There isn’t a more searing “hot button” than security when it comes to business technology.
Few topics get as much mass airplay or attention from vendors, customers and people in general. Judging by the noise surrounding IT security, you’d assume every business in Canada was zealously plugging up the many seeping cracks that seem to form relentlessly within corporate networks, in an effort to fend off viruses, worms, trojans, spam, spyware, phishing scams, and an assortment of other bizarrely named intrusions and digital corruptions.
The reality is quite the opposite.
Truth be told, most Canadian companies and institutions do a pretty lousy job of keeping the cyberwolves at bay.
Even our own government can’t seem to get security right. Last week, auditor general Sheila Fraser, in a federal government report tabled in the House of Commons, stated that senior officials within departments and agencies have failed to minimize the IT security risk to which the government is exposed. According to Fraser, the feds can’t even meet their own minimum standards for IT security, and she characterized the current state of affairs as “unsatisfactory.”
Fraser’s audit suggests the government’s various agencies and departments haven’t even properly assessed security risks – meaning they haven’t figured out what vulnerabilities exist within IT, where attacks may occur, and how serious the impact of a breach might be. She further cited specific IT security weaknesses of particular concern, which included poor access control to sensitive data and programs, as well as inadequate network security.
“It means government systems and the sensitive data they hold are vulnerable to security breaches,” Fraser concluded.
If they conducted a similar examination of their digital defences (or lack thereof), most Canadian businesses – particularly those of the small/medium variety – would likely conclude the same thing. The government’s security problem isn’t much different from that of most Canadian businesses. IT security concerns are so numerous and exist in so many areas that few companies know where to begin, let alone what to do.
Like the government, many Canadian companies are highly vulnerable to IT breaches of various sorts, any one of which could be potentially disastrous. But when it comes to investing in IT security, companies tend to do only as much as they feel they have to and not a whole lot more.
Interestingly, this view contrasts with comments made by John Thompson, the chief executive officer of Symantec Corp., a provider of IT security technology such as anti-virus software. Thompson, during a speech at an Empire Club of Canada lunch in Toronto’s Royal York Hotel last week, asserted that security is among the highest areas of spending in IT.
He must be thinking of some other country.
The truth is that security still ranks among the lowest areas of IT investment among most Canadian businesses, more often than not languishing far down the list of corporate IT priorities.
It’s been that way for a long time. The Canadian government spends about 3 per cent of its IT budget on security. In my experience, it’s fair to say most Canadian businesses are either in line with that figure or spending proportionately less.
There are at least two issues at play that may explain things. One is that companies are not inclined to invest in something they understand little about. That’s probably why the Canadian government is spinning its wheels when it comes to IT security. It seems pretty clear that the government can’t get a handle on what’s at risk, let alone what needs to be done.
Secondly, too many businesses are cavalier when it comes to security, believing they are not at risk – or at least not to a degree that would justify a more comprehensive security strategy and greater investment.
But the bigger problem is actually less about dollars and more about sense – good sense.
Symantec’s John Thompson, in a press scrum after his speech, made the point that changes in human habits would have a tremendous impact. The greatest security risk, most experts agree, stems from people who behave foolishly and in a way that puts their companies at risk. These folks need to be educated, Thompson said.
Absolutely. Businesses must make employees aware of the things they do that compromise the safety of data and computing systems, and help them understand how to avoid that risky behaviour. And awareness campaigns don’t have to mean sending every employee on a formal security course. They can involve simple things such as getting administrators to minimize the number of people with access to systems, telling employees not to visit questionable websites or open unsolicited e-mail and attachments, encouraging staff to change passwords regularly, mandating difficult passwords or random combinations of letters and numbers, and making it an office taboo to write passwords on sticky notes pasted near the computer.
“It is only through repetitive, thoughtful cajoling and counselling that we’re going to get the society that we live in more aware of what they should and shouldn’t do,” Thompson said, during an interview.
Proof of education’s power to change attitudes is seen in many areas – campaigns that have reduced forest fires, decreased the smoking population, and increased the use of seat belts, Thompson said.
“In each of those three incidents, government played a role in raising [public] awareness and consciousness about threats that were there,” he said. “I would argue [there] is an important role for government now around information security awareness.”
I’m suggesting that both government and industry work in conjunction to promote, through awareness campaigns, the importance of safe computing, by highlighting the costs, dangers and other risks of unsafe computing behaviour. As Thompson rightly pointed out, government can’t do it alone. Industry and business have an equally important, if not more important, role to play in effecting a major attitude adjustment when it comes to improving IT security.
Education is a good place to start, if yours is a company that hasn’t done much on the IT security front. The technology part of crafting a comprehensive risk-minimized computing environment can be extremely complex, which is often why many businesses quit before they even start. But simply creating a burning desire among employees to practice safe IT can help any company figure out what it really needs to do to make the technology that runs its business more secure.
— This article appeared in The Globe and Mail on February 24, 2005.