A recent study comparing IT security approaches by Canadian and American enterprises done by the Info-Tech Research Group in partnership with ITBusiness.ca revealed that most IT managers are still terrified of external threats like viruses, but aren’t as afraid of the great threat from within — internal IT security policy snafus.
More than 1,600 North American IT managers (including over 1,000 Americans and 550 Canadians) were asked to rate the importance of security against seven different security threats, including security policy user compliance, internal user malfeasance, generic external threats (like viruses), random attacks (like password crackers), targeted external attacks, and protection of the physical server room or data centre.
The results, which were calibrated from the respondents’ ranking of certain kinds of threats as “very” or “extremely” important, showed that Americans’ and Canadians’ attitudes toward IT security seem virtually identical, never straying farther than a few percentage points’ difference.
The No. 1 concern was generic external threats, with more than 70 per cent of both Canadian and American IT managers calling it “very” or “extremely” important. This didn’t surprise Brian Bourne, president of security consulting firm CMS Consulting and a member of the steering committee of the Toronto Area Security Klatch, an IT security user group. “Everyone gets spam and viruses, and it’s a very visible problem. Its impact on security is easy to understand. But what most people don’t understand is that when you do security really well, nothing happens. It’s hard to understand the value of nothing happening,” he said.
Bourne has found that companies tend to get worked up over spam and viruses because it has an easily identifiable impact on productivity. Said Bourne: “When it comes to a leakage of information, which could also obviously have an effect on productivity, they really don’t seem to worry that much.”
They’re not blind to the data-leakage problem — the second-most feared security threat is random attacks, which 60 per cent of Canadian IT managers and 56 per cent of American IT managers rated as “very” or “extremely” important in the battle against IT breaches (the fear of targeted attacks came in second-to-last, with half of the American respondents, and just over half of the Canadians, saying it was “very” or “extremely” important). Bourne said that this concern isn’t even close to the fever pitch it should be hitting, in spite of the threat’s easy understandability: “password cracking is happening on a mass basis.” He estimated that issues like server vulnerability are resulting in even small businesses getting five to 20 attacks daily, while larger companies get many more.
Conan Lear, IT manager for Sporting Life Inc., got wise to this ages ago. “I don’t worry about spam or viruses on a day-to-day basis. You have off-the-shelf software in place for that,” he said. “It’s the random attacks where they search for servers (that are worrisome).” He said that Sporting Life has been the victim of a few random attacks.
Bourne has found that many of his clients are alarmingly laissez-faire when it comes to their data. “I hear, ‘Who would care about me?’ A major manufacturing company told me even if they got in and took our information, they’d still be better off,” he said. “What I see is that they’re not concerned with data leakage and they trust their users.”
The idea of hardcore corporate espionage by a seemingly trustworthy employee might make for good movies and entertaining press, but the IT managers surveyed weren’t being kept up at night by visions of internal sabotage — it was the second-to-last most feared threat, and was deemed “very” or “extremely” important by only around 45 per cent of those surveyed.
More troubling, though, according to Bourne, was security policy compliance’s middling placement squarely in the middle of the pack, with “very” or “extremely” importance ranking around the early- (Americans) to mid-fiftieth (Canadians) percentile. He stressed the problems that can arise from even the most innocent of security policy infractions: “Say you get an e-mail attachment. You know you shouldn’t open it, but you just have to see this file of naked dancing pigs. These employees aren’t trying to be malicious — they just want to see the pigs!” Bourne worries that the focus on external IT security threats can cause havoc — and have. “It’s like building an impenetrable wall without policing the inside,” he said.
He has found that among small companies, very few have IT security policies, while among the mid-market enterprises, only about half do. Even the biggies, which almost always have them, can fall behind on enforcement. “I get companies asking me, ‘Where can I download a security policy from the web?’” said Bourne. Once a security policy is in place, though, it is important to do a regular audit of the users, processes, and appliances covered within.
Lear does a quarterly review and update of his company’s policy, and keeps a stern eye on the IT proceedings at Sporting Life. “Policy adherence is my No. 1 concern. I feel my risk is more inside the network. Not necessarily the users, but let’s say a photocopy guy come in and installs some software, and then that starts chewing up my network bandwidth.”
He also stresses good practices to his workers, working one-on-one with those who have experienced an IT security breach (or having the department sit in) and sending out communiqués of the muddle to all employees to learn from. Bourne suggests awareness training that goes outside the box-most people know not to open e-mail attachments from strangers, for example, but, he said, they may not be able to detect social engineering techniques that can be used to glean sensitive company information.
The least pressing category was the possibility of a security breach via mobile devices like laptops or PDAs — only 40-odd per cent cited protection against such threats as “very” or “extremely” important.
While Info-Tech managing director Michael O’Neil said in the report that the result made sense, since most companies don’t have mobile devices, Bourne said that he was surprised by the result: “I can’t think of a single company that doesn’t have at least one laptop or PDA, and if you have one, you ‘have’ them, and it’s an attack factor for your facility.” Lear, too, was very concerned about the potential security threat there. “With wireless access from PDAs, and people carrying around USB flash drives, what if someone dropped them in the pub on Friday night?”
The physical aspect of this potential security threat was more visible in the third-highest concern-a little over 50 per cent of the American IT managers, and almost 60 per cent of the Canadian IT managers surveyed ranked protection of physical data centres as “very” or “extremely” important.”
More on the Info-Tech/IT Business Group security report in the Jan. 12 issue of Computing Canada.