Some Canadian firms still think they won’t be targets of cyber attacks, conference told

Many Canadian organizations – particularly small ones – still wrongly think they aren’t in the sights of cyber attackers, says a major provider of business connectivity to small and medium businesses.

”There’s a sense of safety” that isn’t justified, Stewart Cawthray, general manager of network security for Rogers Communications’ enterprise business unit, told the annual Canadian Telecom Summit in Toronto on Tuesday.

Speaking on a panel on cyber security, Cawthray said corporate awareness of the threat is good among large organizations. Medium sized firms are where large ones were five years ago, he added in terms of investing in security technology.

Still, he noted that some customers still say ‘We’re not the target,’ Yet studies suggest 54 per cent of Canadian organizations have suffered a breach.

Perhaps he suggested, it’s because there are few reported breaches here. That will change, he predicted, when the mandatory data breach reporting law comes into effect for firms covered under the federal Personal Information Protection and Electronic Documents Act (PIPEDA).

Ottawa is now consulting with the private sector on disclosure regulations, but they aren’t expected to come into law until next year.

But several panellists also spoke of the importance of organizations getting over the shame of admitting they’ve been breached. Cawthray argued that organizations can be respected by the public if they face up to a problem and explain what is being done to reduce the risk of another breach. Om the other hand trying to hide a breach ends up losing customer trust.

(By coincidence the University of Calgary acknowledged this week it had to pay $20,000 after being struck last month by ransomware.)

And while some noted that large organizations such as Home Depot and Target have survived huge data breaches, panel moderator Scott Jones, assistant deputy minister for IT security at the Communications Security Establishment, charged with protecting sensitive federal data as well as being the country’s electronic spy agency, cited research that half of small companies suffering a breach don’t survive.

The session also got a small peek into the operations of the Communications Security Establishment (CSE) when Jones said his department blocks 100 million malicious acts a day.

On the other hand, Jones said “at the end of the day you’ll never win because the actors are very diverse,” ranging from nation states to script kiddies who have access to a wide range of tools that can hide their behaviour. At the moment , he conceded, all of the advantage is with attackers.

There was no shortage of advice on what has to be done. Kellman Meghu, Toronto-based head of data centre virtualization at Check Point Software, warned that “we’re not solving a technology problem. We’re solving a people problem. There’s no accounting for what people will do when attacking. So the appraoch (by enterprises) that ‘ We’re secure because we’re protected.’.makes for great marketing but they still have to manage their risks

“One thing I fear from a marketing perspective is is we (vendors) try to sell it off as easier than it is, and I think we need to be honest with customers: This is not easy, it’s hard. It’s not going to get easier but it’s not something we can ignore. We need to step up and do the work and use the tools for what they really are, not try to market them as a magic box. This is an ongoing thing has to be part of the infrastructure.”

Unfortunately, according to Darren Anstee, chief security technologist at Arbor Networks, many organizations are still talking about reducing the cost of security. “I very much wish it was about the value of security to the business, how it can differentiate the business, how it applies to various frameworks.”

The conversation has to change from a technology discussion to one of business outcomes, said Cawthray. Security has to be something organizations just do as part of normal operations, that it’s a risk management problem. Then technology decisions are more business-oriented.

The culture of organizations has to change, agreed Jennifer Blatnick, vice-president of cloud and enterprise product marketing at Juniper Networks. But, she added, when her firm surveys customers it finds security is still an afterthought. — and the proof is security is only 10 per cent of IT budgets. “Why wouldn’t you spend 100 per cent of your budget to protect 100 per cent of your budget?”

Meghu also suggested that user awareness training is a waste. “Trying to teach someone what a bad Web site is, forget it.” More important, he said, is teaching developers to write secure code.

There was also discussion on security in an era when organizations are increasingly moving to cloud computing. That means securing data — whether through encryption or tokenization or other techniques is vital, Cawthray said. Regardless of whether it’s in the cloud or on-premise, he added “if we have well-protected data it can live on insecure infrastructure and still operate.”

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now