There’s been a huge spike in the number of data breaches and their cost to companies across Canada.
Breaches cost an average of $834,149 per organization, according to a recent country-wide poll.
The joint survey, released by Telus and University of Toronto’s Rotman School of Business Management, also indicated that insider breaches doubled in 2009.
But the study authors said companies can tighten the lid on security by closely examining security practices adopted by firms with mobile workers or teleworkers.
“Firms with mobile workers understand that employees carry valuable company information in their laptops and smartphones, and have evolved policies and means of dealing with this reality,” said Walid Hejazi, associate professor, business economics, and director of executive programs at the Rotman School of Management.
Companies with mobile workers recognize the need for laptop lockdown, says Walid Hejazi
Companies with mobile workers generally have policies that seek to pre-empt data breaches, and this contrasts with the reactive approach adopted by many firms, according to another author of the study.
“Security is not always about spending money on technology when threats surface,” said Alan Lefort, general manager for Telus Security Labs in Toronto.
“Firms with mobile workers have built security into their IT policies because they are more aware of the threats out there.”
The survey, which looked at the state of IT security in Canadian organizations with more than 100 employees, is the second in a series of annual studies by Rotman and Telus. Results were based on answers from over 600 respondents.
They included Canadian IT security professionals and nine focus groups across the country.
According to the study, the annual average loss from IT security breaches is $834,149 this year, a 97 per cent increase from the $423,469 reported last year.
The average number of breaches per organization also shot up from three in 2008 to 11.3 in 2009. Most breaches occurred in government institutions.
Annual costs incurred on breaches by government organizations tripled — to $1 million in 2009, up from $321,000 in 2008, the report said.
Insider breaches in Canada are fast approaching numbers posted in the U.S.
In 2008, 17 per cent of Canadian organizations reported insider-related activity, while in the U.S. about 60 per cent reported the same. In 2009, insider-related breaches in Canada jumped to 36 per cent, while those in the U.S. dropped to 44 per cent.
Lefort links the spike to the economic downturn, noting that budgets for security programs were slashed by an average of 10 per cent, and the average security budget was just seven per cent of a firm’s total IT budget.
“In a down economy security budgets are often slashed,” Lefort explained. “Employees may be swamped with work and challenged to follow security procedures, and sacked workers may take company data with them.”
But he also said that many insider-related breaches were traced to employee mistakes or a lack of security awareness.
The study indicated that most company breaches were caused by unauthorized system access by employees.
The five fastest-rising breach categories are:
- Unauthorized access to information by employees (up by 112 per cent)
- Bots within an organization (up by 88 per cent)
- Financial fraud (up by 88 per cent)
- Theft of proprietary information (up by 75 per cent)
The five breaches that remained constant or declined were:
- Password sniffing (down by 17 per cent)
- Phishing and pharming (down by 15 per cent)
- Denial of service attacks (down by six per cent)
- Sabotage of networks (no increase)
- Exploiting DNS (no increase)
How may companies improve their security posture without breaking the bank?
They can do that by boosting employee awareness about security threats and then getting C-level backing on security policies, according to Christopher Burgess, senior security advisor for the corporate security programs office at Cisco Systems Inc. in Woodinville, WA.
“You would be surprised at the number of CFOs and CIOs who just don’t get security. They generally see it as a cost centre,” said Burgess.
He said that at Cisco, security awareness was intensified by using an in-house PR manager to develop a worldwide corporate information program that included an information video. The video targeted Cisco employees in various countries. The company didn’t incur huge costs in its production because the team was already working for the company.
A security group was then set up to study how security policies could be aligned with Cisco’s business practices. The end goal was that security policies should enable productivity.
“Security policies are no good if they hamstring workers,” Burgess noted. “When you make people choose between following a security policy and doing the right thing, that’s not a good policy.”
Hejazi noted that companies can cut costs by focusing on security right at the start, rather than spending on security products to deal with threats as they occur. “Most C-level executives refuse to spend for security unless a breach occurs. By the time it does occur, it’s often too late and the cost of dealing with the damage has been added to the implementation.”
Accountability for security must also be instituted, the Rotman School associate professor noted. “When you tie in salary increases or job security with security performance you get people’s attention.”