The number of IT security breaches reported by Canadian enterprises has dropped by 50 per cent, and even incidents caused by employees have gone down, according to the fourth annual research report by Telus and the Rotman School of Management.
Telus, which released findings from its survey in an on-demand Webcast with CIO Canada last week, said the decrease in reported breaches is a first since the company began working with Rotman on the project in 2008. On average, respondents said they had suffered seven security breaches in the last 12 months, compared to an average of about 14 security breaches in 2010.
The study, which is based on 600 responses from Canadian public and private-sector organizations, defines an IT security breach as any incident involving data loss or a similar issue that resulted in financial losses, damage to corporate reputation or disciplinary action of some kind.
Rafael Etges, research director with Telus Security Solutions, said that while overall incidents have gone down, those which occur are becoming more sophisticated and targeted.
“We see viruses and malware in two groups: the regular kind that most virus systems will prevent, which is becoming like the background noise that most organizations are giving to the IT department to handle, and the really sophisticated malware that’s looking for financial data, or part of a larger attack combined with social engineering,” he said.
Although many security incidents have been traced to “insider attacks” by rogue employees or former staff members, Telus and Rotman looked instead at insider breaches that may also have been committed in ignorance or accidentally. These too have gone down slightly, to 22 per cent of all reported breaches from 25 per cent last year. However, there was a difference here between the public and private sectors, with government organizations reporting slightly higher insider breaches.
Peter Macaulay, head of corporate security at the Province of Ontario, said the research findings were consistent with his experience. He said Ontario blocks about 20.8 million e-mail messages every month, but in the last year the traffic has become more deliberate than mass spam: specific individuals are getting dangerous items in their inboxes.
“The emails are encrypted and embedded in the message, circumventing old forms of detection,” he said. “We’ve had some difficulty in analyzing specific packets. We’ve now deployed tools more specific to the application layer, and monitoring is more around the higher-profile application rather than the network as a whole.”
One of the challenges in an organization like the province is its sheer size and the amount of activity going on. Etges said a new area in this year’s research included a look at the relationship between organizational complexity and the degree of IT security problems. Those with a high degree of complexity reported 26 breaches, compared with three or more for simple environments. The most complex organizations also said their average annual losses from IT security incidents were more than $169,000, compared with just over $31,000 for very low-complexity organizations.
“You could also argue that highly complex organizations like banks or retailers would be expected to suffer more breaches,” he admitted. “But the numbers we are showing are to give a sense of the size of the problem . . . it’s about the relative positioning of that risk.”
Macaulay said an important first step is sharing more information between organizations. “It’s no good saving that great breach story for the next conference you attend,” he said, adding that while education is an ongoing issue, results improve if training and policies are regularly refreshed. “It almost shows that the more security is in people’s faces, the more they do actually feel secure and adhere to policies.”
Training comes down in part to communication and leadership, which need to be seen as a critical security skill, Etges argued.
“The people aspect of security is something we have collectively overlooked in the past,” he said. “Human behavior is not actually our forte. It’s never been. We’re not trained to manage and drive human behavior. It’s something that is mostly out of the comfort zone for security practitioners.”
The Telus-Rotman study also looked at mobile device security, and found that 40 per cent of respondents viewed loss of data as their No. 1 concern. Most saw lots of opportunity for mobile computing along with the threats, however, and Etges said he expected mobile security to improve in future research as more technologies are deployed and policies developed.