On the heels of the federal privacy commissioner’s scathing report on corporate data security, a new national survey of Canadian IT security executives has found that the loss of confidential information and intellectual property has doubled over the past two years.
The survey, commissioned by CA Canada, indicated that more than 20 per cent of enterprises reported a loss of private data as a result of security attacks and breaches, up from 10 per cent two years ago. The proportion of companies reporting loss of intellectual property also rose, from eight per cent in 2006 to 16 per cent in 2008. The report polled 200 senior IT executives in a random sample of major Canadian enterprises.
Renee LaLonde, regional vice-president at CA Canada, called the findings alarming, even though many high-profile data breaches have made headlines over the last several years. The most surprising finding, she said, was that one-third of survey respondents cited internal security breaches as the biggest threat – compared with less than five per cent in 2003. “Threats and security breaches are evolving and it’s to the point where internal breaches constitute the biggest concern,” LaLonde said. “For the most part, enterprises have the right tools for virus attacks, network attacks, and keylogging, but the internal breaches need to be tackled.”
James Quin, senior security analyst at London, Ont.-based Info-Tech Research Group, said he was unsurprised at the survey findings and attributed the results to the increasing sophistication of the cyber criminal community. He also said that, unlike several years ago, companies have begun classifying internal security lapses as a data breach in itself.
“Virus and malware are tailing off in severity, whereas the more targeted attacks are increasing in severity,” he said. “As for internal security breaches, it’s important to note that it isn’t always a malicious action and in most cases is a result of human error. Previously, organizations would only look at classifying breaches as a result of a malicious attack, but now they are beginning to realize that when Bob from accounting loses a disk drive, it’s a data breach that needs to be reported.”
According to LaLonde, critical to successfully combating security attacks – whether internal or external – is a willingness to invest in identity and access management (IAM) solutions and to establish a more transparent relationship with prospective customers.
“It’s about letting your customers know about your best practices, how to address security and lock down consumer data,” she said. “If you’re posting your best practices on the Web and talking to your customers about how you feel about security, it will make them feel good about doing business with you. Honesty is the best policy, so when an organization does suffer a breach, working with your customers to disclose that information will allow them to be more confident to work with you in the future.”
But recent findings from Privacy Commissioner of Canada Jennifer Stoddart seem to suggest that most companies lack any of these basic privacy and security measures.
“Too often, we see personal information compromised because a company has failed to implement elementary security measures such as using encryption on laptops,” Stoddart wrote in her annual report on the Personal Information Protection and Electronic Documents Act (PIPEDA).
The commissioner also found that almost nine in 10 people affected by a self-reported breach – such as a misplaced tape drive or laptop – were put at risk because their personal information was held in an electronic format that was either not secured or lacked adequate protection mechanisms such as firewalls and encryption.
These findings have even led to some wishful thinking from security analysts such as Quin, who hopes the government will push encryption even further.
“It’s difficult for the government to come out and say which technologies to use, because they would appear to be advocating for certain commercial enterprises, but I wish they would in the case of encryption,” Quin said. “As a security professional, I wish they would just come out and say that it is mandatory that companies use encryption.”
And while Quin realizes the idea is far-fetched, he said that making breach reporting mandatory – which the privacy commissioner has hinted at in the past – would be the next best thing.
“It’s something that you can back up and the government can enforce it with stiff penalties,” he said. “If they did this, enterprises would have to report their breaches and be forced to implement better systems and tools to ensure they eliminate them from occurring in the first place. So, I see it as a kind of backdoor way of enforcing the use of certain technologies, like encryption.”