Despite growing pressure on enterprises to comply with increasing government and industry security regulations, a majority of Canadian businesses believe falling into line doesn’t make an organization secure.
“According to participants, complying with government and industry regulations is the minimum level of security required,” wrote the authors of the 2013 Telus-Rotman IT Security Study. “Compliance does not constitute the necessary level of security required in a landscape characterized by targeted, advanced threats.”
“Being compliant is not necessarily being secure,” the study quoted one participant as saying.
That observation underscores the widespread insecurity felt by many security leaders in organizations across the country who are struggling to deal with issues such as targeted attacks, data leaks, insider breaches, cloud technologies and the bring your own device trend.
In the fall of 2012 the Rotman School of Management at the University of Toronto and Telus Security Solutions held a series of round table discussions and one-on-one interviews with director level security decision makers in Vancouver, Calgary, Toronto, Ottawa and Montreal to gain insights into their security concerns and strategies. Rather than statistics, the report provided perceptions and quotes from the participants.
Among other things, authors Walid Hejazi, associate professor of business economics and academic director at Rotman, and Hernan Barros, director of product management at Telus, focused on what kept senior security leaders awake at night, how they handle the BYOD trend, the impact of legislated compliance and the emergence of new technologies.
The study found that senior security executives have four key security-related concerns:
- Has my organization been breached and I don’t know about it?
- How will the breach affect my brand?
- What are my employees doing with corporate data?
- How do I retain my security resources?
It’s almost a foregone conclusion for many of the respondents that their organization will be breached, according to the findings. This inevitability appears to be summed up by one participant who was quoted as saying: “When I started this job, I told my senior management that we will be breached within the next 18 months, so get over it now.”
There was also a consensus among participants that people are often the weakest link in an IT security system. The majority of breaches come from within the organization, either due to malicious intent or some form of careless or ill-informed action by employees, they said.
“Employees are our single greatest threat – it’s not malicious, it’s just not knowing,” according to a chief security officer of a Canadian financial firm.
Participants also expressed bewilderment at the growing difficulty of controlling employee-owned mobile devices in the workplace.
“We aren’t in control of mobile devices being used by our employees,” one participant said. “If you don’t put in certain logical controls, they’re just going to do it anyway.
The pervasiveness of the digital connected community is so entrenched now that IT organizations are going to have a real hard time grappling how to control their information.”
The security executives, however, appear to grasp the importance of their roles as custodians of customer data and its impact on their company.
“Our number one threat concern: loss of trust in our ability to protect customer data,” one participant said. “What keeps me awake at night? Any breach that could impact confidential information from our loyalty program getting into the wrong hands,” said another.