Despite the media hype over internal security breaches, it seems Canadian as well as American firms trust their employees.
That’s a key finding of a recent survey of 1,611 organizations on both sides of the border.
The survey, titled Cross-Border IT Security, was prepared by Info-Tech Research Group Inc. in London, Ont. Some 580 Canadian and 1,031 American IT managers were questioned on issues of security attitudes and implementation.
When asked what security issue they considered to be of “extreme importance”, managers from enterprises and government agencies ranked protection from internal users sixth in a line up of seven possible threats.
Generic external threats such as viruses and malware headed the list, followed by random attacks. The need for physical protection of data centres was a close third.
“These findings don’t jibe with what we see in the media,” said Ross Armstrong, senior research analyst at Info-Tech. He said if media reports were to be believed, internal threats “would be number one on the list.”
But the consultancy firm believes internal personnel rarely figure in intended actual security attacks against their employers.
“We believe that when employees are involved in a security breach, it is not so much a case of malfeasance as of ignorance,” said Michael O’Neil, managing director at Info-Tech.
He said most in-house breaches could be explained away as “innocent mistakes.”
Generic threats – from viruses and malware – had 85 per cent of the Canadian firms and 70 per cent of the U.S. firms most concerned.
Random external attacks (by hackers, for instance) were second on the list for 60 per cent of Canadian and 55 per cent of American respondents.
Fifty-eight per cent of Canadians and 52 per cent of Americans saw physical protection for data centres as very important – placing this third on the list of key enterprise security issues.
Other important security concerns were: security policy compliance, targeted external attacks, and mobile device security.
By contrast, less than half of those polled (48 per cent of Canadian respondents and around 45 per cent of the Americans) believed that employees are the source of grave security threats.
Armstrong said security for laptops and personal digital assistants rank low because not all companies have mobile devices.
“However, if in future, we are forced to check in laptops on flights, IT managers would need to impose encryption to protect against data theft.”
The survey also found that while organizations in both countries share similar attitudes towards and implementation of IT security, the Canadian government is seen as a leader in technology deployment.
“We queried 88 Canadian and 129 U.S. agencies and found our government is [viewed as] a leader in IT security deployment,” said O’Neil.
“The government appears to be setting the standard for enterprise in IT security.” Another Canadian analyst agrees with this assessment.
“The Canadian government is a best practices leader in IT while the U.S. government is a laggard,” said Brian O’Higgins, chief technology officer for Third Brigade Inc., a provider of host-based intrusion protection systems headquartered in Ottawa.
The flip side of this, O’Higgins said, is that the Canadian healthcare system lags behind its American counterpart.
O’Higgins said one factor that might be working against the U.S. government is its size. “For instance, our treasury board is very good at setting up IT policy standards that can be adopted throughout the government. That wouldn’t be as easy south of the border because a single U.S. department can be as big as our whole government.”
Canada’s “single player” system, however, can work against the healthcare sector, he added.
“As multiple companies are buying for peoples’ healthcare dollars in the U.S., hospitals and healthcare centres are pushed to roll out IT solutions in order to offer better services,” he said.
In general, Canada lags by 12 to 18 months behind the U.S. in technology adoption, according Info-Tech’s O’Neil.
Info-Tech said companies seeking to improve data protection should include the following in their IT security line-up: anti-malware products to guard against spam, viruses and spyware; wireless local area network security tools; online authentication tools; enterprise encryption software; end-point security devices; and intrusion detection products. Smaller companies should consider deploying unified threat management (UTM) devices that combine the functionality of firewalls, intrusion detection and prevention software and anti-malware in a box.
“UTMs are probably the wisest buys an IT manager can make,” according to the Info-Tech report.
The multi-function offering of UTMs might not be top of the line, “but for small environments, they’re the sweet spot right now.”