Refraining from opening e-mail attachments from unknown senders is the number one way companies can stop the spread of viruses and worms. But evidence from a survey by AT&T and the Economist Intelligence Unit (EIU) shows that 78 per cent of top-level employees surveyed, ranging from board members to CEOs and CIOs, plead guilty to double-clicking on unknown files.
Ironically, the same survey, Network Security: Managing the risk and opportunity, released Thursday, also showed that 92 per cent of the same executives pinpointed these very same viruses and worms as the most significant security threat faced by their network.
But Tom Slodichak, CSO with WhiteHat Inc., doesn’t think the number is too surprising, even though the survey respondents are the executives responsible for security. “Human error…that is the extent of the threat, that is why it is so dangerous,” he said. “The whole idea is that you want to remove [human error] from the equation” by having an antivirus solution in place that keeps all malicious content out of the e-mail inbox.
AT&T and EIU surveyed 254 executives from around the globe. Twenty-seven per cent hailed from North America, 40 per cent from Europe, 21 per cent from Asia-Pacific, eight per cent from Latin America, three per cent from the Middle East and Africa and one per cent from elsewhere.
Canadian companies’ security savviness stood out in particular. Of note, Canuck firms are more likely to have chief security officers (CSOs) and pay more attention to network security issues, the results from the survey indicated.
In fact, 87 per cent of Canadian executives surveyed rate security as their number one concern compared with 78 per cent worldwide.
“I think it is getting a lot of attention,” Slodichak said. “I see no evidence that it is getting a lot of funding.”
Additionally, 16 per cent of Canadian respondents said their firms had established CSO positions, compared with 10 per cent globally.
However, Chris Byrnes, senior vice-president and security practice lead at the Meta Group Inc. in La Jolla, Calif., said the CSO numbers are a little low. By his estimation, about 30 per cent of North American companies — with Canada leading the U.S. by only a few percentage points — have CSOs or chief information security officers (CISOs), a higher proportion than their European and Asian counterparts. He also said an additional 30 per cent of North American companies have employees dedicated to the practice of network security but don’t have a C-level executive at the helm.
Richard Reiner, CEO of FSC Internet, a Toronto-based security company, said “there are a considerable number of Canadian companies without such a (CSO-type) role defined.” When asked if he thought 16 per cent of Canadian companies have a C-level executive at the helm of security he said, “I wouldn’t have said so.”
Slodichak agrees that the number seems a little high for Canada, but it does not surprise him that it is higher than in the U.S. Canada has fewer but larger companies in many industries, such as banking, he said. In the U.S. there are thousands of small banks. “Do they have a CSO? No.”
But Reiner’s bigger concern is that 54 per cent of respondents said security policies are in the hands of the CEO, CFO or CIO. Beyond the possibility of a conflict of interest (delivering an application to users versus securing it), Reiner said, “they have other things to do.”
“To have it roll all the way up to a CEO or CFO really means that there is no executive with a focus in that area (security).”
Though Slodichak agrees in principle, he said one can’t forget that “the CEO is where the buck stops, so that is (ultimately) where the policies have to be yea or nayed.”
Canada’s minute lead over the U.S. is a result of Canada’s stricter privacy legislation, Byrnes said, but with new regulatory requirements such as Sarbanes-Oxley cropping up south of the border, the gap is closing.
On security issues, he said, Europe runs about 12 to 18 months behind North America, and Asia-Pacific takes two years to catch up, but these time lags are shortening.
Though network security is now at the top of the list, Reiner said, it is by no means the only major concern in the network domain. Availability, reliability and business continuity are “all very much works in progress,” he said. “All we have to do is look at what happened at the Royal Bank…and that is a company with a sophisticated system” in place.