Canadian Security Magazine

Information exodus: when layoffs mean data leakage

Neil Sutton   

Employees are being let go in droves as companies attempt to weather the continuing economic downturn, but an unintended consequence of all the layoffs is a near-catastrophic impact on IT security.

According to a study released Tuesday by Telus and the Rotman School of
, annual breach costs for Canadian businesses have almost
doubled in the last year from $423,469 to $839,149 per organization. A
key contributor to this growth is the number of employees, dismissed
from their jobs, who take valuable data with them.

“As job losses mount, the threat to the environment rises,” says Walid
Hejazi, a professor of business economics at the Rotman School and one
of the co-authors of the report, Rotman — Telus: Joint Study on
Canadian IT Security Practices. The study polled about 50 participants
in nine focus groups across Canada, focusing on organizations with 100
or more employees.

This is the second annual study for Rotman and Telus. The organizations
undertook the study to provide Canadian businesses with relevant
domestic data. Too often, says Hejazi, Canadian businesses get their IT
security information from U.S. sources. But Canada has a very different
threat landscape from the U.S. — government, health care, financial
systems and privacy regulation are all handled very differently up here.

“As a business professor at the Rotman School, (I say) we need to
develop clarity. It’s very, very important that information be allowed
to flow.”

Despite the rise in challenges to security due to the economic
downturn, preparedness on the part of Canadian businesses has not risen
commensurately, says Hejazi.

The fastest growing IT security threats are: unauthorized access of
data by employees; the prevalence of bots; and theft, often of laptops
or mobile devices that are left unattended or are improperly secured.
The biggest concerns, according to the Rotman-Telus report, are: damage
to brand reputation; time lost to cleaning up breaches; customers lost;
facing regulatory action; and facing litigation.

Throwing money at the problem, i.e. increasing security budgets, can
help, says Alan Lefort, managing director of Telus Security Labs,
provided that money is invested wisely. According to the report,
Canadian companies best equipped to deal with security spent 15 per
cent of their IT budgets on it. The average is seven per cent, says
Lefort. At those levels, companies are struggling to keep up.

But money isn’t the only, or even the best remedy, says Lefort. There’s
a tendency to think that investing in IT security is enough to avoid
the potential pitfalls, and also a pervasive mindset that the biggest
threats are malware like viruses and Trojans. But that’s the “nuisance
stuff,” says Lefort. “It’s not the type of threat that has intent or

It’s targeted attacks aimed at specific data that organizations should
be mindful of. “A fundamental mindshift needs to occur,” he says. “You
can be a target.” Smaller companies may actually be more of a target
than larger ones because of perceived or actual weakness.
“Organizations need to come to terms with that. This is now the medium
of organized crime.”

There are steps that can be taken that would have minimal impact on
budgets but pay dividends when it comes to strengthening IT security.
Education of workforce and measurement of security objectives, for
example, are paramount when it comes to enforcing security, but both
are often glossed over by Canadian companies.

According to the Rotman-Telus study, companies that applied business
metrics to IT security effectiveness increased its perceived value for
47 per cent — that can have a dramatic impact on raising the profile of
security in an organization and may help secure more dollars for
security when budget time rolls around.

Measurement is also important for companies that choose to outsource
their security needs. Outsourcing has remained constant during the
recession, but companies should become experts in their own security
needs before turning over the reins to an outside party, says Lefort.
“If you want to delegate something to someone else, you should probably
know how to do it yourself.”

Measuring the effectiveness of an outsourcing partner is key, he says,
and companies that do handle security outsourcing diligently are likely
to experience a smaller number of breaches. According to the study, 60
per cent of companies polled said they are willing to outsource
security operations.

Education and strong leadership may be the most important factors when
it comes to maintaining security, according to Cisco Systems director
and senior advisor for corporate security programs, Christopher Burgess.

Burgess says his company is “blessed” to have a leader like John
Chambers, the company’s chairman and CEO, because he places such a high
value on security. “If you don’t have leadership, you will encounter
the equivalent of pushing a noodle up Mount Everest with your nose.”

Every person from Chambers down to entry level is responsible for the
organization’s security, says Burgess, and must agree to abide by the
company’s code of business conduct.

Employees are a company’s greatest strength “but also your greatest
weakness.” People are “random access device,” acting in unpredictable
ways, exposing a company to security dangers either by design or more
likely carelessness or lack of foresight.

Cisco’s education program offers positive messages, says Burgess. The
emphasis is not on schooling employees on what not to do, but how to
respond effectively to certain situations. If an employee is confronted
with a tailgater, i.e. someone who follows them into a secure area
without using the appropriate pass, it is that employee’s
responsibility to act appropriately and direct the tailgater to a
security desk. Cisco developed a script that employees can follow if
they find themselves in that situation so they are prepared and can
defuse any discomfort the situation might create.

Cisco also runs a rewards program for non-security employees that
demonstrate security diligence. Cash rewards and plaques are handed out
twice a year.

Security is a three-legged stool, says Burgess, made up of process,
technology and people. Without strength in each of those areas, the
stool will fall over.
