Loss of confidential data doubles in two years
By Vawn Himmelsbach
Even though there’s more awareness of cyberspace security threats, the loss of confidential information and intellectual property has doubled over the past two years.
According to the CA Canada 2008 Security and Privacy Survey, more than 20 per cent of organizations reported a loss of confidential information as a result of security attacks and breaches this year, up from 10 per cent in 2006, while loss of intellectual property doubled from eight per cent to 16 per cent.
“The nature of security threats is what’s changing,” says Renee
Lalonde, vice-president of CA Canada. In the past we saw a lot of
malware, phishing and keylogging attacks. Now we’re seeing an increase
in internal breaches, mainly from employees and ex-employees.
Five years ago, less than five per cent of survey respondents
identified internal breaches as a key security challenge; this jumped
to 30 per cent in 2006 and 33 per cent in 2008. Eighty-six per cent of
large Canadian organizations say they suffered an identified security
attack in the past 12 months, and of those, 17 per cent reported lost
revenue, customers or other tangible assets as a result.
“The adoption of an enterprise security strategy is very complex,” says
Lalonde. “It’s a maturing market and it’s an evolving market.”
Organizations are now focusing on where a breach is going to come from,
how to address it and how to keep their security strategy evolving.
And this is where an Identity Access and Management (IAM) strategy fits
in. IAM solutions are a key area of investment, according to the
survey, and 50 per cent of Canadian organizations not currently using
an IAM solution plan to roll one out within the next 12 to 18 months.
What that does, says Lalonde, is automate employee access privileges.
If an employee working in HR moves over to the marketing department,
for example, those HR access privileges need to be revoked and new ones
, based on the new role, activated. “It increases controls, it reduces
risk and makes them more secure in terms of protecting their corporate
data,” she says.
But IAM is not problem-free. Sixty per cent of survey respondents, for
example, felt that central management and enforcement of policies that
ensure audit and legal requirements was a problem for their
organization, while 59 per cent felt that the creation, enforcement and
certification of role-based access was problematic.
Securing the right budget is also paramount to an organization’s
success; 40 per cent felt that their security budget was too low, and
only 36 per cent felt confident they could protect their corporate data.
“There’s a lot of good work going on out there,” says Lalonde. “We just
need to continue with augmenting the strategies they’ve put in place.”
According to the survey, 70 per cent of companies have already adopted
some form of a security strategy. “We’ve seen that companies who invest
more certainly suffer less,” she says.
Despite this, the number of data breaches that involve sensitive and
confidential user information is staggering, says James Quin, senior
research analyst with Info-Tech Research Group. And, in a lot of cases,
it’s something that could very easily be avoided.
“When you look at the nature of most of the breaches, the vast majority
of them would have been really easy to avoid because the vast majority
are still loss of backup tapes and loss of laptop computers,” he says.
To protect against that, organizations should be using encryption:
that way, when tapes go missing, or when laptops are stolen, the data
on them is inaccessible.
In most cases the problem has to do with human error, rather than
security systems being set up insecurely, although that was the case
with TJX (owner of Winners/Homesense), which suffered a major data
breach last year. “But TJX was aware of that; they’re on record as
knowing that their security was insufficient and hoping that they just
wouldn’t get caught,” says Quin. “Even then it can be chalked up to
human error in that they knew there was a problem and they did nothing
Organizations should also have more rigorous internal processes in
place, and that comes down to separation of duties. “It’s a pretty
fundamental principle in security in that by separating a job, it
becomes significantly more secure, because if a user makes an error,
the second person is likely going to check it,” he says. So it’s that
much harder to steal information or accidentally lose it.
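Quin's separation-of-duties principle has two enforceable halves: no single account should hold both parts of a conflicting pair of duties, and a sensitive action should need a second person who is not the requester. The block below is an added example, not Info-Tech's or anyone else's code; the duty names and the conflicting pairs are constructed placeholders, and the approval workflow is a deliberately minimal model of the "second person checks it" control.

```python
"""Separation of duties: static conflict check plus two-person approval.

Added example with a hypothetical duty catalogue.
"""

# Constructed conflicting-duty pairs: an account holding both halves could
# complete a sensitive action with nobody else looking.
CONFLICTING_DUTIES = [
    ("vendor:create", "payment:approve"),
    ("backup:export", "backup:approve_transfer"),
]


def sod_violations(entitlements: set) -> list:
    """Static check: which conflicting pairs does one account hold?"""
    held = set(entitlements)
    return [pair for pair in CONFLICTING_DUTIES if set(pair) <= held]


class ApprovalRequest:
    """A sensitive action that is not executed until a second person approves."""

    def __init__(self, action: str, required_duty: str, requester: str):
        self.action = action
        self.required_duty = required_duty  # entitlement the approver needs
        self.requester = requester
        self.approver = None
        self.log = [("requested", requester)]

    @property
    def approved(self) -> bool:
        return self.approver is not None

    def approve(self, approver: str, approver_entitlements: set) -> tuple:
        """Dynamic check at approval time.

        Returns (ok, reason). Denials are logged rather than silently
        dropped, because repeated self-approval attempts are worth seeing.
        """
        if self.approved:
            return False, "already approved"
        if approver == self.requester:
            self.log.append(("denied", approver, "self-approval"))
            return False, "self-approval not permitted"
        if self.required_duty not in approver_entitlements:
            self.log.append(("denied", approver, "missing duty"))
            return False, f"approver lacks {self.required_duty}"
        self.approver = approver
        self.log.append(("approved", approver))
        return True, "approved"


if __name__ == "__main__":
    # Constructed accounts for the demonstration.
    accounts = {
        "alice": {"vendor:create", "crm:read"},
        "bob": {"crm:read"},
        "carol": {"payment:approve"},
        "dave": {"vendor:create", "payment:approve"},  # conflicting
    }
    for user, ents in accounts.items():
        if sod_violations(ents):
            print(f"{user} holds conflicting duties: {sod_violations(ents)}")
    req = ApprovalRequest("pay vendor 4711", "payment:approve", "alice")
    print(req.approve("alice", accounts["alice"]))  # denied: self-approval
    print(req.approve("bob", accounts["bob"]))      # denied: missing duty
    print(req.approve("carol", accounts["carol"]))  # approved
```

The static check is the cheap one to run continuously against the entitlement store; the dynamic check is what keeps a manager who "crams many jobs into one" from quietly approving their own requests, since the conflict is detected at the moment the second signature is needed.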
But there’s still a big sense of apathy out there and an unwillingness
to spend more money. Some managers, for example, would rather cram many
jobs into one than have to hire more staff in order to have a
segregation of duties. “That’s a very short-term outlook because
ultimately the cost of a breach is way more than the cost of the
security solution,” says Quin. It’s estimated the TJX breach, for
example, could cost up to $1 billion.
The answer could come down to legislation. “Businesses have shown for
the most part if you’re not going to force me to spend the money, I’m
not going to spend it,” he says. “We need to move toward mandatory
breach notification and back it up with significant penalties so not
reporting a breach costs you more than reporting it.”