TORONTO — A recent survey found that Canadians organizations are concerned about security, and IBM Canada Ltd. on Tuesday said it wants to help Canadians address those concerns by investing $40 million in IT security services over the
next five years and to open a new security operations centre in Markham, Ont.
Canadians need to start taking a holistic approach to security, said Michael Small, the security practice leader for IBM Global Services. They are currently taking a Band-Aid approach, he said.
Security isn’t just about making sure information is available, it’s also about the confidentiality of information and about protecting an organization’s integrity, he said.
It’s also a top concern among Canadian organizations, according to a survey conducted by IDC Canada. Security ranked third overall behind network upgrades or improvements and Microsoft operating system upgrades among the 460 companies surveyed.
Among the security concerns still worrying Canadian companies, antivirus detection and protection, network security and perimeter defence, and e-mail spam and security ranked the highest.
“”Things we thought organizations might have had a handle on, they’re still grappling with,”” said Steve Poelking, the director of research for infrastructure and applications at IDC Canada in Toronto, speaking at an IBM press conference announcing the security centre.
Almost 60 per cent of the organizations surveyed, which were comprised of small, medium and large businesses, said they had experienced a virus attack. Others also admitted to having their networks hacked and to experiencing denial of service attacks. But very few of those organizations — less than 20 per cent — attempted to calculate the costs of such security breaches.
“”You have to know what your costs are,”” Poelking said.
The security centre will help companies design security management programs, make sure they meet regulatory requirements, do vulnerability assessments and provide 24/7 real-time monitoring. The centre will also have a lab in which organizations can run simulations to test their safeguards against vulnerabilities.
Security threats are real, and they happen all the time, but we often don’t hear about them, said René Hamel, the vice-president of computer forensics services for Inkster Group, which investigates security breaches. Incidents such as embezzlement, intellectual property theft and money laundering are common events, but you don’t hear about them, he said. His company follows electronic trails to try to locate the individual behind the keyboard responsible for security breaches.
Viruses are only one type of threat companies have to worry about, Hamel said. They also need to be concerned about internal threats from employees. This is something they don’t like to hear about.
Employees are using anonymous proxy servers more and more, making it difficult to track them unless a company has the ability to react quickly, before logs are overwritten, he said. Monitoring tools and the maintenance of logs are critical, he said.
Companies need to make sure they have policies and controls in place for when employees leave — not only to cut off their access to e-mail and applications but to make sure they don’t walk out with CDs burned with company information. They also need to be more diligent about backups, he said. Once a week for a medium-sized company is not enough, Hamel said.
“”People, believe it or not, are to this day not as tight on backup schedules as they should be,”” he said.
In one case he’s currently working on, some culprits were able to extract information from a company and are threatening to go public with that information unless the company gives them money. They want a bank card sent to them, which they will use to withdraw money. And not all bank machines are equipped with cameras, he said. Attackers are becoming more sophisticated, he said, and the law is slowly catching up.