OTTAWA — Executives at ProPharm Ltd., a pharmaceutical computer systems maker, got a surprise last year when their security consultant was found in the company’s boardroom well before a scheduled meeting.
The IBM consultant, hired to provide security advice on a new virtual private network (VPN) the company had developed, walked through the front door of the company’s head office in Markham, Ont., slipped past the security guard and made his way to the boardroom completely unannounced.
George Edwards, the firm’s vice-president of retail systems, told the embarrassing story at a press briefing Wednesday, which underscored the findings of a new Ipsos-Reid survey about lax executive attitudes on IT security issues.
“You have CEOs out there thinking their (company’s) security is pretty good — (but) there’s loopholes everywhere,” said Edwards. “We thought we were pretty good, but we found 50 points where we could improve” during a risk assessment process for the VPN.
Unfortunately, many CEOs at Canada’s mid-sized companies aren’t taking security threats seriously, according to the Ipsos-Reid survey. More than 40 per cent of the surveyed executives — who were from various mid-sized companies with 100 to 500 employees — said that protecting their corporate data and computer networks from attack was only a moderate priority. Another 19 per cent said it wasn’t a priority at all. (Most of those interviewed came from the manufacturing and construction industries, though pharmaceutical, hospitality and utility companies were among those questioned.)
At the same time, the survey showed that 45 per cent of the 250 companies that took part had been hit with a computer virus in the past year. Twenty per cent noted an outside hacker had attacked them within that time frame, but a significant number of these CEOs — 40 per cent — said their companies didn’t have the tools to detect these hackers. Twenty-two per cent of the respondents reported computer equipment thefts, too.
“CEOs are not sold that IT systems in Canada are secure, nor are they convinced that their own systems are overly secure or effective,” concluded David Saffran of Ipsos-Reid.
He explained upper management at many companies don’t treat security as a top business priority, placing it as a secondary issue behind hiring/retaining staff and reducing overall expenses.
But Sgt. Charles Richer, team leader of the Royal Canadian Mounted Police’s Technological Crime Unit, presented evidence that CEOs should start losing sleep over computer crime. His department has seen a 65 per cent increase in the case file load between 2000 and 2001, and it’s more than tripled since 1997.
“Directed denial-of-service attacks are alive and well,” he adds. “I personally investigated one case where the victim lost more than $100,000 a day.”
He noted that his unit has investigated internal data theft, only to discover that the company involved hadn’t even set up a password system to protect sensitive information.
“Consistent with the survey’s findings, (we’ve found) companies aren’t putting an emphasis on security that they should,” says Sgt. Richer.
He notes that companies can do a lot to improve overall security among businesses just by reporting a crime whenever it occurs. While many companies don’t want to see information about the breach go public, he says it’s important so that effective deterrents are set up in case law.
“It’s a win-win situation” if companies press charges, he said in a post-conference interview. “If we start getting good sentences, it’s going to serve as a deterrent. If (companies) don’t report incidents, then hackers or attackers will go on with what they’re doing, and there’s never any results at the end that can be used against these people as a deterrent.”