The Publication for Professional
Security Management

How to avoid a hack

Written by David Senf and Brian Bourne, September 30, 2008
Most Canadian businesses today will experience an IT security breach, which is why apathy is not an option. They cannot afford to become desensitized to the seemingly endless discussion of vulnerabilities and exploits.
In today’s landscape where defending against threats continues to be a high priority, the top issues facing the North American security industry include:

•    Rising complexity of hacking attacks
•    Developing best practices to cope with new technology
•    Privacy regulation and compliance
•    Lack of security awareness
•    Identity theft

In order to shield themselves, businesses must understand the threats they face and develop stronger corporate policies.

However, according to recent research from IDC, only half of Canadian firms have acceptable use policies (AUP) in place for their employees to follow. Further, only one in three firms communicate these policies with any frequency.

Another survey that polled attendees of the SecTor (Security Education Conference Toronto) conference in Toronto — which attracts leading members of Canada’s IT Security community — echoed IDC’s findings. Respondents expressed concern over a lack of strong management leadership and employee security knowledge.

Rising complexity of hacking attacks

Despite this complacency, corporate attackers continue to devise crafty and ingenious ways of exploiting enterprise infrastructure flaws.

Today’s attackers are becoming much stealthier and can often bypass security without even utilizing sophisticated technology. Many have even adopted no-tech hacking tactics — a phrase coined by professional hacker Johnny Long — such as shoulder surfing, Google hacking, vehicle surveillance and dumpster diving.
But it’s the more innovative security attacks that rely on emerging technology that have fostered an open discussion about the need for best practices. One emerging technology that requires more attention is Radio Frequency Identification Devices (RFID). Most companies do not understand the extent of RFID security risks, and thus do not have adequate protection from attacks associated with its use. This has not slowed RFID adoption and companies will need to develop education strategies and best practices to mitigate many potential security breaches.

Whether stored on laptops, USB keys or on the back end, companies need to ensure that data — should it land in the wrong hands — is not accessible. With looming underground security threats such as identity theft, spamming, phishing and corporate espionage, combined with the often overlooked “insider threat,” companies cannot afford to have lax security practices or policies.


Need for training
Very large organizations in already heavily regulated industries have likely spent significant time and money working to address security issues. Legislation such as the Canadian Privacy Act and the Personal Information Protection and Electronic Documents Act (PIPEDA) is a positive first step in providing the impetus for companies and government to bolster IT security, but much more still needs to be done. And too many organizations are mistakenly convinced that they already have the necessary protection in place.
Last modified on September 30, 2008
