Indigo IT exec: ‘Don’t evangelize security as insurance’

TORONTO – With over 750,000 titles, Indigo’s online business has grown exponentially in the last several years. This growth, however, has meant that the book retailer has had to ensure that it has the proper security measures in place to keep its customers confident in shopping online.

“With $1 million worth of trade on Visa, you’re a soft target,” said Ricky Mehra, director of IT security and internal controls at Indigo. “That’s a risk that we mitigate.”

When it comes to implementing a security policy, Mehra said businesses have to align IT with corporate objectives.

“Don’t evangelize security as insurance,” said Mehra, who was one of five panelists at a Microsoft-sponsored roundtable Thursday. “Try to show an environment in security as a strategic enabler.”

Likewise, Pat Kewin, director of Trend Micro, said businesses need to think about aligning security requirements with business goals.

“Until that happens, organizations will have trouble getting funding,” said Kewin.

Steve Lloyd, chief security advisor at Microsoft Canada, said security needs to be thought of as part of doing your day-to-day business.

“Stop looking for ROI,” said Lloyd. “Security should be a part of your business plan . . . As soon as you start losing account numbers and passwords, you lose your customer’s trust.”

While computer viruses and worms continue to pop up on the Internet, phishing or identity theft attacks are on the rise and could do even more damage to a company’s reputation with customers. A recent study by Pollara found that 64 per cent of Internet users between the ages of 25 and 34 were victims of a computer virus or worm while six per cent of that same group fell prey to phishing or ID theft schemes. Online banking customers, however, reported identity theft as the No. 1 threat at 73 per cent, with risk of network, transaction and account intrusion attacks following closely behind at 61 per cent of respondents.

Brad Biehn, director of information systems at Louis Riel School District in Manitoba, said the school board is susceptible to social engineering attacks and phishing.

“We have programs in place to give teachers access to resources so they can pass that information on to students,” he said.

Being in a school environment, Biehn said they also have to worry about online predators and cyberbullying.

In an effort to combat threats facing their customers, some financial institutions have started collaborating with one another to share security practices, said Stephan Charbonneau, vice-president of technology for Microsoft partner Titus.

“Banks are talking to competitors,” said Charbonneau, adding that they’re sharing information like certificate authentication. “A lot of organizations are coming together as a whole to deal with the solution.”

Trend Micro’s Kewin said companies are better-prepared today to deal with yesterday’s threats, such as worms and viruses. It’s the unknown, he said, that’s the most frightful for businesses.

“What comes in as spam today goes out as spyware tomorrow,” said Kewin. To help combat this, Kewin said organizations need to adopt integrated threat response systems that deal with all layers of their network.

In terms of technology, Indigo’s Mehra said industry vendors need to better collaborate with one another when developing security solutions. He said many organizations today, including Indigo, are having to manage dozens of point products from different vendors, which is time-consuming and expensive in terms of IT labour costs.

“We need some form of standardization when they write software,” said Mehra.

Microsoft Canada’s Lloyd pointed to standards bodies like OASIS (Organization for the Advancement of Structured Information Standards) as examples of vendors collaborating across product lines.

Further, Mehra said legislation like Bill 198 in Canada and Sarbanes-Oxley in the U.S. has pushed businesses to adopt standardization across the board.

Lloyd, however, pointed out that up until five years ago, just before Microsoft introduced its Trustworthy Computing initiative, security was not top of mind for software developers.

“It was basically supply and demand,” he said. “It wasn’t until the last five years that we thought about security.”

Kewin added that stronger compliance laws will also aid in boosting customers’ confidence when shopping online.

“We will start to see more teeth from a disclosure perspective,” said Kewin, pointing to California’s law that requires businesses to notify customers within 48 hours of a data breach. “These are the things that we need to deliver confidence.”
