George Edwards thought his company’s security measures were top-notch until the day a third-party assessor came in to test the steps ProPharm had taken to protect itself from attacks.
When the person sent by IBM Corp. to test the company’s security system walked unimpeded into ProPharm’s Markham, Ont.-based offices, there was a quick realization that not even basic physical security had been taken into account, said Edwards, a vice-president at the company, which supplies computer technology to pharmacies. And when the assessor asked who the chief security officer was, Edwards was once again at a loss.
“We were thinking we’re pretty good,” he said.
Edwards was speaking during a seminar held recently in Ottawa, where the results of an Ipsos-Reid study on Canadian CEOs’ attitudes towards security were announced.
He said the outside evaluation showed the company that there were many areas in which it could be improved.
ProPharm’s once ill-conceived approach to security isn’t that different from other Canadian companies. For most, security is only a secondary concern, said David Saffran, a senior vice-president and managing director at Ipsos-Reid.
In a survey of 250 CEOs, protecting the company from malicious attacks ranked fourth in a list of priorities behind reducing the company’s overall expenses, maintaining and building revenues, and hiring qualified staff.
This lukewarm approach to security could come at a cost. According to RCMP statistics, cybercrime is up 65 per cent from last year. And a large number of hacking events go unreported each year, as companies are afraid of going public with such information, said Sgt. Charles Richer, a team leader with the RCMP’s technological crime unit in Ottawa.
Cyberattacks have become more sophisticated since the days of Mafiaboy, Richer said, referring to the Canadian teenager who managed to shut down several high-profile U.S. Web sites in 2000. Though unable to go into details of the cases he’s investigated, Richer said in one denial-of-service attack, a company was losing $100,000 a day.
Theft of data is happening at a disturbing rate, he said. Smart card cloning through reverse engineering is also possible, if there isn’t enough security. “We’re investigating things that could have been prevented,” Richer said.
Although individual viruses aren’t as common as they once were, more worms are starting to appear, he added.
Many of the crimes originate internally: the attack is generated from within the network, or the victim knows the perpetrator.
Often, people are the weakest link. “Human issues are at the heart of the matter,” Richer said, which is why it’s essential to train and communicate with employees.
The Ipsos-Reid study also found that 46 per cent of CEOs reported being hit with a widespread infection by malicious software, and 20 per cent admitted to being hit by an external hacker in the past year.
To combat such attacks, it’s important to get an outside assessment of your security system while it’s still in the design phase, Edwards said.
ProPharm was forced to undergo such an assessment in order to comply with the Ontario government’s requirements.
As a supplier to pharmacies, the company is more aware of the importance of protecting confidential information than most companies, but this is something all organizations have to worry about, Edwards said.
Among the measures that IBM recommended to ProPharm was the creation of a “poison pill” for the Linux boxes at pharmacies. If a box is stolen and then used to connect to the ProPharm network through which insurance claims are validated, then not only will the connection be severed, but the computer will be sent a command to commit suicide.
Once the system was in place, ProPharm then had a third party test it through ethical hacking.
“You shouldn’t proofread your own work,” Edwards said.
Security a low priority
The potential threat of external or internal network attacks is only a “moderate priority” among Canadian mid-market CEOs, according to a recent Ipsos-Reid survey.
Protecting their corporate data and computer networks from an external or internal attack is a secondary consideration for the CEOs of most mid-sized Canadian companies, even though fewer than one in three feel their security measures are adequate, the report found.
Given the attention network security has been getting, the findings are a bit eye-opening, noted Chris Ferneyhough, vice-president of technology research for Ipsos-Reid in Toronto.
The survey reveals that CEOs of many mid-sized companies aren’t particularly conscious of company security, and aren’t investing in the necessary infrastructure that will protect their critical corporate assets, Ferneyhough noted.
Twenty per cent of respondents said an outside hacker had hit their networks in the past year, but 40 per cent said their organizations didn’t possess the intrusion detection systems necessary to determine if their networks have been attacked.
During the interview process, the study found CEOs seemed to become more aware of potential security threats. Initially, 48 per cent said their systems were “extremely secure” or “very secure,” but after answering questions about viruses, hackers and internal threats, less than one-third said their company’s security measures were very effective.
While most CEOs didn’t think it was a top business priority, three-quarters agreed that securing IT systems was a top IT priority, but 42 per cent said spending on IT was either frozen or lower than last year.
The Ipsos-Reid report interviewed 250 CEOs of companies in Canada with 100 to 500 employees, from July through September 2002.
– Ryan B. Patrick