Canadian government organizations are showing a “surprisingly” high level of confidence in their IT security systems, according to one Canadian IT analyst.
Four out of five organizations, including public sector entities, are confident that they have the necessary protection in place, according to David Senf, IDC’s director for Canadian security and software research.
“The confidence is up this year over last year, which is surprising given that these same organizations aren’t doing proper risk assessments so they don’t know what the value of their assets are nor do they know what protection they have in place to be able to defend those assets,” said Senf.
Senf is one of the speakers at the 2007 MISA (Municipal Information Systems Association) Security Conference, to be held in London, Ont. next week, and will be discussing perceptions and realities with regard to Canadian IT security.
“I think there is a false sense of confidence (on security) and governments need to take a step back and re-evaluate,” Senf said.
Like many Canadian enterprises, the public sector needs to do more in terms of evaluating its most important assets and putting in place technologies to protect those assets, he said.
The IDC analyst added that while security is a priority among government organizations, it’s not a top priority.
“Complexity is an issue,” Senf said. “The overconfidence comes from where we actually see spending in the past have occurred…which is antivirus, anti-spam, anti-spyware, firewalls and those technologies that deal with readily understood threats.”
There is, however, lower adoption of technologies that deal with “less-understood threats,” like identity and access management, he said. “The internal threats, which government needs to focus on, are not as well-managed as some of the external threats are because the internal threats are less-understood than the external threats.”
Although IT security is not the topmost priority for government spending, business continuity, which has a security component to it, is the government’s top investment priority this year, Senf said.
Keeping IT systems up and running in disaster situations has been a steadily increasing concern for the public sector, which is leading to storage and security technology purchases, Senf said.
“The challenge is that while governments have business continuity plans in place, those aren’t consistent across all departments and in some cases, they are even ad hoc. So more needs to be done in terms of broader business continuity planning and a large part of that is actually doing risk assessments,” he said.
Such risk evaluations would allow government organizations to determine what their most valuable assets are and put systems in place to protect those assets according to their value to the organization, said Senf.
Mary Kirwan, a Toronto-based IT security consultant, is also among the speakers at the MISA security event. Kirwan will be discussing the regulatory aspect of data protection.
Kirwan is expected to discuss the gaps between Canadian and international legislation, particularly in the U.S., pertaining to data breach disclosure laws. Breach disclosure legislation requires organizations to report data breaches that involve people’s personal information.
There is currently no such regulation in Canada, although the issue has been raised during the review of the Personal Information Protection and Electronic Documents Act (PIPEDA), said Kirwan.
Several U.S. states, on the other hand, have enacted breach disclosure laws.
“There’s an enormous gap between legislation here, or lack of it, versus what you can find particularly state by state in the U.S.,” Kirwan said.
She added that while governments have various disclosure requirements among themselves, “how effective they are is another matter.”
“Often the penalties here are non-existent,” she said. “Even if you’re governed by some of these statutes, you get a slap on the wrist from the (privacy) commissioner, and that is as bad as it gets.”