TELUS Talks Business

8 Posts tagged with the rotman tag

Big data and data analytics are rapidly changing business, open government and citizen services, security and privacy. Whether it’s easily mapping a bus route using Google Maps thanks to open access to data provided by your local transit provider, discovering correlations between magnesium deficiencies and migraines, or uncovering a breach in your organization’s security infrastructure, big data is here to stay and will have dramatic impacts on us in the future.

 

But what is Big Data? The core aspects of big data to consider are that:

 

(a) It is increasingly easy to gather, store and manage very large datasets
(b) Using data analytics and correlation engines we can extract value from these datasets in ways to drive new opportunities
(c) If you can do it for good, others can do it for evil

 

Big data and data correlation are being used for good in a number of ways. Have you recently had a credit card cancelled by the issuer without having reported fraud yourself? Most people are not aware that the majority of credit card related breaches are discovered not by the consumer, merchant or transaction processor, but by Visa, Mastercard and American Express. Those three companies hold huge transaction datasets and correlation capabilities that let them see patterns in fraud and trace them back to the specific source of a breach (the merchant or processor that the compromised cards have in common), usually before the affected organization knows anything is wrong. Gathering more data, and finding ways to sift through that data, is incredibly important to the future of security.
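As an added illustration (not code from this post or from TELUS), the following Python shows the common-point-of-purchase analysis behind that kind of detection: given a transaction history and the set of cards later reported as compromised, rank merchants by how over-represented they are among the bad cards. The transactions, card identifiers, merchant names and thresholds are all constructed for the example.

```python
from collections import defaultdict

# Constructed sample data: card transactions as (card_id, merchant, date) and the
# set of cards whose holders later reported fraud. Hypothetical values, not real data.
TRANSACTIONS = [
    ("card-001", "grocer-A", "2011-05-02"),
    ("card-001", "gas-B",    "2011-05-03"),
    ("card-001", "bistro-Z", "2011-05-07"),
    ("card-002", "bistro-Z", "2011-05-08"),
    ("card-002", "books-C",  "2011-05-09"),
    ("card-003", "gas-B",    "2011-05-10"),
    ("card-003", "bistro-Z", "2011-05-11"),
    ("card-004", "gas-B",    "2011-05-12"),
    ("card-004", "grocer-A", "2011-05-13"),
    ("card-005", "bistro-Z", "2011-05-14"),
    ("card-006", "grocer-A", "2011-05-15"),
    ("card-007", "grocer-A", "2011-05-16"),
    ("card-007", "books-C",  "2011-05-17"),
    ("card-008", "grocer-A", "2011-05-18"),
]
FRAUD_CARDS = {"card-001", "card-002", "card-003", "card-005"}


def common_point_of_purchase(transactions, fraud_cards, min_fraud_cards=3):
    """Rank merchants by how over-represented they are among cards that later went bad.

    Returns a list of (merchant, fraud_cards_seen, all_cards_seen, share, lift), best
    candidate first. 'share' is the fraction of the merchant's cards that went bad and
    'lift' divides that by the fraud rate across all cards, so 1.0 means "no better
    than chance" and a lift well above 1.0 points at a common point of compromise.
    """
    cards_by_merchant = defaultdict(set)
    all_cards = set()
    for card, merchant, _date in transactions:
        cards_by_merchant[merchant].add(card)
        all_cards.add(card)
    base_rate = len(fraud_cards & all_cards) / len(all_cards)

    candidates = []
    for merchant, cards in cards_by_merchant.items():
        fraud_seen = cards & fraud_cards
        if len(fraud_seen) < min_fraud_cards:
            continue  # too few bad cards to say anything about this merchant
        share = len(fraud_seen) / len(cards)
        candidates.append((merchant, len(fraud_seen), len(cards), share, share / base_rate))
    candidates.sort(key=lambda c: (c[4], c[1]), reverse=True)
    return candidates


if __name__ == "__main__":
    for merchant, bad, total, share, lift in common_point_of_purchase(
            TRANSACTIONS, FRAUD_CARDS, min_fraud_cards=2):
        print(f"{merchant:10s} {bad}/{total} cards later compromised, lift {lift:.2f}")
```

In the constructed data every compromised card passed through bistro-Z and no clean card did, so it ranks first with a lift of 2.0; gas-B only clears the bar when the minimum is lowered to two cards. A real analysis additionally restricts the transactions to a window before each card's first fraudulent charge, so that purchases made after the compromise do not pollute the ranking.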

 

In the enterprise, we see security information and event management (SIEM) deployments as the front line of this approach. By aggregating system logs, looking for anomalies and, over time, learning to sort the wheat from the chaff, an organization can take a more effective stance on security events. When organizations have failed to put effective logging in place, it is often nearly impossible to determine the source or cause of a breach, infection or data loss. But when the tools are in place and properly used, organizations become aware of incidents as they occur, and can reduce the impact and spread of events, and thus the costs associated with them. The Rotman survey we do annually shows that organizations that invest in logging and SIEM tools consistently experience improved security outcomes.
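The following is an added example of the kind of correlation rule a SIEM runs over aggregated logs; it is not code from this post or from TELUS. It parses constructed sshd-style authentication lines, keeps a sliding window of failed logins per source address, and escalates when a success follows a burst of failures. The host names, addresses, timestamps, threshold and window are assumptions for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd/syslog-style auth lines (hypothetical hosts and addresses, not real logs).
SAMPLE_LOG = """\
May 12 03:14:01 web01 sshd[2231]: Failed password for invalid user admin from 203.0.113.9 port 51002 ssh2
May 12 03:14:03 web01 sshd[2231]: Failed password for invalid user admin from 203.0.113.9 port 51004 ssh2
May 12 03:14:05 web01 sshd[2233]: Failed password for root from 203.0.113.9 port 51006 ssh2
May 12 03:14:07 web01 sshd[2235]: Failed password for root from 203.0.113.9 port 51008 ssh2
May 12 03:14:09 web01 sshd[2237]: Failed password for root from 203.0.113.9 port 51010 ssh2
May 12 03:14:12 web01 sshd[2239]: Accepted password for root from 203.0.113.9 port 51012 ssh2
May 12 08:02:44 web01 sshd[3101]: Failed password for alice from 198.51.100.7 port 40210 ssh2
May 12 08:02:50 web01 sshd[3103]: Accepted publickey for alice from 198.51.100.7 port 40212 ssh2
May 12 09:30:00 web01 sshd[3300]: Failed password for bob from 192.0.2.44 port 33001 ssh2
May 12 09:45:00 web01 sshd[3301]: Failed password for bob from 192.0.2.44 port 33002 ssh2
May 12 10:00:00 web01 sshd[3302]: Failed password for bob from 192.0.2.44 port 33003 ssh2
May 12 10:15:00 web01 sshd[3303]: Failed password for bob from 192.0.2.44 port 33004 ssh2
May 12 10:30:00 web01 sshd[3304]: Failed password for bob from 192.0.2.44 port 33005 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+"
)


def parse_line(line, year=2011):
    """Normalise one raw line into an event dict; syslog lines carry no year, so one is assumed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "result": m["result"],
            "user": m["user"], "src": m["src"]}


def detect_bruteforce(log_text, threshold=5, window_minutes=10):
    """Flag a source after `threshold` failures inside a sliding window, and raise the
    severity if that same source then logs in successfully: the success is the signal
    that separates a real compromise from a noisy scanner."""
    window = timedelta(minutes=window_minutes)
    recent_failures = defaultdict(deque)  # src -> timestamps of failures inside the window
    flagged = set()
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue  # unrelated or unparseable line
        src = ev["src"]
        q = recent_failures[src]
        if ev["result"] == "Failed":
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:
                q.popleft()  # drop failures that fell out of the window
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append({"severity": "medium", "src": src, "at": ev["ts"],
                               "reason": f"{len(q)} failed logins within {window_minutes} min"})
        elif src in flagged:
            alerts.append({"severity": "high", "src": src, "at": ev["ts"],
                           "reason": f"login as {ev['user']} succeeded after brute-force burst"})
    return alerts


if __name__ == "__main__":
    for a in detect_bruteforce(SAMPLE_LOG):
        print(f"{a['at']} {a['severity']:6s} {a['src']:13s} {a['reason']}")
```

With the defaults only 203.0.113.9 produces alerts: a medium one on the fifth failure and a high one when the root login succeeds. The third source fails once every fifteen minutes and never trips a ten-minute window; widening the window to two hours catches it, at the cost of more noise from ordinary mistyped passwords. That trade-off is the "wheat from the chaff" tuning described above.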

 

However, the bad guys have access to these same tools. In addition to the huge databases of stolen credit card numbers and other personal information available on the web for small change, criminals are increasingly using big data techniques to correlate individual pieces of information about victims into richer profiles, which sell for higher prices. Bringing together a credit card number with a name, address, date of birth and mother’s maiden name gives an identity thief a much richer profile with which to wreak havoc. Researchers have also used data correlation techniques to link public voting records, land records, anonymized health care studies and social security or insurance numbers, revealing information that was never intended to be disclosed.
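As an added example, not from this post or from TELUS, the Python below performs the linkage attack the last sentence alludes to: it joins an "anonymized" health extract to an identified voter roll on the quasi-identifiers they share (postal code, date of birth, sex), reports which rows are uniquely re-identified, and computes the extract's k-anonymity, the check a data publisher would run before release. Every record, name and postal code is constructed; the field names are assumptions.

```python
from collections import Counter, defaultdict

QUASI_IDENTIFIERS = ("postal", "dob", "sex")

# Constructed "anonymized" health-study extract: names stripped, quasi-identifiers kept.
HEALTH_STUDY = [
    {"postal": "M4N", "dob": "1971-03-14", "sex": "F", "diagnosis": "migraine"},
    {"postal": "M4N", "dob": "1971-08-01", "sex": "F", "diagnosis": "hypertension"},
    {"postal": "M5V", "dob": "1980-01-20", "sex": "F", "diagnosis": "asthma"},
    {"postal": "M5V", "dob": "1980-01-20", "sex": "F", "diagnosis": "diabetes"},
    {"postal": "M5V", "dob": "1980-11-09", "sex": "M", "diagnosis": "arthritis"},
    {"postal": "M5V", "dob": "1980-02-02", "sex": "M", "diagnosis": "back pain"},
]
# Constructed public voter roll: identified, with the same quasi-identifiers.
VOTER_ROLL = [
    {"name": "A. Example", "postal": "M4N", "dob": "1971-03-14", "sex": "F"},
    {"name": "B. Example", "postal": "M4N", "dob": "1971-08-01", "sex": "F"},
    {"name": "C. Example", "postal": "M5V", "dob": "1980-01-20", "sex": "F"},
    {"name": "D. Example", "postal": "M5V", "dob": "1980-01-20", "sex": "F"},
    {"name": "E. Example", "postal": "M5V", "dob": "1980-11-09", "sex": "M"},
    {"name": "F. Example", "postal": "M5V", "dob": "1975-06-06", "sex": "M"},
]


def quasi_key(record):
    return tuple(record[field] for field in QUASI_IDENTIFIERS)


def link_records(anonymized, identified):
    """Join the anonymized rows to the identified ones on the quasi-identifiers.

    A row counts as re-identified only when the match is unique on BOTH sides:
    exactly one voter has those values and exactly one health row has them.
    Returns (reidentified, ambiguous, unmatched)."""
    voters_by_key = defaultdict(list)
    for rec in identified:
        voters_by_key[quasi_key(rec)].append(rec["name"])
    peers_by_key = Counter(quasi_key(rec) for rec in anonymized)

    reidentified, ambiguous, unmatched = [], [], []
    for rec in anonymized:
        k = quasi_key(rec)
        names, peers = voters_by_key.get(k, []), peers_by_key[k]
        if not names:
            unmatched.append(rec["diagnosis"])
        elif len(names) == 1 and peers == 1:
            reidentified.append((names[0], rec["diagnosis"]))
        else:
            ambiguous.append((rec["diagnosis"], len(names), peers))
    return reidentified, ambiguous, unmatched


def k_anonymity(records):
    """Size of the smallest group sharing the same quasi-identifier values.
    k == 1 means at least one row is unique on those fields and therefore linkable."""
    return min(Counter(quasi_key(r) for r in records).values())


def generalize_dob_to_year(records):
    """One common generalization: coarsen date of birth to year of birth."""
    return [{**r, "dob": r["dob"][:4]} for r in records]


if __name__ == "__main__":
    found, unclear, none = link_records(HEALTH_STUDY, VOTER_ROLL)
    print("k =", k_anonymity(HEALTH_STUDY), "re-identified:", found)
    coarse = generalize_dob_to_year(HEALTH_STUDY)
    print("k after generalization =", k_anonymity(coarse),
          "re-identified:", link_records(coarse, generalize_dob_to_year(VOTER_ROLL))[0])
```

On the raw extract k is 1 and three diagnoses are attached to names. Coarsening date of birth to year raises k to 2 and removes every unique match; it also shows why uniqueness must hold on both sides: one voter still matches the (M5V, 1980, M) group after generalization, but two health rows share it, so which diagnosis is his stays ambiguous.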

 

If your organization is responsible for verifying identity in order to establish credit, provide access to resources, sell services or for other reasons, it is important to keep in mind how easily, and how cheaply, this information can be gathered for malicious purposes, and to develop effective countermeasures to prevent fraud. In particular, static "secret" facts such as date of birth or mother’s maiden name are exactly the data being aggregated, so on their own they make weak verification factors. That fraud has costs both for your organization and for the individuals who suffer the identity theft.

 

So, keep in mind the value of data, how easily it can be gathered and the tools available for analysis, and find ways to use it to your advantage and to offset the risks to your organization.

 

Michael Argast, TELUS Security Solutions


The view discussed in last week’s Security 360, Evolution, attack or collapse: Three Views on the Future of IT Security, was that IT security will be enhanced sufficiently through natural evolution, i.e. without things needing to get much worse before they get better.

 

The two views discussed below are not so optimistic.

 

Second View: A Digital Pearl Harbor

 

During our meetings, Rafael Etges, Director of Security & Risk Consulting at TELUS Security Solutions and Neil Begin, Program Director at TELUS Security Labs, and I discussed the potential of a "digital Pearl Harbor." A digital Pearl Harbor has been defined as a "sophisticated attack on our digital workings [which] could create widespread misery: everything from power failures to train wrecks."

 

Has a digital Pearl Harbor occurred? Well, there was an event that came to light in 2011 that is a candidate: Operation Shady RAT, just recently uncovered by McAfee.

 

It is purportedly the biggest-ever series of cyber attacks, involving the infiltration of 72 organizations including the United Nations, governments and large companies around the world. The campaign, spanning at least five years and engineered by sophisticated hackers (possibly controlled by a foreign government), targeted the governments of Canada, the United States, Taiwan, India, South Korea and Vietnam; the Association of Southeast Asian Nations (ASEAN); the International Olympic Committee (IOC); the World Anti-Doping Agency; and an array of companies, from defense contractors to high-tech enterprises.

 

McAfee highlighted the breach of the UN’s IT system: the hackers broke into the computer system of the UN Secretariat in Geneva in 2008, hid there, unnoticed for nearly two years, and quietly combed through reams of secret data. What is interesting is that McAfee learned of the extent of the hacking campaign when its researchers discovered logs of the attacks while reviewing the contents of a “command and control” server that they had discovered in 2009 as part of an investigation into security breaches at defense companies.

 

Although the information on the server went back five years, there is no information on how long before that the breaches had begun. Also, many of the breaches were still in progress when McAfee discovered them. Hence it is likely that many breaches are currently in progress and not yet detected. This should be a real wake-up call for everyone.

 

One might think this wake-up call would bring about the change in mindset that should predictably follow such a significant breach. However, that never happened, and the industry is still treating these big threats, for the most part, as business as usual, although there are of course exceptions.

 

This reaction, or rather non-reaction, is probably because no one is known to have died or lost their life savings as a result of these breaches, even though the organizations involved suffered a massive amount of direct and indirect damage, both financial and reputational.

 

As stated in a 2003 article by Scott Berinato “Before Internet security changes in fundamental ways, we will have to feel as shocked and vulnerable as all Americans did reading the newspaper and listening to the radio on the morning of Dec. 7, 1941 (or watching television on Sept. 11, 2001).”

 

Is a huge catastrophe, involving life-threatening events or irreparable financial losses to a population, necessary to generate that kind of support for security? A “digital Pearl Harbor” would suggest, for example, that a natural target could be the entire financial system (and not just one institution), or the SCADA systems controlling critical infrastructure.

 

None of these has yet occurred on a massive scale. However, the recent state-sponsored attack on Iran’s uranium enrichment infrastructure (the Stuxnet incident) and the breaches of US and Canadian government agencies in the Shady RAT operation uncovered by McAfee could be considered close calls: the immediate damage that could have been done is enormous.

 

Think of the impact had Stuxnet caused an explosion at the nuclear facility. Or, as noted in the Ottawa Citizen on Aug 2, 2011, “... the U.S. Department of Homeland Security last week confirmed the worries of many cyber security experts by warning that the infamous Stuxnet computer worm, blamed for last summer's shutdown of Iran's uranium enrichment plants, could be re-purposed by hackers and directed at other targets. Already, Stuxnet can spy on - and reprogram - the industrial control systems that operate much of North America's critical infrastructure.”

 

Think of the potential impact of an attack using a derivative of Stuxnet against a nuclear facility in Canada, the US, Europe or anywhere else where the facility is clearly used solely for energy production. Or how about an attack on any other critical infrastructure? The damage could be enormous.

 

Furthermore, think about the financial damage that could be caused if those behind the breach of the US and Canadian government agencies used the information for immediate financial gain. It is possible that these breaches are already being exploited for financial and perhaps national security purposes, but it is more likely that those behind them will use the information slowly, over time, in a way that will not be revealed until it is too late.

 

This means the use of that information will not be immediately aggressive, so as not to reveal the hackers, and hence there are unlikely to be abrupt changes in financial markets, critical services, industrial control systems and so on. But the possibility exists, and it could cause significant financial losses and perhaps significant loss of life. What all this tells us is that these vulnerabilities are present and need to be taken more seriously. Those who hold this view therefore believe that IT security will not be taken seriously enough until a disastrous event occurs.

 

Third View: Sustained Collapse in IT Security

 

There is a third view which conjectures that a Digital Pearl Harbor won’t do it – that is, it won’t bring about a fundamental change in the mindset around IT Security.

 

Rather, there will need to be a large, sustained catastrophe for the general public and IT managers to change their core perceptions and to adopt personal and cyber security in any meaningful and responsible way. There will need to be an event where the Internet and the devices connected to it will be painted as personally dangerous and threatening.

 

According to this view, a digital Pearl Harbor as an event, will be too short-lived to have the desired change vis-à-vis IT security. Change, on a massive scale, would need to come from decades-long, sustained pressures on entire populations.

 

At present, there seem to be just enough good guys to put out the fires and clean up the wreckage that the average netizen will hardly notice the new internet crater on the way to work in the morning. Supporting this view is the fact that in the immediate aftermath of 9/11 there was widespread support for enhanced security. After just a few years, however, frustration set in, and air travellers and the public generally felt the enhanced security was unnecessary; many felt governments were overdoing it. So not even 9/11 did it, vis-à-vis security around terrorism.

 

These two views indicate that things will need to get much worse before a fundamental change is seen in IT security. This is in contrast to the first view, discussed last week, which held that things don’t necessarily need to get worse before they get better.

 

Those that believe in this most optimistic view would argue that there is equilibrium in place and hence there is no fundamental change needed – it is just necessary for security to continue to evolve with the threat environment.

 

Only time will tell which view will prevail.

 

This summer, TELUS Talks Business brings you Security 360, a one-of-a-kind limited series on information security from Dr. Walid Hejazi, professor of international business at the Rotman School of Management and a world-renowned expert on IT security. Dr. Hejazi has led the TELUS-Rotman Joint Study on Canadian IT Security Practices on behalf of Rotman since its inception and has unique perspective and insight into IT security in Canadian business. Your comments and questions are welcome here.

 

Attention IT security professionals: your perspectives matter. For the 4th straight year, TELUS Security Labs and the Rotman School of Management at the University of Toronto are partnering to conduct a study on Canadian IT security practices. It’s the only original Canadian research of its kind. Add your perspective to the research (input is anonymous) and you could win a BlackBerry PlayBook and receive a complimentary copy of the results. Click here to take the survey: http://www.telus.com/securitystudy


Today, the conclusion of 15 Minutes with Yogen Appalraju, vice-president of TELUS Security Solutions:


9. Do you foster a culture of innovation in your workplace, and if so, how?

I think staying current with what’s going on in the marketplace is what will ultimately ensure your survival. At TELUS, we are absolutely trying to push the envelope on the product and development life cycle so we can launch products quicker. So much around us is changing, we need to launch services that adopt and bring out the value in new innovative technologies.


10. Social media has grown exponentially in a very short space of time, yet business owners are unsure how to optimize social media. Has your company invested resources in social media as a communications tool, or are you waiting for a more robust success model?


Absolutely. Jeff Lowe (TELUS VP Marketing, Enterprise), together with a fantastic centre of partners, has fully embraced it for business. Our company is really working in an advanced way to embrace social networking.


11. What book are you reading for business?

 

I’m finishing up a book called The Checklist Manifesto: How to Get Things Right, by Atul Gawande. It is really about how you can manage and control the results of what you’re doing by taking a methodical approach. Checklists enable you to be consistent and methodical in getting the results you are trying to achieve.


12. Based on what you learned in 2010, what will you do differently in 2011?

 

What I’m going to really focus on is the 10 most important things I want to achieve in 2011, and then make sure that I’m consciously trying to spend time on those 10 things, so I get the results I’m looking for. One priority includes spending more time with my customers across Canada. Another area is to launch several new products in 2011, including a Managed Secure Mobility service that allows organizations to secure mobile devices in a consistent manner, irrespective of whether it’s a BlackBerry, iPad or Android device.

 

13. What do you want to be able to say about your results in 2011 when we talk again in 12 months?


That those very important priorities I just mentioned have been successfully accomplished.


14. What is your 2011 resolution for your part of the business?


I’d like our team to continue the success we’ve had in 2010 in driving and growing our security business, and to ensure we’re doing it in a manner in which the team continues to be motivated and passionate about what they do.


TELUS Security Solutions was formed with the merger of TELUS business resiliency and the strategic acquisition of Assurent Secure Technologies in 2006. Today, TELUS Security Labs is a leading provider of security research, backing security vendors, large enterprises and government organizations in North America, Europe and Asia. In Canada, Yogen Appalraju (pictured) leads a national team of more than 165 that specializes in managed services, security products and consulting, supporting organizations in designing and implementing world-class security capabilities.

 

TELUS and the Rotman School of Management just released their third annual study on Canadian IT security. For a copy of the report, go to TELUS.com/securitystudy or leave a comment and request it.


As Chief Information Officer of one of the largest hospitals in the country, the decisions around security that I make affect all areas of the hospital, all employees and ultimately, all patients.

 

Here are some of the proactive actions Sunnybrook Health Sciences Centre takes in implementing processes to strengthen security.

 

To begin, I want to touch on investing in security and reporting incidents. It’s generally agreed that the healthcare sector underreports security incidents because we’re not systematically monitoring for them (similar to the state of adverse event reporting for patient safety before the Baker-Norton study, circa 2004).

 

At Sunnybrook, IT security accounts for 3 per cent of our total IT spend. We have invested in IPS technology, but not yet in Security Information and Event Management (SIEM). With increased detection capabilities, we expect the number of reported incidents to rise. We don’t believe a larger number of reported incidents indicates an increase in the kind or number of attacks, but rather that our risk management program is better detecting what is already happening.

 

We are proceeding with increased and formalized risk monitoring across all IT processes - not just security – and expect that this will lower the underlying security risks and improve Service Level Agreement performance.

 

Legal or best practice breach accountabilities have not materially changed in the past three years, but the increasing scale and scope of IT operations demand greater management visibility and control over IT processes. Appropriate design and operations management of IT projects and systems require integrated security and process controls (ITIL, COBIT, ISO 27002, 27005, etc.). Hospitals are not currently subject to some government data management requirements (e.g. FIPPA), but this will likely change in 2011.

 

 

Security accountability

 

Today, system availability and accountability for personal health information under PHIPA remain primary security concerns. We are not currently quantifying breach losses and assume these losses and investigation costs are nominal compared to reported averages for commercial, or even government - but these costs will increase due to a focus on formalized risk monitoring and investigation.

 

Trusted user breaches (malicious and non-malicious) continue to occur. We are instituting access accountability strategies for IT staff and will look at increasing inappropriate access auditing for clinical staff. The overall theme here is “Trust, but verify.”

 

Our social networking policy was instituted in 2010. It’s a policy largely based on acceptable use, not on data loss prevention.  We agree that data loss and compliance remain top concerns after system availability.

 

Secure web development was addressed this year as well, as privacy impact assessment (PIA) and threat and risk assessment (TRA) reviews are increasingly applied to all new systems. As reviews become more complex, project teams spend more time evaluating controls, designing to standards and remediating identified risks. ‘Privacy/security by design’ requires additional project resources not previously budgeted.

 

 

IT security, 2011

 

The creep of consumer mobile devices into the enterprise is the biggest new threat vector, especially for data loss. We’re managing it through clear policy and strong technical controls. Smartphone vulnerabilities are being reviewed as consumer phones become corporately supported in 2011. FIPPA’s application to hospitals will also require a review of information management (IM) considerations for lifecycle data loss management.

 

Sunnybrook currently has no formal data loss strategy, although we are expanding mobile and e-mail encryption, and will likely establish our data loss strategy as part of overall security risk program development in 2011.

 

Service level agreements for security technology deployment, monitoring, reporting and improvements are key; the major effort/expenditure is in the operations management of controls, not the decision to deploy or the technology selection itself. Vendors generally don’t have much to say about security ops management (e.g. Winmagic lifecycle management) and this remains a challenge.

 

 

A snapshot of best practices

 

  • Get the security basics right and go from there
  • Ensure IT management is focused on business risk, not just on technology
  • Security assurance is about diligence on risk across the IT spectrum

 

 

Sam Marafioti is the Chief Information Officer at Sunnybrook Health Sciences Centre.

 

About Sunnybrook Health Sciences Centre


Sunnybrook Health Sciences Centre is inventing the future of health care for the one million patients the hospital cares for each year through the dedication of its more than 10,000 staff and volunteers. An internationally recognized leader in research and education and a full affiliation with the University of Toronto distinguishes Sunnybrook as one of Canada's premier academic health sciences centres. Sunnybrook specializes in caring for Canada's war veterans, high-risk pregnancies, critically-ill newborns, adults and the elderly, and treating and preventing cancer, cardiovascular disease, neurological and psychiatric disorders, orthopaedic and arthritic conditions and traumatic injuries.


This week, TELUS and the Rotman School of Management released their third annual study on Canadian IT security. Please see this week’s blogs from TELUS’ Yogen Appalraju and Rotman’s Dr. Walid Hejazi for more information about the results or go to TELUS.com/securitystudy.


I’m intrigued by the results of the third annual study of Canadian IT security practices from the Rotman School of Management and TELUS.


Let’s talk about the results as they pertain to social networking. They may have you, your boss or your employee thinking twice about allowing it in the workplace.


This year’s results uncover a misconception: one in four Canadian organizations block access to social networking sites, citing security as the primary reason. Today, 66 per cent of employees in the government sector have access to social networking in the workplace, as do close to 80 per cent of private and public sector employees. In both cases, organizations that block access to these sites actually bring productivity and security issues upon themselves, as employees spend valuable time trying to circumvent the block or surf the sites through their mobile devices.


What does this say? As trends and technology continue to develop in this ever-changing environment, from the popular engagement with social networking to the proliferation of smartphones, there needs to be an increased focus on education and awareness across IT, development and employees to ensure security risks and responsibilities are understood by all.

 

Mobile phones


In keeping with the theme of security to the endpoint, we also asked respondents to share their thoughts, and potentially their concerns, about the proliferation of the mobile phone in the corporate space.


In our 2009 survey, we noted that mobile-related breaches (specifically, any corporate data exposed as a result of mobile devices and laptops falling into the wrong hands, or unauthorized people accessing files from employees working remotely) were the second largest breach category.

At the same time, we noticed a growing interest in these technologies. The main concern to come out of this year’s data, representative of government, private and public sector feedback alike, is the loss of a mobile device holding corporate data.

But this year’s data suggests that adopting this technology does not expose companies to more breaches. The technology is in place to ensure a secure experience, but only as long as users are educated on best practices for keeping their devices secure.

 

 

Budgets

 

Another interesting finding from this year’s results is the budget variances between years.

 

Budgets are still well below 2008 levels, in effect carrying over the severe measures implemented in 2009, which resulted in average budget cuts of 10 per cent.


In 2010, security budgets averaged slightly above 6.5 per cent of IT budgets, similar to the nearly 7 per cent reported in 2009.


It is especially important to recognize the need for investment in security budgets, as the proliferation of mobile devices and social networking drive the need for new, more secure technology, governance and education. While the investment in up-to-date technology does represent a large part of the security budget, it’s necessary to allocate adequate funding to the staff and resources as well.

 

  • Findings indicate that many security professionals now have broader roles, with specialization within teams diminishing. It is crucial that organizations are staffed with enough experienced leadership, backed by strong executive support, to ensure the best possible security strategy.

 

  • In 2009, the majority of respondents indicated that the financial crisis had not forced them to cut staffing levels; however, contractors were impacted by austerity measures. This year, respondents note that internal staffing levels decreased.

 

  • Half of organizations reported security teams of one to five full-time employees, and only 12 per cent reported teams of six to ten.

 

  • A potential explanation is that while these employees were employed in 2009 to oversee contractors, in 2010, when those contracts expired, the full-time employees overseeing the work were no longer needed either.

 

 

This week, TELUS and the Rotman School of Management released their third annual study on Canadian IT security (TELUS.com/securitystudy)

 

 

Dr. Walid Hejazi is a professor of business economics at Rotman School of Management.


Newspaper headlines will tell you that IT security issues can impact the whole business. It can drain the resources of entire teams to address a problem, slow productivity or put proprietary data in the wrong hands. Additionally, the impact on consumer confidence and the reputation of the brand have a resounding effect on a company’s bottom line.

 

The subject of security issues and breaches is not new, but we think it’s important to examine the security landscape for businesses in Canada to provide a benchmark to determine the effectiveness of our investments, the results from changes in technology and address new areas of concern. That’s why every year the Rotman School of Management and TELUS look at the effects IT security has on a business and what types of concerns business owners have about security practices.

 

The 2010 results, released yesterday, reflect the thoughts and feedback of more than 500 IT professionals. The key finding this year is that Canadian security breaches rose 29 per cent.

 

The breaches increased to an average of 14.6 per year per organization in 2010 – compared with an average of 11.3 in 2009. Government reported the significant breach increase of 74 per cent, experiencing an average of 22.4 breaches per year – compared with an average of 13.4 breaches per year in 2009.


The strongest explanation for the increased number of incidents is the significant investment in detection and reporting capabilities by government, which gives greater visibility and transparency into breaches. This proactive, focused investment has also led to earlier detection, ultimately lowering clean-up costs. Balancing risks and optimizing resources to steer the best possible course, and achieve the best overall business outcome, is crucial to reducing breaches.

 

In addition, the study reveals a growing trend toward sophisticated attacks on high value data – this includes identity information and credit card numbers. What this says to business is that it is crucial to take a pro-active approach in securing data and implementing processes and employee education to maintain security, as we see a continued increase of more intelligent attacks.

 

The “good news” is that Canadian organizations are optimizing for today. The “bad news” is that they are still not doing enough to prepare for tomorrow.

 

In 2009, we saw that the breach levels increased significantly across all sectors, as did the associated breach costs. Currently, while the investment in defensive technology is proving effective with a decrease in breach costs, we continue to see more organizations reporting an increase of focused, intelligent attacks.

 

In planning for the future, there needs to be continued, proactive investment in security, from technology to governance to education in order to reduce the number of breaches, minimize costs to organizations and most importantly, mitigate the risk to sensitive corporate data.

 

Please join us here tomorrow to hear more about the new study and its implications from Dr. Walid Hejazi, professor of business economics at Rotman School of Management.

 

Yogen Appalraju is the vice-president of Security Solutions at TELUS.


Today, we announced the results of our third annual study on Canadian IT Security Practices with the Rotman School of Management. The study shows that Canadian companies experienced a 29 per cent increase in security breaches from 2009 to 2010, from an average of 11.3 per year in 2009 to an average of 14.6 per year per organization in 2010.

 

What does it mean?


First, the increase in reported security breaches can be explained by significant industry-wide investments in detection and reporting capabilities. It’s necessary to implement up-to-date technology and focus on governance and employee education, as security is an issue that affects all employees, not only IT executives. As businesses become more proactive with security, the visibility into breaches is letting them react faster and more efficiently, thereby lowering associated costs.


But while the investment in defensive technology is decreasing breach costs, organizations are experiencing more focused attacks. The study reveals a growing trend toward sophisticated attacks on customer and citizen data. Research from our Security Labs indicates that attackers are seeking out sensitive data that can be sold or repurposed for financial gain, rather than opportunistic control of systems.


In terms of social media, this year’s study finds one in four Canadian organizations are blocking access to social networking sites, citing security as the primary driver. However, in both the private and public sectors, organizations that block these sites experienced no improvement in security and could suffer a worsening of security as employees attempt to circumvent the block.

 

The Survey

 

I’ve been asked why we partner with the world-renowned Rotman School of Management at the University of Toronto on an annual IT security study.
The answer is that we recognize that information security extends beyond the realm of IT executives. It affects the entire business, and what better way to provide an overall thought leadership perspective than to partner with a leading organization that is consistently redesigning business education to meet current industry demand?


This year’s survey analyzed data from more than 500 Canadian companies nationwide. This month at TELUS Talks Business, we’ll hear more about key insights from the study, as well as current security trends and issues from experts and customers. Please join us.

 

I’ll leave you today with a snapshot of security breaches from the study. The top five types of breaches in 2010:

1. Malware (worms, viruses, spyware, Trojans)
2. Phishing and pharming
3. Unauthorized access to information by employees
4. Bots (zombies) within the organization
5. Denial of service attacks

 

Technology breaches that dropped most significantly include:

1. Abuse of wireless networks
2. Denial of service attacks
3. Website defacement

 

Access the full report at www.telus.com/securitystudy

 

Yogen Appalraju is the vice-president of Security Solutions at TELUS.

Create a profile and join the conversation. Ask your questions about IT security and we’ll pose them to the experts for response here on TELUS Talks Business.


As an employee of a national communications company, I get a lot of emails about strong passwords and constant reminders about the security policies in place to protect our customers’ information. Over the past decade I’ve worked in various roles helping companies make sure their networks, computers and data are secure from unauthorised access. However, there’s always been a nagging question in my mind: how much is enough security when it comes to your business data?

 

When I first started in information security, a seasoned consultant told me a joke involving guards, safes and tall fences. The joke wasn’t that funny (so I’ll spare you a retelling), but the punch line was “and even then I can’t guarantee your data will be secure”. What the joke lacked in humour, it made up for in insight: no matter what you do, your data will never be perfectly secure. There will always be a new virus, a smarter hacker or a smaller flash drive to lose at an airport.

 

However, while we’ll never achieve perfect security, perhaps we can get to the right level of security to meet our business needs without inconveniencing ourselves in the process. What we really want is to be reasonably secure against the real problems we will face, or, more simply put, we want to be secure enough.

 

Part of being secure enough is understanding the risks you face and selecting the right processes and technology to address them. For example:

 

  • If you’ve got credit card data, you need to protect it; firewalls, encryption and intrusion detection are the right place to start.
  • Employees working from home: try secure connectivity technology and user education to make sure they practice good security.
  • Outsourcing technology: look at audits and clear policies to confirm your partner keeps your data secure.

 

The other part of being secure enough is knowing what your peers in the industry are doing, and having the data to know what others consider reasonable. If you can achieve the same (or better) level of security as your industry peers, your customers are more likely to view you as secure enough.

 

To help solve the challenge of determining what Canadian businesses consider to be secure enough, a team at TELUS Security Labs entered into a joint research initiative with the Rotman business faculty at the University of Toronto. Every year, we survey a few hundred Canadian businesses from all sectors and then use the data to compile and publish the Canadian IT Security Practices Report.

 

Last year we learnt a great deal about what secure enough looks like, including:

 

  • The best performing organizations spent 15% of their IT budget on information security (but the majority of organizations spent an average of 7% and didn’t perform well)
  • Businesses successfully invested in technology to detect and analyse security breaches
  • The number of security breaches quadrupled, but businesses invested in operational processes that helped reduce the cost of dealing with the breaches
  • Preventing unauthorised access to information by employees was the fastest growing problem for Canadian businesses

 

The data contained in the survey report (available at telus.com/securitysurvey) provides managers with justification for improving their IT security by:

 

  • Expanding their security budget to address an evolving threat landscape
  • Investing in people and processes to leverage technology more effectively in detecting and preventing breaches
  • Working with the business to make sure customer data is kept safe

 

At the start of August we opened up the 2010 survey and now we’re looking for Canadian business managers to tell us and our co-researchers at the University of Toronto about their perspectives on security and the challenges they face.

 

Help define what secure enough looks like by taking the 2010 security survey today (telus.com/securitysurvey).

 

Ben Sapiro is a Research Director in TELUS Security Labs, one of North America’s leading information security research organizations. Ben is a co-author of the Rotman-TELUS IT Security Practices Survey and works with Canadian executives to help define security strategies. In his spare time Ben works on emerging solutions for securing the cloud and on-demand computing services.
