While data breaches have multiplied, research suggests many Canadian businesses aren’t fully equipped to deal with the heightened threat.
Seventy per cent of businesses polled in a recent survey consider security a “Top 5” priority – 12 per cent fewer than last year.
The survey recorded and reported on these firms’ strategies to eliminate data breaches, according to Andrew Bisson, vice-president, consulting services at Ottawa-based Branham Group.
On the one hand, Canadian firms have taken definite steps to meet today’s threats, Bisson said. On the other, “businesses need to realize these threats are evolving.”
It’s a view echoed by Michael Murphy, vice-president and general manager of Symantec Canada Corp.
Over the past few years, he said, Canadian companies have done a good job protecting against threats, diligently using anti-virus software, spyware, firewalls and identity management tools.
And all of these are likely to be top security investment items in 2009, the Branham report indicates.
Yet merely focusing on these tools may not be the best approach, Murphy suggests, as hackers today are “motivated by a different kind of asset.”
The greatest threat today is to the value of your data, he said. “That’s the Holy Grail worth protecting.”
The underground market for information – where stolen data is bought and sold – is thriving, Murphy noted. Information for sale in this market is collectively valued at $1.7 billion, an amount greater than the GDP of many developing nations.
To firms that are victims of data breaches, the costs can be enormous and the damage irreparable, said Branham Group’s Bisson. Through a single breach a company can lose 11 per cent of its customer base overnight.
Interestingly, 44 per cent of executives polled in the Branham-Symantec study estimated the average cost of a data breach at less than $5,000.
One group in Canada doing an exceptional job of protecting against data breaches is the Canadian military, Murphy said.
Traditionally, he said, the military has protected its physical data assets well, and has simply translated these policies to the electronic world. Businesses, however, are lagging.
Murphy said identity management – controlling at all times who has access to data – is part of the answer.
In the past, he said, we spent on infrastructure and did well. Now we need to focus on protecting information.
Confronting the enemy within
Previously, businesses have been able to protect all of their data by erecting a big fence around their company. Today that approach isn’t likely to be effective, as the greatest threat is usually on the inside, Murphy said.
For instance, he recalled how at one New York hospital, an employee was hawking patient records online for $1,500. He managed to sell 3,000 records before being caught.
In a down economy, Murphy said, individuals may be more likely to turn to criminal behaviour.
The influx of Gen Y into the workplace has intensified the challenge, he noted. It’s made sensitive information more easily accessible, as younger employees work from home or a coffee shop, and carry company data on a handheld device or laptop.
All this leaves data more vulnerable to interception.
Education is just as important as tools and technologies, said the Symantec Canada general manager. Employees, he said, are ultimately responsible for security, not the CSO or CIO. “If you can integrate [security practices] into daily routines, you’ll be better off dealing with the insider threat.”
Many companies, the Symantec exec said, are focusing on tightening passwords or using encryption – but this isn’t the right approach.
Password protection passé
Investing heavily in pre-emptive measures such as data encryption won’t work, Murphy said, because these aren’t foolproof, not by a long shot.
He said in the old days, when people stole data, time was against them – they had to break in, quickly take what they wanted and make a hasty exit.
“Today, you could take a hard drive or laptop to your underground lair, and would have the time, privacy, and resources to help you decrypt it and gain access to the information.”
Relying too heavily on passwords to control access to data isn’t a great idea, he suggests. He said writing a password on a sticky note wouldn’t be a problem if the account didn’t hold enough data in the first place to cause a major breach.
And sticky notes or not, today’s worms are sophisticated enough to crack most passwords, Murphy said.
Companies, he said, need to store their data knowing it could be easily intercepted, despite investments in firewalls, passwords or encryption.
He does not recommend consolidating sensitive information at a single location.
“Most databases contain far more information in one place than they need to,” the Symantec exec said. “There’s no need to have social insurance numbers, banking information, and addresses in one database.”
Instead he recommends data separation, with access based on keys. “So if someone does access the files, they get pieces, not all of the information.”
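The data-separation idea Murphy describes can be sketched in code. The block below is an added example, not code from the Branham report or from Symantec: it splits one customer record across three separately keyed partitions (the partition names, the sample record and the class and function names are all hypothetical). Each partition is read only with its own access key, and rows are indexed by a per-partition pseudonym derived from the customer id with a partition-specific secret, so dumping two stores does not let an attacker join them back into a full record.

```python
"""Data separation with key-based access (added example, not the report's code).

Each sensitive field group lives in its own store. Reading or writing a store
requires that store's access key, and rows are keyed by a per-partition
pseudonym rather than the raw customer id. A thief who lifts one store, or one
key, gets a piece of the record rather than all of it.
"""
import hashlib
import hmac
import secrets

# Hypothetical partition names for this example.
PARTITIONS = ("identity", "tax", "banking")


class PartitionedStore:
    def __init__(self):
        # One access key per partition; in production each key is handed only
        # to the service that needs that partition (e.g. billing gets "banking").
        self.access_keys = {p: secrets.token_bytes(32) for p in PARTITIONS}
        # One linking secret per partition: maps customer id -> pseudonym, so a
        # dump of two partitions shares no row keys and cannot be joined by id.
        self._link_secrets = {p: secrets.token_bytes(32) for p in PARTITIONS}
        self._stores = {p: {} for p in PARTITIONS}

    def _pseudonym(self, partition, customer_id):
        return hmac.new(self._link_secrets[partition],
                        customer_id.encode(), hashlib.sha256).hexdigest()

    def _check(self, partition, presented_key):
        if partition not in PARTITIONS:
            raise KeyError(partition)
        # Constant-time comparison so the check itself leaks nothing.
        if not hmac.compare_digest(self.access_keys[partition], presented_key):
            raise PermissionError(f"no access to partition {partition!r}")

    def put(self, partition, presented_key, customer_id, fields):
        self._check(partition, presented_key)
        self._stores[partition][self._pseudonym(partition, customer_id)] = dict(fields)

    def get(self, partition, presented_key, customer_id):
        self._check(partition, presented_key)
        return self._stores[partition].get(self._pseudonym(partition, customer_id))

    def dump(self, partition):
        # What someone who copies one store's files sees: pseudonymous keys only.
        return dict(self._stores[partition])


def split_record(store, customer_id, record):
    """Ingest path: the one writer that holds every key splits the record."""
    keys = store.access_keys
    store.put("identity", keys["identity"], customer_id,
              {"name": record["name"], "address": record["address"]})
    store.put("tax", keys["tax"], customer_id, {"sin": record["sin"]})
    store.put("banking", keys["banking"], customer_id, {"account": record["account"]})


def demo():
    """Returns (what billing sees, whether billing is refused tax data,
    number of row keys shared between the tax and banking dumps)."""
    store = PartitionedStore()
    # Constructed, fictional sample record.
    split_record(store, "cust-1001", {
        "name": "A. Example",
        "address": "1 Example St, Ottawa",
        "sin": "000-000-000",
        "account": "12345-678",
    })
    billing_key = store.access_keys["banking"]
    seen_by_billing = store.get("banking", billing_key, "cust-1001")
    try:
        store.get("tax", billing_key, "cust-1001")
        refused = False
    except PermissionError:
        refused = True
    shared_rows = set(store.dump("tax")) & set(store.dump("banking"))
    return seen_by_billing, refused, len(shared_rows)


if __name__ == "__main__":
    print(demo())  # → ({'account': '12345-678'}, True, 0)
```

A real deployment would also encrypt each partition at rest under its own key and put the linking secrets in a separate key-management service, but the shape is the same: nobody short of the ingest path holds every key, so a single compromised credential or copied database yields only a fragment.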
If all the information does need to reside in one place, Murphy suggests multi-factor authentication, such as combining a password with a swipe card, a biometric facial scan, or a thumbprint.
While each of these has its drawbacks – such as reports of gummy bears cracking thumbprint locks – together they can provide formidable security.
At the same time, he said, companies should assess the value of the information, before building “million dollar fences around five dollar assets.”
Seventy-two per cent of Canadian businesses outsource some part of their IT security.
Murphy says this makes sense in the current economic climate where most companies are looking to cut costs. “But I would approach outsourcing with caution.”
He said core elements of the security strategy should still remain with the firm’s executives, and vendors you outsource to shouldn’t receive free access to all company files and data.
It’s crucial to carefully scrutinize the credentials of companies you outsource to, he said.
“Check certifications and accreditation. This will improve trust and enhance service-level agreements.”