A recent Canada-wide survey reveals that not only are security attacks on the rise, but when it comes to network and denial-of-service (DoS) attacks, one-third of Canadian enterprises were hit from the inside.
The survey findings were revealed late last month at a CA Identity and Access Management (IAM) symposium held in Toronto. The event was co-sponsored with Bell Security Solutions Inc. (BSSI), an Ottawa-based network and information security provider. The report from Toronto-based research firm The Strategic Counsel is a cross-Canada survey of 240 organizations sponsored by Toronto-based security software vendor CA Canada Inc., a subsidiary of Islandia, N.Y.-based CA Inc.
According to the survey, 30 per cent of large Canadian firms note that internal breaches of network security are a huge issue, with 82 per cent of large firms actually reporting an identity breach within the past 12 months. The figure is up from 67 per cent in 2003.
Comparatively speaking, three years ago the percentage of Canadian firms plagued with network and denial-of-service (DoS) attacks was less than 15 per cent.
The survey also reported an increase in the number of internal security breaches Canadian organizations have dealt with in the past year: 30 per cent, up from less than 5 per cent three years ago.
But the survey also notes that the ability of enterprises to understand, detect and counteract attacks is on the rise, with 28 per cent of those polled looking at implementing an IAM solution within 18 months.
Warren Shiau, lead analyst at The Strategic Counsel, said that IAM tools can be instrumental in securing end-user admittance to enterprise applications and resources. But for Canadian firms, the critical factors in choosing an IAM tool revolve around ease of use, scalability and the ability of the software to integrate with existing network infrastructure, Shiau noted.
The survey also provided some compelling statistics around low investment in security and increased attacks: respondents who believed their security spending was too low reported a greater incidence of attacks than those who felt spending was adequate, particularly in the virus attack and internal breach categories. As in many IT spheres, Shiau noted there is perhaps a disconnect in executive awareness of cause and effect. “Although respondents identified public embarrassment as a key cost, this isn’t translating into executive recognition that lack of good security is a threat,” he said.
Roberta Witty, vice-president of the information security and privacy group at Stamford, Conn.-based Gartner Inc., said IAM practices should be an important component of every IT strategy in order to boost network security.
Gartner estimates that investment in IAM software identity management solutions will increase by 60 per cent by 2008. Witty noted that most IAM implementations are currently driven by regulatory and compliance requirements. Witty said that achieving true enterprise single sign-on (E-SSO) may be an impossible task. E-SSO, also known as legacy single sign-on, intercepts login prompts presented by secondary applications and automatically fills in fields such as a login ID or password. “Don’t aim for 100 per cent user/role assignment, 80 per cent is good enough,” Witty said.
Tom Moss, vice-president of technology at BSSI, said firms should not underestimate the amount of data in an IAM project. Some companies required data cleansing before they could proceed.