Despite pronouncements by Canadian companies that IT security is a top priority, local firms continue to be slow in implementing defensive measures, according to a recent survey.
Seventy nine per cent of the businesses surveyed by market research firm Televerde of Phoenix, Ariz. indicated that IT security is of critical importance to their organization.
Yet 69 per cent have no IT security initiatives planned for this year, although 31 per cent of the respondents experienced at least one security breach within the past six months.
Ninety-six per cent of those that claimed security was a high priority reported at least one “unresolved technical security issue.”
The Channel Management International Inc. (CMI) , an Ottawa-based consultancy firm for technology resellers and marketers, commissioned the survey of 100 tech professionals for a paper titled the Canadian Security Technology Readiness Intelligence Report.
The survey queried IT managers, directors and senior executives from various industries on topics such as security breaches, regulatory compliance, technology spending priorities, as well as wireless and Web-based security issues.
It is “reassuring” that a majority of the firms place security at the top of their priority list but “many Canadian companies are not prepared to withstand a breach,” said Karen Letain, president of CMI.
“Most people are still looking for basic solutions such as anti-virus software when they should be considering more sophisticated security systems.”
Both Letain and Steve Brining, business development director for Televerde, said Canadian firms lag those in the U.S. in IT security implementation.
Brining attributed this to the prevalence of small and medium-scale businesses (SMBs) in Canada, which he typified as being “less responsive to adopting security technology and policies.”
Previous surveys by other organizations have noted sluggish technology spending on the part of Canadian SMBs.
The head of a Canadian coalition of technology firms said failure to take security issues seriously could have negative repercussions with international transactions.
“The degree to which we implement best security practices will determine the effectiveness of our marketing strategies,” said John Reid, president of the Canadian Advanced Technology Alliance (CATA), headquartered in Ottawa.
“Other countries will be looking at how we meet their standards. If we don’t measure up, that will be a negative point.”
The Televerde survey also pointed to wireless security as an emerging security challenge for most organizations.
Sixty-eight of the 100 firms have a wireless infrastructure in place, while about 49 per cent of these companies rated security concerns surrounding wireless technology as a high priority.
One Wi-Fi specialist said the prevalence of uncontrolled wireless devices that are able to access a network tends to increase that network’s vulnerability.
“With a locked-down end-to-end network, security can be easily handled. It is in environments such as corporate or public Wi-Fi networks where a variety of devices can gain access that security becomes difficult,” said Richard Belzil, director of Wireless City , Alberta’s municipal WiFi technology development program.
E-mail spam was another area of major concern that the survey spotlighted. More than 75 per cent of the firms reported that unwanted mail was a “growing challenged. One out of three companies plan to upgrade or implement and anti-spam solutions.
One Canadian IT industry analyst said budgetary constraints and a lack of “stringent” regulatory guidelines not lack of awareness are the major reasons behind the lethargic pace of security implementation.
“It’s not lack of awareness but a [reluctance] to spend money that is the biggest reason why many Canadian firms lag in security implementation,” said James Quin, senior research analyst with London, Ont-based InfoTech Research Group Inc.
He said SMBs, which make up the majority of Canadian businesses, have less money to operate with and “therefore have to be careful with their budget.”
These firms, Quin added, might be hesitant to pursue a security initiative until some clearer directive from an industry regulatory body or the government is available.
The survey said 55 per cent of the companies reported that compliance was a key driver in their security decisions.
However, Quin said, although legislation such as Ontario’s Bill 198 , the Canadian counterpart of the U.S. Sarbanes-Oxley Act, and Personal Information Protection and Electronics Documents Act (PIPEDA) “push for the adoption of better security measures” there is a need to “ramp up the creation of tougher rules and penalties”.
In the past, other industry insiders have complained that existing Canadian IT security and privacy legislation had “no teeth”.
But this, Quin pointed out, is no excuse. “If a company says security is a top priority then why not spend on it?”
“It appears that a large number of firms are merely paying lip service to security,” Quin said