. I think they’re not going the extra step.”
Kerns noted that the security issue goes beyond internal safeguards and extends to the protection of customer information. Survey respondents said the Internet was the least trusted channel for conducting business, and 50 per cent said they do not believe businesses are doing everything they can to protect them.
This perception is one of the reasons why financial institutions such as ING Direct are trying to offer tools to help their customers ward off viruses and phishing schemes. The company recently formed a partnership with Symantec whereby it will offer the vendor’s Norton Internet Security product free of charge for a 90-day period.
Robert Weaver, ING Direct’s IT security director, said those who avoid deploying anti-virus, in particular, end up hurting themselves and their relationship with other companies.
“Once they let in keystroke loggers or malware that allow takeover of their machine, then all bets are off,” he said. “Once they’ve filled out an application online or a form, there’s not much else you can do. On the other hand, that’s a pretty simple thing to fix.”
Thirty-eight per cent of survey respondents said companies that are negligent in protecting customer data should face jail time, but Weaver wasn’t worried.
“Nothing that has ready affected the legal landscape in terms of where the liability lies. I can’t see it going in that direction,” he said.
Despite major security breaches at firms such as TJX, 39 per cent of those surveyed said they were carrying on with business as usual.