TELUS Talks Business

Talking Business

5 Posts tagged with the breaches tag

As Chief Information Officer of one of the largest hospitals in the country, the decisions around security that I make affect all areas of the hospital, all employees and ultimately, all patients.

 

Here are some of the proactive actions Sunnybrook Health Sciences Centre takes in implementing processes to strengthen security.

 

To begin, I want to touch on investing in security and reporting incidents. It’s agreed that the healthcare sector is generally underreporting security incidents because we’re not systematically monitoring (this is similar to the state of adverse event reporting for patient safety before Baker and Norton, circa 2004).

 

At Sunnybrook, IT security accounts for 3 per cent of our total IT spend. We have invested in IPS technology, but not Security Information and Event Management yet. With increased detection capabilities, we expect the number of reported incidents to increase. We don’t believe that a larger number of reported incidents indicates an increase in the type and kind of attacks, but rather that our risk management program is working to better detect what’s already happening.

 

We are proceeding with increased and formalized risk monitoring across all IT processes, not just security, and expect that this will lower the underlying security risks and improve Service Level Agreement performance.

 

Legal or best practice breach accountabilities have not materially changed in the past three years, but the increasing scale and scope of IT operations demands greater management visibility and control over IT processes. Appropriate design and operations management of IT projects and systems require integrated security and process controls (ITIL, COBIT, ISO 27002, 27005, etc.). Hospitals are not subject to some government data management requirements (e.g. FIPPA), but this will likely change in 2011.

 

 

Security accountability

 

Today, system availability and accountability for personal health information under PHIPA remain primary security concerns. We are not currently quantifying breach losses and assume these losses and investigation costs are nominal compared to reported averages for commercial, or even government, organizations; but these costs will increase due to a focus on formalized risk monitoring and investigation.

 

Trusted user breaches (malicious and non-malicious) continue to occur. We are instituting access accountability strategies for IT staff and will look at increasing inappropriate access auditing for clinical staff. The overall theme here is “Trust, but verify.”
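To make the “trust, but verify” theme concrete, here is an added example that is not part of the post above and is not Sunnybrook’s tooling: a small Python pass over a chart-access audit export that turns up three kinds of lead for a privacy officer to check. The log rows, user and patient identifiers, unit names, the roster and the volume threshold are all constructed assumptions for the example, and the three rules are one plausible reading of “inappropriate access”, not an audit standard.

```python
"""
Added illustration (not Sunnybrook's tooling and not from the post above): a
minimal "trust, but verify" pass over an EHR chart-access audit export. The
log lines, user and patient identifiers, unit names and the care-team roster
are all constructed for this example; the three rules are assumptions about
what "inappropriate access" might mean, not a clinical-audit standard.
"""
import csv
import io
from collections import Counter

# Constructed audit export: one row per chart view. "unit" is the unit that
# owns the patient's current encounter; "user_surname" lets a simple
# self/family-lookup heuristic run without a separate HR feed.
AUDIT_LOG = """\
timestamp,user_id,user_surname,patient_id,patient_surname,unit,action
2011-03-01T08:02:11,u100,Ng,p5001,Lee,ICU,view
2011-03-01T08:05:40,u100,Ng,p5002,Khan,ICU,view
2011-03-01T09:10:02,u200,Silva,p5003,Brown,ONC,view
2011-03-01T09:11:15,u200,Silva,p5001,Lee,ICU,view
2011-03-01T12:30:00,u300,Lee,p5001,Lee,ICU,view
2011-03-01T13:00:00,u400,Roy,p5010,Patel,ED,view
2011-03-01T13:05:00,u400,Roy,p5011,Osei,ED,view
2011-03-01T13:10:00,u400,Roy,p5012,Wong,ED,view
2011-03-01T13:15:00,u400,Roy,p5013,Dubois,ED,view
2011-03-01T13:20:00,u400,Roy,p5014,Singh,ED,view
2011-03-01T13:25:00,u400,Roy,p5015,Martin,ED,view
"""

# Constructed roster: which units each user was assigned to that day. In a
# real hospital this would come from the scheduling or ADT system.
ROSTER = {
    "u100": {"ICU"},
    "u200": {"ONC"},
    "u300": {"MED"},
    "u400": {"ED"},
}


def parse_log(text):
    """Parse the CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def find_inappropriate_access(log_text, roster, volume_threshold=5):
    """Return sorted (rule, user_id, detail) leads for a reviewer to verify.

    Rules (all assumed for the example):
      no_treatment_relationship: the chart belongs to a unit the user was not
                                 rostered to, so no obvious care relationship.
      same_surname:              user and patient share a surname, a cheap
                                 proxy for self- or family-record lookups.
      high_volume:               more than volume_threshold views by one user
                                 within a single clock hour.
    """
    findings = set()
    views_per_hour = Counter()
    for row in parse_log(log_text):
        if row["action"] != "view":
            continue
        user = row["user_id"]
        if row["unit"] not in roster.get(user, set()):
            findings.add(("no_treatment_relationship", user, row["patient_id"]))
        if row["user_surname"].casefold() == row["patient_surname"].casefold():
            findings.add(("same_surname", user, row["patient_id"]))
        hour = row["timestamp"][:13]  # "YYYY-MM-DDTHH": bucket by clock hour
        views_per_hour[(user, hour)] += 1
    for (user, hour), n in views_per_hour.items():
        if n > volume_threshold:
            findings.add(("high_volume", user, f"{hour}:00 ({n} views)"))
    return sorted(findings)


if __name__ == "__main__":
    for rule, user, detail in find_inappropriate_access(AUDIT_LOG, ROSTER):
        print(f"{rule:26} {user:5} {detail}")
```

On the constructed data this flags an oncology user opening an ICU chart, a user opening a chart with their own surname on a unit they are not assigned to, and one emergency user opening six charts in an hour. Every one of these is a lead, not a verdict: consults, float staff, code responses and legitimate emergency lookups all produce the same pattern, which is why the roster source and the follow-up with the unit manager matter more than the rules themselves.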

 

Our social networking policy was instituted in 2010. It’s a policy largely based on acceptable use, not on data loss prevention.  We agree that data loss and compliance remain top concerns after system availability.

 

Secure web development was addressed this year as well, as PIA and TRA reviews are increasingly applied to all new systems. As reviews become more complex, project teams spend more time evaluating controls, designing to standards and remediating identified risks. ‘Privacy/security by design’ requires additional project resources not previously considered.

 

 

IT security, 2011

 

The creep of consumer mobile devices into the enterprise is the biggest new threat vector, especially to data loss prevention. We’re managing through clear policy and strong technical controls. Smartphone vulnerabilities are being reviewed as consumer phones become corporately supported in 2011. FIPPA application to hospitals will also require review of IM considerations for lifecycle data loss management.

 

Sunnybrook currently has no formal data loss strategy, although we are expanding mobile and e-mail encryption, and will likely establish our data loss strategy as part of overall security risk program development in 2011.

 

Service level agreements for security technology deployment, monitoring, reporting and improvements are key; the major effort/expenditure is in the operations management of controls, not the decision to deploy or the technology selection itself. Vendors generally don’t have much to say about security ops management (e.g. WinMagic lifecycle management) and this remains a challenge.

 

 

A snapshot of best practices

 

  • Get the security basics right and go from there
  • Ensure IT management is focused on business risk, not just on technology
  • Security assurance is about diligence on risk across the IT spectrum

 

 

Sam Marafioti is the Chief Information Officer at Sunnybrook Health Sciences Centre.

 

About Sunnybrook Health Sciences Centre


Sunnybrook Health Sciences Centre is inventing the future of health care for the one million patients the hospital cares for each year through the dedication of its more than 10,000 staff and volunteers. An internationally recognized leader in research and education and a full affiliation with the University of Toronto distinguishes Sunnybrook as one of Canada's premier academic health sciences centres. Sunnybrook specializes in caring for Canada's war veterans, high-risk pregnancies, critically-ill newborns, adults and the elderly, and treating and preventing cancer, cardiovascular disease, neurological and psychiatric disorders, orthopaedic and arthritic conditions and traumatic injuries.


This week, TELUS and the Rotman School of Management released their third annual study on Canadian IT security. Please see this week’s blogs from TELUS’ Yogen Appalraju and Rotman’s Dr. Walid Hejazi for more information about the results or go to TELUS.com/securitystudy.

Tags: 10-99, 100+, business, security, breaches, rotman, telus, rotman_study_2010, rotman_school_of_management

I’m intrigued by the results of the third annual study of Canadian IT security practices from the Rotman School of Management and TELUS.


Let’s talk about the results as they pertain to social networking. They may have you, your boss or your employee thinking twice about allowing it in the workplace.


This year’s results uncover a misconception: one in four Canadian organizations is blocking access to social networking sites, citing security as the primary reason. Today, 66 per cent of employees in the government sector have access to social networking in the workplace, as do close to 80 per cent of private and public sector employees. In both cases, organizations that block access to these sites actually bring productivity and security issues upon themselves as employees spend valuable time trying to circumvent the block or surf the sites through their mobile devices.


What does this say? As trends and technology continue to develop in this ever-changing environment, from the popular engagement with social networking to the proliferation of smartphone usage, there needs to be an increased focus on education and awareness across IT, development and employees to ensure security risks and responsibilities are understood by all.

 

Mobile phones


In keeping with the theme of security to the endpoint, we also asked respondents to share their thoughts, and potentially their concerns, about the proliferation of the mobile phone in the corporate space.


In our 2009 survey, we noted that mobile-related breaches (to specify, any corporate data that was shared as a result of mobile devices and laptops falling into the wrong hands, or unauthorized people accessing files from employees working remotely) were the second largest breach category.

At the same time, we noticed a growing interest in these technologies. The main concern that has come out of this year’s data, and is representative of government, private and public feedback, is the loss of a mobile device with corporate data.

But with this year’s data, we believe that the adoption of this technology does not expose companies to more breaches.  The technology is in place to ensure a secure experience, but only as long as users are educated on best practices on how to keep their devices secure.

 

 

Budgets

 

Another interesting finding from this year’s results is the budget variances between years.

 

Budgets are still well below 2008 levels, in effect carrying over the severe measures implemented in 2009, which resulted in average budget cuts of 10 per cent.


In 2010, it was reported that security budgets were on average slightly above 6.5 per cent of IT budgets, similar to the nearly 7 per cent IT budget touted in 2009.


It is especially important to recognize the need for investment in security budgets, as the proliferation of mobile devices and social networking drive the need for new, more secure technology, governance and education. While the investment in up-to-date technology does represent a large part of the security budget, it’s necessary to allocate adequate funding to the staff and resources as well.

 

  • Findings indicate that many security professionals have broader roles with specialization in teams diminishing. It is crucial that organizations are staffed with enough experienced leadership, backed by strong executive support to ensure the best security strategy possible.

 

  • In 2009, the majority of respondents indicated that the financial crisis had not forced them to cut staffing levels; however, contractors were impacted by austerity measures.  This year, respondents note that internal staffing levels decreased.

 

  • 50 per cent of organizations report security teams of 1-5 full-time employees, and only 12 per cent report teams of 6-10.

 

  • A potential explanation is that while these employees were employed in 2009 to oversee contractors, in 2010, when those contracts expired, the full-time employees overseeing the work were also no longer needed.

 

 

This week, TELUS and the Rotman School of Management released their third annual study on Canadian IT security (TELUS.com/securitystudy).

 

 

Dr. Walid Hejazi is a professor of business economics at Rotman School of Management.

Tags: 10-99, 100+, business, security, breaches, rotman, telus, rotman_study_2010, rotman_school_of_management

Newspaper headlines will tell you that IT security issues can impact the whole business. They can drain the resources of entire teams to address a problem, slow productivity or put proprietary data in the wrong hands. Additionally, the impact on consumer confidence and the reputation of the brand has a resounding effect on a company’s bottom line.

 

The subject of security issues and breaches is not new, but we think it’s important to examine the security landscape for businesses in Canada to provide a benchmark to determine the effectiveness of our investments, the results from changes in technology and address new areas of concern. That’s why every year the Rotman School of Management and TELUS look at the effects IT security has on a business and what types of concerns business owners have about security practices.

 

The 2010 results released yesterday reflect the thoughts and feedback of more than 500 IT professionals. The key finding this year is that Canadian security breaches rose 29 per cent.

 

Breaches increased to an average of 14.6 per year per organization in 2010, compared with an average of 11.3 in 2009. Government reported a significant breach increase of 74 per cent, experiencing an average of 22.4 breaches per year, compared with an average of 13.4 breaches per year in 2009.


The strongest explanation behind the increased number of incidents is the significant investment in detective and reporting capabilities, employed by the government, which enables greater visibility and transparency into breaches. The proactive approach of focused investment has also led to earlier detection, ultimately lowering clean-up costs. The process of balancing risks and optimizing resources to steer the best possible course and achieve the optimal overall business bottom line is crucial to reducing breaches.

 

In addition, the study reveals a growing trend toward sophisticated attacks on high value data – this includes identity information and credit card numbers. What this says to business is that it is crucial to take a pro-active approach in securing data and implementing processes and employee education to maintain security, as we see a continued increase of more intelligent attacks.

 

The “good news” is that Canadian organizations are optimizing for today. The “bad news” is that they are still not doing enough to prepare for tomorrow.

 

In 2009, we saw that the breach levels increased significantly across all sectors, as did the associated breach costs. Currently, while the investment in defensive technology is proving effective with a decrease in breach costs, we continue to see more organizations reporting an increase of focused, intelligent attacks.

 

In planning for the future, there needs to be continued, proactive investment in security, from technology to governance to education in order to reduce the number of breaches, minimize costs to organizations and most importantly, mitigate the risk to sensitive corporate data.

 

Please join us here tomorrow to hear more about the new study and its implications from Dr. Walid Hejazi, professor of business economics at Rotman School of Management.

 

Yogen Appalraju is the vice-president of Security Solutions at TELUS.

Tags: 10-99, 100+, business, security, breaches, rotman, telus, rotman_study_2010, rotman_school_of_management

Today, we announced the results of our third annual study on Canadian IT Security Practices with the Rotman School of Management. The study shows that Canadian companies experienced a 29 per cent increase in security breaches from 2009 to 2010, from an average of 11.3 per year in 2009 to an average of 14.6 per year per organization in 2010.

 

What does it mean?


First, the increase in reported security breaches can be explained by significant industry-wide investments in detective and reporting capabilities. It’s necessary to implement up-to-date technology and focus on governance and employee education, as security is an issue that affects all employees, not only IT executives. As businesses become more proactive with security, the visibility into breaches is letting them react faster and more efficiently, thereby lowering associated costs.


But while the investment in defensive technology is decreasing breach costs, organizations are experiencing more focused attacks. The study reveals a growing trend toward sophisticated attacks on customer and citizen data. Research from our Security Labs indicates that attackers are seeking out sensitive data that can be sold or repurposed for financial gain, rather than opportunistic control of systems.


In terms of social media, this year’s study finds one in four Canadian organizations is blocking access to social networking sites, citing security as the primary driver. However, in both the private and public sectors, organizations that block these sites experienced no improvement in security and could suffer a worsening of security as employees attempt to circumvent the block.

 

The Survey

 

I’ve been asked why we partner with the world-renowned Rotman School of Management at the University of Toronto on an annual IT security study.
The answer is that we recognize that information security extends beyond the realm of IT executives. It affects the entire business, and what better way to provide an overall thought leadership perspective than to partner with a leading organization that is consistently redesigning business education to meet current industry demand?


This year’s survey analyzed data from more than 500 Canadian companies nationwide. This month at TELUS Talks Business, we’ll hear more about key insights from the study, as well as current security trends and issues from experts and customers. Please join us.

 

I’ll leave you today with a snapshot of security breaches from the study. The top five types of breaches in 2010:

1. Malware (worms, viruses, spyware, Trojans)
2. Phishing and pharming
3. Unauthorized access to information by employees
4. Bots (zombies) within the organization
5. Denial of service attacks

 

Technology breaches that dropped most significantly include:

1. Abuse of wireless networks
2. Denial of service attacks
3. Website defacement

 

Access the full report at www.telus.com/securitystudy

 

Yogen Appalraju is the vice-president of security solutions at TELUS. 

Create a profile and join the conversation. Ask your questions about IT security and we’ll pose them to the experts for response here on TELUS Talks Business.

Tags: 10-99, 100+, security, breaches, it_security, rotman, study, rotman_study_2010, rotman_school_of_management

As an employee of a national communications company, I get a lot of emails about strong passwords and I get constant reminders about the security policies in place to protect our customers’ information. Over the past decade I’ve worked in various roles helping companies make sure their networks, computers and data are secure from unauthorised access. However, there’s always been a nagging question in my mind: how much is enough security when it comes to your business data?

 

When I first started in information security, a seasoned consultant told me a joke involving guards, safes and tall fences. The joke wasn’t that funny (thus I spare you a retelling), but the punch line was “and even then I can’t guarantee your data will be secure”. What the joke lacked in humour, it made up for in insight: no matter what you do, it will never be perfectly secure. There will always be a new virus, a smarter hacker or a smaller flash drive to lose at an airport.

 

However, while we’ll never achieve perfect security, perhaps we can get to the right level of security to meet our business needs without inconveniencing us in the process. What we really want is to be reasonably secure against the real problems we will face, or, more simply put, we want to be secure enough.

 

Part of secure enough is understanding the risks you face and selecting the right processes and technology to address the problem. For example:

 

  • If you’ve got credit card data, you need to protect it; firewalls, encryption and intrusion detection are the right place to start.
  • Employees working from home: try secure connectivity technology and user education to make sure they practice good security.
  • Outsourcing technology: look at audits and clear policies to confirm your partner keeps your data secure.

 

The other part of secure enough is knowing what your peers in the industry are doing: having the data to know what others consider reasonable. If you can achieve the same (or better) level of security as your industry peers, your customers are more likely to view you as secure enough.

 

To help solve the challenge of determining what Canadian businesses consider to be secure enough, a team at TELUS Security Labs entered into a joint research initiative with the Rotman business faculty at the University of Toronto. Every year, we survey a few hundred Canadian businesses from all sectors, then use the data to compile and publish the Canadian IT Security Practices Report.

 

Last year we learnt a great deal about what secure enough looks like, including:

 

  • The best performing organizations spent 15% of their IT budget on information security (but the majority of organizations spent an average of 7% and didn’t perform well)
  • Businesses successfully invested in technology to detect and analyse security breaches
  • The number of security breaches quadrupled but businesses invested in operational processes that helped reduce the cost of dealing with the breaches
  • Preventing unauthorised access to information by employees was the fastest growing problem for Canadian businesses

 

The data contained in the survey report (available at telus.com/securitysurvey) provides managers with justification for improving their IT security by:

 

  • Expanding their security budget to address an evolving threat landscape
  • Investing in people and processes to leverage technology more effectively in detecting and preventing breaches
  • Working with the business to make sure customer data is kept safe

 

At the start of August we opened up the 2010 survey and now we’re looking for Canadian business managers to tell us and our co-researchers at the University of Toronto about their perspectives on security and the challenges they face.

 

Help define what secure enough looks like by taking the 2010 security survey today (telus.com/securitysurvey).

 

Ben Sapiro is a Research Director in TELUS Security Labs, one of North America’s leading information security research organizations. Ben is a co-author of the Rotman-TELUS IT Security Practices Survey and works with Canadian executives to help define security strategies. In his spare time Ben works on emerging solutions for securing the cloud and on-demand computing services.

Tags: strategy, 10-99, 100+, business, security, data, labs, business_data, protecting, breaches, access, survey, it_security, rotman