Nearly one-quarter of respondents to a recent survey on IT security said their policies were not enforced in an acceptable way.
The survey of 300 organizations, conducted by both Telus Corp. and the University of Toronto’s Rotman school of Management, the Rotman-Telus Joint Study on Canadian IT Security Practices, was released Monday.
Of the private companies surveyed, respondents lost an average of $294,000 to cyber crime, while the average publicly-traded firm lost $637,000 per year. Government organizations lost an average of $320,000.
The organizations surveyed included companies in IT, finance, manufacturing, military and other government organizations. One-third of respondents were ranked at the director level or higher, 18 per cent were systems administrators, 18 per cent were security administrators while 26 per cent were IT or security managers.
Just 40 per cent of government respondents said “IT security strategy is in place and enforced to an acceptable degree” in their organizations, while the figure for both publicly-traded and privately-held companies was 59 per cent.
“The people that the public sector tends to attract are not paid as much as the other components of the industry,” said Yogen Appalraju, vice-president of security solutions at Burnaby, B.C.-based Telus.
Respondents at 24 per cent of the publicly-traded companies said IT security strategy was in place but is “not enforced to an acceptable degree.” The figure for privately-held companies was 22 per cent.
“Normally we find there’s a very clear strategy of what needs to be done but there tends to be a focus on technology and not too much on the people and the process,” Appalraju said.
The degree to which security was implemented depended heavily on the governance structures, said Walid Hejazi, co-author of the report and a professor at the Rotman School of Management.
“What we found is that Canadian companies are different than American and foreign companies with respect to accountability and communication in IT security,” he said.
According to the report, 60 per cent of the respondents said when evaluating their people, they do not link personnel performance objectives to IT security objectives. The others are 39 per cent more likely to be “very satisfied” with their overall IT security.
Hejazi said a greater proportion of companies in the U.S. and Europe tie personal performance to IT security.
“That’s a very important component to explaining to why some employees are more aggressive about implementing adequately.”
The report also asked IT staff about their security technologies and incidents.
All respondents said they use anti-virus and firewalls, and all respondents who spend more than five per cent of their IT budget on security use anti-spam. Ninety-eight per cent of the others used anti-spam, while 85 per cent of those who spend less than five per cent of their IT budget on security use network intrusion prevention.
Companies that spend five per cent or more of their IT budgets on security tended to get better results than those who spen less than five per cent, according to the study.
“For those respondents who spend in excess of five per cent of their IT budget on security the amount of web site defacement – the quantity of incidents came down drastically, almost 60 per cent,” Appalraju said.
Sixty-two per cent of respondents reported malware breaches, 27 reporting phishing attacks and 17 per cent reported denial of service attacks.
“When you have those kinds of attacks typically they reach executive management,” Appalraju said. “What happens is a lot of due diligence goes on after fact so you have audits that take place you have a lot of remediation that takes place.”