A million reasons why Canadian firms should be worried about security

Canadian companies and government organizations collectively lose $1.25 million annually, on average, to IT security breaches, and nearly a quarter of firms here are dissatisfied with their own security policies, a recent survey reveals.

Respondents to the poll, conducted by the University of Toronto’s Rotman School of Management and Telus Corp., also indicated they have greater confidence in their organization’s privacy policies than in its security strategies.

The survey – titled Rotman-Telus Joint Study on Canadian IT Security Practices – covered 300 private, publicly-traded and government organizations across the country.

Directors, C-level executives, managers and security administrators were queried about their organization’s overall IT security posture, governance structures, budgets, breaches and security initiatives.

The survey report provided the following sector-wise breakup of annual losses as a result of security breaches:

  • Government organizations lose an average of $320,000;
  • Private companies lose $294,000; and,
  • The cost to publicly traded firms is $637,000.

The poll results suggest that in many Canadian organizations privacy is a greater priority than security.

Sixty-five per cent of the respondents said their organization’s privacy policies are enforced to an acceptable degree, but only 54 per cent made the same claim about security strategies.

“Canadian C-level executives don’t appear to have an appreciation of security issues,” according to Walid Hejazi, professor of business economics at Rotman and one of the survey report’s authors.

The Rotman-Telus report findings align with the conclusions of another survey, conducted last year by the Canadian Advanced Technology Alliance (CATAAlliance).

The CATAAlliance study had polled 322 persons – most from large enterprises – including CIOs, project managers and a variety of frontline IT security staff, such as network operators and systems auditors.

Sixteen per cent of respondents to that poll identified lack of IT security best practices as the top challenge to their organization, while 15 per cent cited data protection.

In the Rotman-Telus survey, government sector respondents were evenly split in their perception about their organization’s IT security strategy.

While 40 per cent felt that strategy is “enforced to an acceptable degree,” another 40 per cent said the opposite – namely, that the strategy is “not enforced to an acceptable degree.”

Three per cent said that while their organizations had a security strategy, it isn’t enforced; 10 per cent said the strategy is still in development; and eight per cent indicated they don’t have an overall IT security strategy.

Fifty-nine per cent of respondents in both private companies and publicly traded firms said their IT security strategies are enforced to an acceptable degree.

Twenty-two per cent of private companies and 24 per cent of publicly traded companies said their IT security strategies are not enforced to an acceptable degree. Three per cent of private company respondents and two per cent of respondents from publicly-traded companies said they have security strategies but are not enforcing them.

Thirteen per cent of private firms and 14 per cent of publicly-traded firms are still developing IT security strategies. Three per cent of private companies and one per cent of publicly-traded companies do not have an overall IT security strategy.

The wide variation in executive compensation across organization types might be influencing security posture, said Yogen Appalraju, vice-president of security solutions at Burnaby, BC-based Telus.

The average salary for a director ranges from $84,000 to $106,000, annually.

High earners – those with an annual salary of more than $100,000 – are nearly twice as likely to have obtained the various IT security and network management certifications as those in a lower income bracket.

“People in the public sector tend to be paid less than their counterparts in the private sector,” Appalraju said.

Forty-seven per cent of respondents from privately held organizations were high earners, compared with 32 per cent in publicly-traded companies and 18 per cent in government organizations.

Hejazi believes accountability has a strong influence on the nature of security governance and posture in an organization. “Security policies are at a more mature level in U.S. and European firms because these organizations tie security enforcement to personal performance evaluation of executives and personnel involved.”

In Canada, the motivation seems to be different.

Hejazi said security investment in Canada has caught up with the U.S. largely due to the need to comply with Canadian regulations such as Payment Card Industry (PCI) standards and the Personal Information Protection and Electronic Documents Act (PIPEDA).

In Canada, about 40 per cent of respondents indicated that security is part of their personal evaluation, while this number is 50 per cent in the U.S. and 85 per cent in Europe and Asia.

In Canada, Hejazi said, security performance, communications relating to risk and security, and attitudes towards accountability aren’t measured as often.

Canadian organizations generally do not communicate frequently about security policies and issues with their workforce. Only 14 per cent of organizations here communicate at least once a month, and only one-third (33 per cent) communicate at least once a quarter.

Security risk assessments in Canadian organizations are also largely held only once a year: 50 per cent of respondents said they perform an annual risk assessment.

Companies should concentrate not so much on increasing IT security budgets as on implementing a balanced budget strategy that takes into account both technology and personnel training, said Appalraju of Telus.

He said companies that spend five per cent of their IT budgets on security tend to get better results than those that spend less than five per cent.

“What’s the point of having security management systems in place if you don’t have the people that are competently trained to run these machines?”
