Many Canadian organizations – particularly small ones – still wrongly think they aren’t in the sights of cyber attackers, says a major provider of business connectivity to small and medium businesses.
“There’s a sense of safety” that isn’t justified, Stewart Cawthray, general manager of network security for Rogers Communications’ enterprise business unit, told the annual Canadian Telecom Summit in Toronto on Tuesday.
Speaking on a panel on cyber security, Cawthray said corporate awareness of the threat is good among large organizations. Medium-sized firms are where large ones were five years ago in terms of investing in security technology, he added.
Still, he noted, some customers say ‘We’re not the target.’ Yet studies suggest 54 per cent of Canadian organizations have suffered a breach.
Perhaps, he suggested, it’s because there are few reported breaches here. That will change, he predicted, when the mandatory data breach reporting law comes into effect for firms covered under the federal Personal Information Protection and Electronic Documents Act (PIPEDA).
Ottawa is now consulting with the private sector on disclosure regulations, but they aren’t expected to come into law until next year.
But several panellists also spoke of the importance of organizations getting over the shame of admitting they’ve been breached. Cawthray argued that organizations can be respected by the public if they face up to a problem and explain what is being done to reduce the risk of another breach. On the other hand, trying to hide a breach ends up losing customer trust.
(By coincidence the University of Calgary acknowledged this week it had to pay $20,000 after being struck last month by ransomware.)
And while some noted that large organizations such as Home Depot and Target have survived huge data breaches, panel moderator Scott Jones, assistant deputy minister for IT security at the Communications Security Establishment, charged with protecting sensitive federal data as well as being the country’s electronic spy agency, cited research that half of small companies suffering a breach don’t survive.
The session also got a small peek into the operations of the Communications Security Establishment (CSE) when Jones said his department blocks 100 million malicious acts a day.
On the other hand, Jones said “at the end of the day you’ll never win because the actors are very diverse,” ranging from nation states to script kiddies who have access to a wide range of tools that can hide their behaviour. At the moment, he conceded, all of the advantage is with attackers.
There was no shortage of advice on what has to be done. Kellman Meghu, Toronto-based head of data centre virtualization at Check Point Software, warned that “we’re not solving a technology problem. We’re solving a people problem. There’s no accounting for what people will do when attacking. So the approach (by enterprises) that ‘We’re secure because we’re protected’ makes for great marketing, but they still have to manage their risks.
“One thing I fear from a marketing perspective is we (vendors) try to sell it off as easier than it is, and I think we need to be honest with customers: This is not easy, it’s hard. It’s not going to get easier but it’s not something we can ignore. We need to step up and do the work and use the tools for what they really are, not try to market them as a magic box. This is an ongoing thing has to be part of the infrastructure.”
Unfortunately, according to Darren Anstee, chief security technologist at Arbor Networks, many organizations are still talking about reducing the cost of security. “I very much wish it was about the value of security to the business, how it can differentiate the business, how it applies to various frameworks.”
The conversation has to change from a technology discussion to one of business outcomes, said Cawthray. Security has to be something organizations just do as part of normal operations, treated as a risk management problem. Then technology decisions are more business-oriented.
The culture of organizations has to change, agreed Jennifer Blatnick, vice-president of cloud and enterprise product marketing at Juniper Networks. But, she added, when her firm surveys customers it finds security is still an afterthought, and the proof is that security is only 10 per cent of IT budgets. “Why wouldn’t you spend 100 per cent of your budget to protect 100 per cent of your budget?”
Meghu also suggested that user awareness training is a waste. “Trying to teach someone what a bad Web site is, forget it.” More important, he said, is teaching developers to write secure code.
There was also discussion on security in an era when organizations are increasingly moving to cloud computing. That means securing data, whether through encryption or tokenization or other techniques, is vital, Cawthray said. Regardless of whether it’s in the cloud or on-premise, he added, “if we have well-protected data it can live on insecure infrastructure and still operate.”