When Elections Ontario earlier this summer reported a data breach with the personal information of as many as 2.4 million Ontario voters going unaccounted for after two memory sticks went missing, it served to highlight that Canadians may not be as secure as they previously thought. And in developing a methodology for predicting the volume of personal confidential Canadian data that will be lost next year alone, David Senf notes that the results reveal that Canadian firms still have a ways to go when it comes to thinking about data security and compliance.
Speaking at a session during last week’s SECtor security education conference in Toronto, Senf, IDC Canada’s infrastructure solutions research director, broke down the research firm’s new methodology for forecasting the number of data security breaches within Canadian companies.
The results, he said, were surprising.
While he wouldn’t name names, the IDC findings reveal that as of last year, 3.5 million confidential data and personal information records were lost or stolen from Canadian organizations, a figure that will jump to over 4 million by 2015. This is a particularly illuminating fact when considering that the findings also show a whopping 86 per cent of Canadian firms believed their enterprise IT environment to be a secure one, Senf says.
The model, Senf notes, breaks down the sources of data loss in Canada (including probability and impact across 12 different areas) and incorporates more than 4 billion records, with inputs from Statistics Canada, managed services data and survey findings. “We spoke to the top 800 firms in Canada to see what are the things that trouble (them) from an IT standpoint. It used to be cost and security topping the list but those have dropped down,” says Senf.
These days, he added, firms are concerned about the IT department’s ability to adapt and change. While larger organizations have a general handle on data security and compliance, budget and personnel restrictions are affecting the ability of midsize firms to be agile enough to handle more than network maintenance and develop a sound network strategy for malware attacks and data breaches, Senf explains.
Among the findings:
- PIPEDA preparedness varies by industry, with the financial services sector most compliant (90 per cent), followed by manufacturing and construction (80 per cent), with telecom, retail and government following, in that order.
- Servers rank as the technology area that will receive the “highest security investment in the next two months,” followed by wireless, web apps and the wired network.
- Only 35 per cent of Canadian organizations report via PIPEDA, with 73 per cent currently unaware of the federal law.
- When it comes to an organizational plan for boosting security awareness, 52 per cent said they had an active plan in place, while 23 per cent had no plan but were considering one.
The IDC model ultimately reveals that attackers are growing ever more savvy and specific in targeting company personnel to obtain access to sensitive data; so while there are fewer data breaches happening across the country, more records are being lost when they do happen. And given that mandatory data breach notification may soon become federal law in Canada, via Bill C-12’s proposed amendments to the Personal Information Protection and Electronic Documents Act (PIPEDA), companies would do best to get their IT house in order sooner rather than later.
Bottom line, Canadian organizations need to change the way IT operates by developing a more proactive approach rather than spending time merely reacting to problems, says Senf, adding that outside of the financial services industry, few Canadian firms fully grasp the implications of PIPEDA. A proactive approach includes more security education in-house, along with the pre-emptive deployment of security tools such as antivirus software, network firewalls, VPNs and content filtering/URL blocking.
“In the past IT would react to events in batch form – at the end of a quarter for example. We are now in an age when IT needs to respond, on behalf of the business, to real-time events,” he says.
Get more valuable advice by watching Allstream’s on-demand Webinar: Managed Security: What you don’t know can hurt you.