TORONTO – Canadian businesses see employees who unintentionally download viruses or spyware as a greater risk to the security of their IT systems than hackers, according to a study released by a cadre of technology vendors and service providers on Tuesday.
More than half of the 565 senior-level decision makers who responded to a survey commissioned by Fusepoint Managed Services, Sun Microsystems and Symantec Corp. said they believe their organization’s confidential and private data is at risk. This is despite the fact that 92 per cent use antivirus software, 43 per cent say they use encryption technology and 85 per cent say they have firewalls in place.
Dr. Clemens Martin, a professor in the IT Security Group at the University of Ontario Institute of Technology, said the survey results indicate a need to improve the way in which users are trained in security policies.
“IT departments do not have a great track record in terms of creating exciting programs,” he said.
Michael Murphy, Canadian vice-president of Symantec Corp., said user education about IT needs to become as embedded into business processes as the rules around physical security.
“People didn’t want to be identified with a tag hanging from a lanyard,” Murphy pointed out. “But everyone walks around with a badge now . . . a lot of IT departments lack the skill set to develop courseware in security.” Symantec offers some packaged education products to meet that need, Murphy added.
Andy Canham, the recently-appointed president of Sun Microsystems of Canada, said the responsibility for vendors is to make sure the technology doesn’t make education more difficult. “It has to be a no-brainer,” he said. “It has to be implicit and systemic in the way they do business, so that the IT departments can just deal with the (security) issues, not the products.”
Murphy agreed, calling for greater integration among security products and the rest of the enterprise. “The anti-virus (software) has to talk to the firewall,” he said. “It has to become part of the network infrastructure, the desktop infrastructure.”
The survey showed 57 per cent of respondents feel only somewhat confident that their IT department could withstand an attack. This is at a time when executives said threats are becoming much more sophisticated. Martin offered a demonstration of a “spear-phishing” attack that uses a bogus e-mail and Web site to deceive a user into handing over a password to secure information. This year’s Zotob worm, Murphy pointed out, was created and deployed in only six days, where comparable malware took six months to develop. Security experts are now keeping watch for “Warhol threats,” which appear with the speed of artist Andy Warhol’s 15 minutes of fame, Murphy added.
Fusepoint president George Kerns said the acceleration of virus and bug creation is making it even more difficult for IT departments to respond appropriately. “It’s been happening on the Friday nights,” he said. “There’s no guarantee the threat is going to hit in the middle of the day on a Wednesday, when everyone is at work.”
Although 27 per cent of large businesses said they thought a security breach could cost their organizations $1 million or more, 38 per cent had no idea what the impact would be. That’s because measuring the consequences of poor IT security involves so many intangibles, Martin said.
“The problem is not understood like (the impact of) an earthquake or a flood or a car theft,” he said. “We need more research to show the links.”
The trust issues that surfaced from high profile breaches at ChoicePoint and MasterCard earlier this year make the impact more apparent, Canham said. “(Security) may begin to define who you want to do business with,” he said. “It takes it way beyond the CIO’s office.”
The survey was conducted by Leger marketing between Oct. 28 and Nov. 9, and the results are believed to be accurate within plus or minus four per cent, 19 times out of 20.
Late Tuesday, Symantec’s security response team upgraded the severity of the latest variant of the Sober worm W32.Sober.X@mm, to a level three on a scale of one to five, with five being the most serious.