Canadian businesses give themselves high marks for IT security, but new research from IDC Canada suggests they may be overestimating their ability to mitigate risk.
Two surveys conducted by IDC on behalf of Cisco Canada in August and September of 2014 – across sectors and business sizes – polled public and private sector organizations to better understand their IT security policies, practices and the evolving threat environment.
Of the almost 500 businesses surveyed, more than 60 percent don’t have a security strategy or don’t know how to prepare their networks to take advantage of evolving mobile and cloud computing models.
Threat levels are rising, as are the costs of risk mitigation. According to a recent PwC survey on the global state of information security, incidents soared to a total of 42.8 million in 2014, a 48 percent jump over 2013. The total financial losses attributed to security compromises also increased 34 percent over 2013.
Almost one-quarter of Canadian companies admitted their networks had been infiltrated in the past year, and another 10 percent weren’t sure. In reality, that number is probably much higher, according to IDC analyst Kevin Lonergan, who suggests a successful breach will leave the victim unaware that an attacker was ever on the network.
“Most likely the majority of organizations aren’t aware that they have been breached, and if they are aware, it can be hard to assess what was accessed on the network,” he says.
Insider threats – from employees, customers and other trusted third parties inside the network ecosystem – pose the greatest risk, according to PwC’s survey, yet many companies do not have an insider-threat program in place, leaving their networks open to attack.
Those same employees are using their personal devices to access data within the corporate network. But there’s a serious gap between corporate Bring Your Own Device policy and employee behavior. IDC found that more than one-third of respondents said they were using a personal device without knowing whether their employer allowed it, or even when they knew it was not sanctioned. On the other hand, only about one-third of businesses have policies and solutions in place to protect company data on employee-owned devices.
Organizations intent on realizing the cost and related benefits that a more connected, cloud-based mobile landscape offers need to factor security into every initiative that poses a potential risk to corporate and customer data. Follow these critical steps to raise your organization’s IT security quotient:
– Proactive, not reactive. Look for solutions that move beyond prevention and blocking strategies and into more continuous monitoring, says Fred Patterson, channel director of security for Cisco Canada.
“Today’s threats position themselves as legitimate files and act the way normal files do until something happens downstream. You need to address the attack before, during and after.”
– It’s strategy, stupid. Implement a risk-based approach to security that prioritizes the most valuable assets and proactively addresses the most relevant threats. Even small and mid-sized companies need to create policies to ensure data stays within defined walls. As a baseline of protection, IDC’s Warren Shiau advises data classification around sensitive information.
– Trained protection. PwC’s survey discovered that despite the evolving nature of cyber threats, many organizations have a diminished commitment to employee training and awareness programs.