OTTAWA – George Edwards thought that his company’s security measures were pretty good until the day a third-party assessor came in to test the steps ProPharm had taken to protect itself from attacks.
But when the person sent by IBM to test the company’s security system walked right into its Markham, Ont.-based offices, the company realized it hadn’t taken everything into account, said Edwards, a vice-president at the company, which supplies computer technology to pharmacies. And when the assessor asked who the CSO was, Edwards was once again at a loss.
“We were thinking we’re pretty good,” he said. Edwards was speaking during an event held here Wednesday, where the results of an Ipsos-Reid study on Canadian CEOs’ attitudes towards security were announced.
But, he noted, the outside evaluation showed the company there were many areas in which it could stand improvement.
ProPharm’s once half-hearted approach to security isn’t that different from the attitude of other Canadian companies, according to a poll conducted by Ipsos-Reid. Security is only a second-priority concern for Canadian CEOs, said David Saffran, a senior vice-president and managing director at Ipsos-Reid Corp.
In a poll of 250 CEOs, protecting the company from malicious attacks came in fourth in a list of priorities, behind reducing the company’s overall expenses, maintaining and building revenues, and hiring qualified staff.
This lukewarm approach to security could come at a cost. According to RCMP statistics, cybercrime is up 65 per cent from last year. And a large number of hacking events go unreported each year, as companies are afraid of going public with such information, said Sgt. Charles Richer, a team leader with the technological crime unit at the RCMP in Ottawa.
Cyber attacks have gotten more sophisticated since the days of Mafiaboy, Richer said. Though unable to go into details of the cases he’s investigated, Richer said in one denial of service attack, a company was losing $100,000 a day.
Theft of data is happening at a good pace, he said. Smart card cloning through reverse engineering is also possible, if there isn’t enough security.
Although individual viruses aren’t as common as they once were, more worms are starting to appear, Richer said.
“We’re investigating things that could have been prevented,” he said.
Many of the crimes are internally generated, Richer said. In many cases, the attack is either generated from within the network or the victim knows the perpetrator.
In many cases, people are the weakest link. “Human issues are at the heart of the matter,” Richer said. That’s why it’s essential to train and communicate with employees.
In the Ipsos-Reid study, 46 per cent of CEOs reported being hit with a widespread infection by malicious software, and 20 per cent admitted to being hit by an external hacker in the past year.
To combat such attacks, it’s important to get an outside assessment of your security system while it’s still in the design phase, ProPharm’s Edwards said.
The company was forced to undergo such an assessment in order to comply with the Ontario government’s requirements.
As a supplier to pharmacies, the company is more attuned to the importance of protecting confidential information than most companies, but this is something all organizations have to worry about, Edwards said.
Among the measures that IBM recommended to ProPharm was the creation of a poison pill for the Linux boxes at pharmacies. If a box is stolen and then used to connect to the ProPharm network through which insurance claims are validated, then not only will the connection be severed, but the computer will be sent a command to commit suicide.
Once the system was in place, ProPharm then had a third party test it through ethical hacking.
“You shouldn’t proofread your own work,” Edwards said.