Aggressive on growth, but not security

A recent study by PricewaterhouseCoopers (PWC) has found that almost half of the fastest-growing companies in the U.S. have suffered a recent breach of their information security, despite higher precautions taken since 9/11. And one Canadian security expert says he’s not surprised.

PWC interviewed the CEOs of 402 privately held companies about what kinds of precautions they have taken to protect against threats to their company’s information security, the vulnerabilities that got the best of them; the effects of breaches; and their corporate security priorities.

The study found that 46 per cent of companies had been victimized by security breaches; of those, 83 per cent said they experienced monetary loss and nearly one-quarter faced network downtime.

The companies polled have been identified in media reports as the fastest-growing U.S. businesses over the last five years, ranging in size from about US$5 million to $150 million in revenue.

The fact these firms are growing quickly may be what is causing the problem in the first place, according to Mark Lobel, senior manager, security and privacy services for PWC in New York.

“One of reasons they’re fast-growing companies is that they’re willing to accept more risk to move the business forward,” Lobel explained. “They spend more time focusing on the revenue generation aspects of the business versus implementing the (security) controls their more mature brethren already have in place.”

Although two-thirds of respondents reported that information security is important to their company’s near-term profitable growth, the study found that the security budgets for 80 per cent of fast-growing companies “have not and are not planned to materially increase,” Lobel said. Those results contrast starkly with an earlier global PWC survey that indicated most other companies had plans to increase their security spending by a significant amount, he said.

“What do more mature companies understand that these fast-growing companies don’t understand or are refusing to accept?” Lobel said. “I’m not sure if it’s ignorance, arrogance or inexperience.”

Richard Reiner, CEO of FSC Internet Corp. in Toronto, said PWC’s findings mirrors what he typically sees within Canadian firms. FSC works with larger companies in Canada’s major industries, including banking and insurance firms, telecommunications, some parts of public sector, public utilities and health care. In most cases, these sectors also have the greatest security risk.

Reiner said he knows of only half-dozen Canadian firms that have a truly effective and comprehensive security management program. The rest have programs in place that are mature in some areas and lacking in others; or their security capability is downright inadequate right across the board.

The reason? With the exception of banking and some parts of the telco industry, which “have [security] experience that dates back quite a while, and have always considered themselves to have these risks,” for many companies there hasn’t been as much of a focus on its importance until recent years. “For them, it’s a new set of challenges,” Reiner said.

Lobel agreed, adding that fast-growing, private companies don’t face the same kind of scrutiny as public firms when it comes to regulatory compliance. Some companies lack risk knowledge because the classification of high and low risks changes very quickly and it’s hard to keep up, Reiner added. “Some areas have emerged that companies are really ill-prepared around.”

For example, while most firms now understand the network and infrastructure areas of security, awareness and capabilities are much lower around things like application-level security, he said. “Web-based applications have emerged, as we think, risk area number one, and it’s an area that even in many organizations that have information security teams and dozens of people in those teams, there is little understanding and the awareness is not high.”

Reiner suggested firms get up to speed on security by mapping out a threat and risk assessment, determining what kind of information it has, where it flows and what would happen if that information was disclosed or destroyed, and then follow up with a plan that manages each risk systematically and takes care of the blind spots.

The wrong approach is for a company to just slap in a piece of technology and expect it to do the trick, Lobel said, adding that following the “people, process and technology” mantra applies in this instance. “If you install antivirus, you’d better also define who is responsible to make sure the signatures are updated.”

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Featured Articles

Empowering the hybrid workforce: how technology can build a better employee experience

Across the country, employees from organizations of all sizes expect flexibility...

What’s behind the best customer experience: How to make it real for your business

The best customer experience – the kind that builds businesses and...

Overcoming the obstacles to optimized operations

Network-driven optimization is a top priority for many Canadian business leaders...

Thriving amid Canada’s tech talent shortage

With today’s tight labour market, rising customer demands, fast-evolving cyber threats...

Staying protected and compliant in an evolving IT landscape

Canadian businesses have changed remarkably and quickly over the last few...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now