Though there’s more awareness of the security threats out there in cyberspace, the loss of confidential information and intellectual property has managed to double over the past two years.
According to the CA Canada 2008 Security and Privacy Survey, more than 20 per cent of organizations reported a loss of confidential information as a result of security attacks and breaches this year, up from 10 per cent in 2006, while loss of intellectual property doubled from eight per cent to 16 per cent.
“The nature of security threats is what’s changing,” says Renee Lalonde, vice-president of CA Canada.
In the past we saw a lot of malware, phishing and keylogging attacks. Now we’re seeing an increase in internal breaches, mainly from employees and ex-employees. Five years ago, less than five per cent of survey respondents identified internal breaches as a key security challenge – this jumped to 30 per cent in 2006 and 33 per cent in 2008. Eighty-six per cent of large Canadian organizations said they suffered an identified security attack in the past 12 months, and of those, 17 per cent reported lost revenue, customers or other tangible assets as a result.
“The adoption of an enterprise security strategy is very complex,” says Lalonde. “It’s a maturing market and it’s an evolving market.” Organizations are now focusing on where a breach is going to come from – how to address it and how to keep their security strategy evolving. And this is where an Identity and Access Management (IAM) strategy fits in.
IAM solutions are a key area of investment, according to the survey, and 50 per cent of Canadian organizations not currently using an IAM solution plan to roll one out within the next 12 to 18 months. What that does, said Lalonde, is automate employee access privileges. If an employee working in HR moves over to the marketing department, for example, those HR access privileges need to be revoked and new ones – based on the new role – activated.
“It increases controls, it reduces risk and makes them more secure in terms of protecting their corporate data,” she says.
But IAM is not problem-free. Sixty per cent of survey respondents, for example, felt that central management and enforcement of policies that ensure audit and legal requirements are met was a problem for their organization, while 59 per cent felt that the creation, enforcement and certification of role-based access was problematic.
Securing the right budget is also paramount to an organization’s success; 40 per cent felt that their security budget was too low, and only 36 per cent felt confident they could protect their corporate data.
“There’s a lot of good work going on out there,” says Lalonde. “We just need to continue with augmenting the strategies they’ve put in place.”
According to the survey, 70 per cent of companies have already adopted some form of a security strategy. “We’ve seen that companies who invest more certainly suffer less,” she says.
Despite this, the number of data breaches that involve sensitive and confidential user information is staggering, said James Quin, senior research analyst with Info-Tech Research Group. And, in a lot of cases, it’s something that could very easily be avoided.
“When you look at the nature of most of the breaches, the vast majority of them would have been really easy to avoid because the vast majority are still loss of backup tapes and loss of laptop computers,” he says.
To protect against that, organizations should be using encryption – that way, when tapes go missing, or when laptops are stolen, the data on them is inaccessible. In most cases the problem has to do with human error, rather than security systems being set up insecurely, although that was the case with TJX (owner of Winners/Homesense), which suffered a major data breach last year.
“But TJX was aware of that — they’re on record as knowing that their security was insufficient and hoping that they just wouldn’t get caught,” says Quin. “Even then it can be chalked up to human error in that they knew there was a problem and they did nothing about it.”
Organizations should also have more rigorous internal processes in place, and that comes down to separation of duties. “It’s a pretty fundamental principle in security in that by separating a job, it becomes significantly more secure, because if a user makes an error, the second person is likely going to check it,” he says. So it’s that much harder to steal information or accidentally lose it. But there’s still a big sense of apathy out there and an unwillingness to spend more money.
Some managers, for example, would rather cram many jobs into one than have to hire more staff in order to have a segregation of duties.
“That’s a very short-term outlook because ultimately the cost of a breach is way more than the cost of the security solution,” says Quin.
It’s estimated the TJX breach, for example, could cost up to $1 billion by the time everything is said and done. The answer, he said, could come down to legislation.
“Businesses have shown for the most part if you’re not going to force me to spend the money, I’m not going to spend it,” he says. “We need to move toward mandatory breach notification and back it up with significant penalties so not reporting a breach costs you more than reporting it.”
Last modified on June 16, 2008