Loss of confidential data doubles
Though there’s more awareness of the security threats out there in cyberspace, the loss of confidential information and intellectual property has managed to double over the past two years.
According to the CA Canada 2008 Security and Privacy Survey, more than 20 per cent of organizations reported a loss of confidential information as a result of security attacks and breaches this year, up from 10 per cent in 2006, while loss of intellectual property doubled from eight per cent to 16 per cent.
“The nature of security threats is what’s changing,” says Renee Lalonde, vice-president of CA Canada.
In the past we saw a lot of malware, phishing and keylogging attacks. Now we’re seeing an increase in internal breaches, mainly from employees and ex-employees. Five years ago, less than five per cent of survey respondents identified internal breaches as a key security challenge; this jumped to 30 per cent in 2006 and 33 per cent in 2008. Eighty-six per cent of large Canadian organizations said they suffered an identified security attack in the past 12 months, and of those, 17 per cent reported lost revenue, customers or other tangible assets as a
“The adoption of an enterprise security strategy is very complex,” says Lalonde. “It’s a maturing market and it’s an evolving market.”
Organizations are now focusing on where a breach is going to come from, how to address it and how to keep their security strategy evolving. And this is where an Identity Access and Management (IAM) strategy fits
IAM solutions are a key area of investment, according to the survey, and 50 per cent of Canadian organizations not currently using an IAM solution plan to roll one out within the next 12 to 18 months.
What that does, said Lalonde, is automate employee access privileges. If an employee working in HR moves over to the marketing department, for example, those HR access privileges need to be revoked and new ones, based on the new role, activated. “It increases controls, it reduces risk and makes them more secure in terms of protecting their corporate data,” she says.
But IAM is not problem-free. Sixty per cent of survey respondents, for example, felt that central management and enforcement of the policies that ensure audit and legal requirements are met was a problem for their organization, while 59 per cent felt that the creation, enforcement and certification of role-based access was problematic.
Securing the right budget is also paramount to an organization’s success; 40 per cent felt that their security budget was too low, and only 36 per cent felt confident they could protect their corporate
“There’s a lot of good work going on out there,” says Lalonde. “We just need to continue with augmenting the strategies they’ve put in
According to the survey, 70 per cent of companies have already adopted some form of a security strategy. “We’ve seen that companies who invest more certainly suffer less,” she says.
Despite this, the number of data breaches that involve sensitive and confidential user information is staggering, said James Quin, senior research analyst with Info-Tech Research Group. And, in a lot of cases, it’s something that could very easily be avoided.
“When you look at the nature of most of the breaches, the vast majority of them would have been really easy to avoid because the vast majority are still loss of backup tapes and loss of laptop computers,” he says.
To protect against that, organizations should be using encryption; that way, when tapes go missing, or when laptops are stolen, the data on them is inaccessible.
In most cases the problem has to do with human error, rather than security systems being set up insecurely, although that was the case with TJX (owner of Winners/Homesense), which suffered a major data breach last year.
“But TJX was aware of that — they’re on record as knowing that their security was insufficient and hoping that they just wouldn’t get caught,” says Quin. “Even then it can be chalked up to human error in that they knew there was a problem and they did nothing
Organizations should also have more rigorous internal processes in place, and that comes down to separation of duties. “It’s a pretty fundamental principle in security in that by separating a job, it becomes significantly more secure, because if a user makes an error, the second person is likely going to check it,” he says. So it’s that much harder to steal information or accidentally lose it. But there’s still a big sense of apathy out there and an unwillingness to spend
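The following is an added example, not code from the article or from CA: a small Python model of the role change Lalonde describes (the HR privileges revoked, the marketing ones activated) combined with the separation-of-duties check Quin argues for, so that a role assignment which would let one person both create and approve a payment is refused. The role names, entitlements and conflict rule are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed role catalogue: each role maps to the entitlements it grants.
ROLE_ENTITLEMENTS = {
    "hr": {"hris.read", "hris.write", "payroll.view"},
    "marketing": {"crm.read", "crm.write", "campaign.publish"},
    "finance": {"payroll.view", "ap.approve"},
    "ap_clerk": {"ap.create"},
}

# Constructed separation-of-duties rule: entitlement pairs no one person may hold.
SOD_CONFLICTS = {frozenset({"ap.create", "ap.approve"})}


@dataclass
class Account:
    user: str
    roles: set = field(default_factory=set)


def entitlements_for(roles):
    """Union of everything the given roles grant (empty set for no roles)."""
    return set().union(*(ROLE_ENTITLEMENTS[r] for r in roles))


def sod_violations(entitlements):
    """Return the conflict pairs fully contained in the entitlement set."""
    return {pair for pair in SOD_CONFLICTS if pair <= entitlements}


def set_roles(account, new_roles):
    """Apply a new role set atomically: refuse it if the resulting entitlements
    break a separation-of-duties rule; otherwise return (revoked, granted)
    so the change can be written to an audit log."""
    before = entitlements_for(account.roles)
    after = entitlements_for(new_roles)
    conflicts = sod_violations(after)
    if conflicts:
        raise ValueError(f"SoD conflict for {account.user}: "
                         f"{sorted(sorted(p) for p in conflicts)}")
    account.roles = set(new_roles)
    return before - after, after - before


def change_role(account, old_role, new_role):
    """A department move: the old role's privileges are revoked, the new role's activated."""
    return set_roles(account, (account.roles - {old_role}) | {new_role})


def add_role(account, role):
    """An additional role, granted only if it does not conflict with existing duties."""
    return set_roles(account, account.roles | {role})
```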
Some managers, for example, would rather cram many jobs into one than have to hire more staff in order to have a segregation of
“That’s a very short-term outlook because ultimately the cost of a breach is way more than the cost of the security solution,” says
It’s estimated the TJX breach, for example, could cost up to $1 billion by the time everything is said and done. The answer, he said, could come down to legislation. “Businesses have shown for the most part if you’re not going to force me to spend the money, I’m not going to spend it,” he says. “We need to move toward mandatory breach notification and back it up with significant penalties so not reporting a breach costs you more than reporting it.”