TELUS Talks Business

Talking Business

20 Posts tagged with the security tag

Big data and data analytics are rapidly changing business, open government and citizen services, security and privacy. Whether it’s easily mapping a bus route using Google Maps thanks to open access to data provided by your local transit provider, discovering correlations between magnesium deficiencies and migraines, or uncovering a breach in your organization’s security infrastructure, big data is here to stay and will have dramatic impacts on us in the future.

 

But what is Big Data? The core aspects of big data to consider are that:

 

(a) It is increasingly easy to gather, store and manage very large datasets
(b) Using data analytics and correlation engines, we can extract value from these datasets in ways that drive new opportunities
(c) If you can do it for good, others can do it for evil

 

Big data and data correlation are being used for good in a number of ways. Have you recently had a credit card cancelled by the issuer without reporting fraud yourself? Most people are not aware that the majority of credit card related breaches are not discovered by the consumer, merchant or transaction processor, but by Visa, Mastercard and American Express. Those three companies have huge datasets and correlation capabilities that enable them to see patterns in fraud and relate them back to the specific sources of a breach, usually becoming aware of these problems before the troubled organizations. Gathering more data, and finding ways to sift through that data is incredibly important to the future of security.

 

In the enterprise, we see security incident and event management (SIEM) tool deployments as the front line of this approach. By aggregating system logs and looking for anomalies, and over time learning to sort the wheat from the chaff, an organization is able to take a more effective stance on security events. Often, when organizations have failed to put effective logging techniques in place, it is nearly impossible to determine the source or cause of a breach, infection or data loss. But when the tools are in place and properly used, organizations become more aware of incidents as they occur and can reduce the impact and spread of events, and thus the costs associated with them. The Rotman survey we do annually shows that organizations that invest in log and SIEM tools consistently experience improved security outcomes.

 

However, the bad guys also have access to these same tools. In addition to the huge databases of stolen credit card numbers and other personal information available on the web for small change, criminals are increasingly using big data techniques to correlate individual pieces of information on victims into richer profiles, which can be sold for higher values. Bringing together a credit card number with address, name, date of birth and mother’s maiden name results in a much richer profile for an identity thief to wreak havoc. Researchers have also used data correlation techniques to bring together public voting records, land records, anonymized health care studies and social security or insurance numbers to reveal information that was never intended.

 

If your organization is responsible for verifying identity in order to establish credit, provide access to resources, sell services or for other reasons, it is important to keep in mind how easily and cheaply this information can be gathered for malicious purposes, and to develop effective countermeasures to prevent fraud. That fraud has costs both to your organization and to the individuals who suffer the identity theft.

 

So, keep in mind the value of data, how easily it can be gathered, tools available for analysis, and find ways to use it for your advantage and to offset the risks to your organization.

 

Michael Argast, TELUS Security Solutions

Tags: 10-99, 100+, business, security, it_security, rotman, enterprise, it, big_data, value, security_infrastructure

TELUS Talks Business correspondent Etan Vlessing recently attended a TELUS presentation, in association with Autonomy, an HP company, called "Data Protection in a mobile world". This blog summarizes why cloud-based backup technology is important for mobile data protection.

 

 

No blue-sky thinking here: Cloud-based backup technology allows users to store and retrieve data via the Internet from anywhere in the world, anytime.

 

It turns out even a data storage guru can face a blank computer screen just before a big keynote speech.  Stephen Spellicy, director of enterprise data protection at Autonomy, a division of HP, on Wednesday recalled last year waking up in a San Francisco hotel room and powering up his laptop computer, only to discover his entire hard drive had been wiped as he slept.

 

“I had no access”, he remembered, hours before he was to make a key trade show presentation.

 

IT had pushed down a new security patch across the network, which placed encryption software on the hard drive, Spellicy said of the IT mishap back at corporate headquarters. So did Spellicy panic? And was he able to recover his presentation in time for his conference address? It turns out organizations are today crawling with mobile employees dealing with the very same challenges of data storage, loss and recovery. And that threatens IT departments scrambling to secure and protect company information and apps on employee-owned mobile devices and tablets that access corporate networks from remote locations. Organizations routinely used cumbersome and manually intensive external USB backup drives and rewritable CD/DVDs to back up data and protect against viruses, power failures and accidental deletions. But what about data protection at the edge, with on-the-go employees like Spellicy in his San Francisco hotel room? Today’s on-the-go employees are armed with laptops, smartphones and tablets, and may need to recover and access corporate information from remote locations due to any number of disaster scenarios.

 

“Our IT departments are struggling with how to manage information as it grows in the wilds”, Spellicy told a panel on data protection in a mobile world in Toronto.  “After all, no organization has a walled garden in today’s fast-changing mobile world”.

 

“Information is spreading out to the edge, and we’re losing control of information, and we have to bring that control back in”, Spellicy added.

 

CLOUD-BASED BACKUP

 

Recall our data storage guru and his lost presentation in San Francisco.  Too busy to make sense of the data loss, Spellicy recalled rushing down to the hotel lobby and purchasing a Netbook with a Windows operating system.

 

“I fired it up and launched a recovery page, and pulled down my required information, as well as my web email, and restored the information I needed for the trade show”, Spellicy explained.

 

That was fast, not surprising for a techno geek like Spellicy.  But remote access to his corporate data, and online recovery, was made possible by the use of Autonomy’s cloud-based connected technology. In effect, Spellicy was able to remain connected to his corporate network and to instantly and easily recover lost data.

 

“I needed to be able to recover the information I was working with, which was critical to doing my job at the tradeshow”, he recalled. Here cloud-based data protection is migrating from traditional desktop servers to the edge of a corporate network, whether that’s mobile devices like the iPhone and iPad, Android smartphones or other browser-enabled mobile devices increasingly in use by mobile employees. Autonomy’s Connected Backup technology allows mobile devices to find and view protected documents and other corporate data, and securely use that information anytime and anywhere. Connected Backup means on-the-go workers never have to feel disconnected.

Even as Spellicy’s main laptop computer proved useless at the San Francisco conference, he could still use the Netbook and an SSL VPN as a web browser to securely access his corporate network, and use the backup app to identify and retrieve corporate files.  All that’s needed is a backup subscription service, a secure password and a secure Internet connection. Here the MyRoam technology allowed Spellicy to use any web browser to access files, even in a hotel lobby while using a kiosk computer.

 

“Go to the computer, fire up Internet Explorer, put in a simple URL to the Connected Backup app, put your username password in and you can literally bring down the content that you’re looking for”, Spellicy explained.  He adds “The Connected Backup technology is purpose-built for tablets. At the same time, the MyRoam feature enables smartphone access to files by tapping into a device’s web browser, if required”.

 

DATA ARCHIVING

 

Fast and flexible cloud-based storage and access to business information has more uses than recovering from a hard disk crash. Spellicy pointed to Autonomy’s Intelligent Data Operating Layer (IDOL) search engine platform, which enables effective records management and archiving for organizations. Why would an organization need IDOL to gather up corporate information, process, store and serve it up on command?  The ability to identify, sort through and retrieve stored information becomes crucial, for example, to complete internal investigations, or outside litigation and regulatory requests.

 

“When a lawyer gets an email asking for information to be supplied to a court case, data needs to be recovered to remain compliant”, Spellicy explained. Here the Connected Backup app has a range of options to browse and search protected data using keywords and concept queries. The result is that critical corporate information, whether stored contracts, documents or agreements, becomes more easily identified and accessed. Spellicy insisted Autonomy’s IDOL search and discovery tools may well prove invaluable when top execs and in-house counsel are looking for the proverbial needle in a haystack to meet a litigation or regulatory request.

 

“We can make sense of the information that we’re storing. And we can leverage that in a litigation request”, he said of the IDOL search engine platform. In effect, IDOL enables a look into the haystack to intuitively spot and retrieve the needle. “IDOL learns over time what information is and how it’s being used in the infrastructure”, Spellicy said.

 

IT DEPARTMENTS

 

Of course, if corporate IT departments do not encourage mobile employees to back up and store data in the cloud, then retrieval and access of protected corporate data from remote locations would not be nearly as easy.

 

“A good IT policy will have devices, typically corporate-owned devices, backed up regularly”, Spellicy insisted. Leveraging the cloud is also about making IT departments more agile and responsive, and very much about the bottom line as virtualization reduces storage costs and risks. That’s help at hand for IT departments increasingly asked to control and protect ever-bigger volumes of corporate data with fewer resources. For one thing, Spellicy argued roughly 85% of data generated by corporate organizations today is unstructured data, or the stuff employees create every day and which is not stored in the data center.

 

Cloud-based data protection technologies can allow IT departments to reduce the risks and costs of storing this growing unstructured data burden.

 

“We need to be able to deal with this growing data load with limited time in the day, limited time to backup data, and with limited bandwidth in remote locations with which to access and use the information”, Spellicy argued.

 

By Etan Vlessing

 

The Connected Backup solution from Autonomy, an HP company, is the world's leading data protection solution and the service supporting TELUS' Desktop Backup.  www.telus.com/desktopbackup

Tags: strategy, 10-99, 100+, business, mobile, mobile_working, cloud, security, backup, enterprise, it, data_protection

Is driving energy efficiency and lower total cost of ownership within your data center infrastructure top of mind? Are you trying to determine how you manage and understand your growing needs, the benefits, risks, and how you’re going to support it? Do you manage your IT infrastructure in-house, through a third party or a mix? What are your data center options?

 


At this year’s DatacenterDynamics Conference in Toronto, I was a guest speaker on Next Generation Data Centres.  For those of you that were too far away to attend, here’s what I told the audience:

 

Your main approach to data centres needs to focus on four fundamental drivers: efficiency, sustainability, reliability and security, not only across the data centre itself (mechanical, electrical & physical building) but the entire end-to-end delivery including WAN, IT infrastructure and applications.  Security and privacy are crucial design elements and, done poorly, can create roadblocks to cloud adoption, but that’s a conversation for another day.

 

 

Efficiency, Sustainability, Reliability

 

The Next Generation Data Centres need to be:

 

Designed for efficiency

  • Efficient mechanical, electrical and IT, minimize overhead (structure, people) and streamline operations.

 

Designed for sustainability

  • Reduce or eliminate overhead where possible to maximize the IT output with the lowest inputs. Efficient cooling design that takes advantage of our climate; reduce building structures where they are not required and of course using hydroelectric generated power to minimize greenhouse gas emissions.

 

Designed for reliability

  • From the ground up to IT applications.

 

Designed for modularity

  • Allow you to add capacity to accommodate growth while taking advantage of technology evolution with each subsequent module.

 

In addition, I feel that data centres should be aware of your green footprint or your environmental impact in running the datacentre (i.e. no batteries).

 

In closing, here’s a checklist to keep top of mind when evaluating potential service providers for your Next Generation Data Centre:

 

•    Are the four fundamental drivers - efficiency, sustainability, reliability and security - provided?
•    Is there an end-to-end delivery platform including Wide Area Network, IT Infrastructure & Applications?
•    Is it designed around your network with an advanced foundation of security, privacy and reliability?
•    Is there scalability? End-to-end service capabilities – cloud / network / device? And a platform for growth?

 

 

For additional information watch "The revolving role of IT"

 

 

Lloyd Switzer is the senior vice president of network transformation for TELUS.

Tags: business, cloud, security, enterprise, it, changing_role_of_it, datacentres, efficiency, sustainability, reliability, managed_it

We're looking back on 2011 and some of the most "liked," "tweeted" and commented tech-focused blog posts at Telus Talks Business.

 

One of my contributions that garnered a lot of traffic was on how to best protect your smartphone.

 

After all, today's mobile devices are like pocket computers, as they can perform many of the same tasks as your PC or Mac – including accessing email, browsing the web, playing media and getting work done – so protecting them and the potentially sensitive data that resides on it is critical.

 

Here are a few ideas for shielding your device – and thus, yourself – from scams, viruses and identity theft with the following smartphone safety tips.

 

Back it up

 

The first line of defense is to back up your smartphone regularly in case it's lost, stolen or compromised. The easiest and least expensive way to do it is to connect the smartphone to a computer – via USB cable or wireless Bluetooth – and synchronize the data between the two devices. Should you need a new smartphone, all the info will be copied back onto the new device.

 

There are also many "cloud" services that can wirelessly back up your contacts and other information to a password-protected website.

 

Lock it out

 

Speaking of passwords, ensure you've set up a 4-digit PIN (personal identification number) to use your smartphone – and don't use 0000, 1111 or 1234 or any other numbers easy to guess. Sure, a PIN is a bit inconvenient, but you'll get used to it quickly and will be thankful if you can't find your mobile phone.

 

You could also draw a pattern to gain access to your smartphone, which is popular on many Android phones, or use facial recognition technology, though it's generally not as secure as a PIN or pattern. Some phones have a fingerprint scanner, too.

 

"Take it to the second and third level by using password protection on any applications that contain personal or confidential information," advises Chris Stier, managing director for NetQin Mobile, one of the world's leading mobile security providers with roughly 10 million registered users. For example, those who do mobile banking on their phone should create a password that's at least seven characters long and contains letters, numbers and symbols.

 

Software protection

 

"Threats like malware, hacking and spamming have always existed for traditional PCs, but a smartphone attack can be even more damaging," cautions Stier. "You likely have personal and business information stored on it, personal conversations and messages that can be recorded and your location can be also tracked."

 

As such, software to protect against malware (malicious software) is "critical" for a mobile device today, says Stier.

 

NetQin Mobile, for example, offers a free antivirus smartphone solution and a more robust "premium" option for $1 to $2 per month. The software works on Android, BlackBerry, Windows Mobile and Symbian devices (not Apple's iOS platform).

 

Remote control

 

If your smartphone is lost or stolen, there are free mapping tools to remotely track the GPS-enabled device on a computer, smartphone or tablet. Note: if your phone was stolen it's recommended to give this info to authorities rather than you trying to retrieve it.

 

These same tools, such as Apple's Find My iPhone and BlackBerry Protect, can also remotely wipe the smartphone clean, making it ring loudly (if, say, left under the cushions) or display a message on the screen (such as "Please call me").

 

You need to set up these tracking apps ahead of time, so be sure to do that before it's too late. Here are some tips for setting this all up.

 

Check your statement

 

Finally, it's recommended to check your monthly statement carefully for suspicious calls and SMS (text messaging) charges.

 

"Comb through your bill closely because you might find charges made without your consent," says Stier. "If you find any, contact your carrier immediately to dispute the charges and they'll identify the company or service for you."

Tags: strategy, 10-99, 100+, 1-9, business, mobile, tips, mobile_working, social_media, blackberry, app, balance, smartphone, leadership, iphone, android, app_week, evan_carmichael, entrepreneur, ipad, security, flexible_work, small_business, wireless, marc_saltzman, enterprise, 15_minutes, cell, protect, safeguard

 

Today's mobile devices are like pocket computers, as they can perform many of the same tasks as your PC or Mac – including accessing email, browsing the web and playing games, music and TV shows.


In fact, they can do things your computer probably cannot, such as taking pictures, shooting video and providing GPS navigation.

 

Smartphones are also great for getting work done as there are powerful word processors, spreadsheet tools, presentation software, voice recorders and calendars, to name a few productivity applications for entrepreneurs and small businesses.


So with all this data you're likely carrying around, it's important to protect it from falling into the wrong hands.

 

Shield your device – and thus, yourself – from scams, viruses and identity theft with the following smartphone safety tips.

 

Back it up


The first line of defense is to back up your smartphone regularly in case it's lost, stolen or compromised. The easiest and least expensive way to do it is to connect the smartphone to a computer – via USB cable or wireless Bluetooth – and synchronize the data between the two devices. Should you need a new smartphone, all the info will be copied back onto the new device.

 

There are also many "cloud" services that can wirelessly back up your contacts and other information to a password-protected website.

 

Lock it out


Speaking of passwords, ensure you've set up a 4-digit PIN (personal identification number) to use your smartphone – and don't use 0000, 1111 or 1234 or any other numbers easy to guess. Sure, a PIN is a bit inconvenient, but you'll get used to it quickly and will be thankful if you can't find your mobile phone.


"Take it to the second and third level by using password protection on any applications that contain personal or confidential information," advises Chris Stier, managing director for NetQin Mobile, one of the world's leading mobile security providers with roughly 100 million registered users in more than 100 countries. For example, those who do mobile banking on their phone should create a password that's at least seven characters long and contains letters, numbers and symbols.

 

Software protection


"Threats like malware, hacking and spamming have always existed for traditional PCs, but a smartphone attack can be even more damaging," cautions Stier. "You likely have personal and business information stored on it, personal conversations and messages that can be recorded and your location can be also tracked."


As such, software to protect against malware (malicious software) is "critical" for a mobile device today, says Stier.

 

NetQin Mobile, for example, offers a free antivirus smartphone solution and a more robust "premium" option for $1 to $2 per month. The software works on Android, BlackBerry, Windows Mobile and Symbian devices (not Apple's iOS platform).


Remote control


If your smartphone is lost or stolen, there are free mapping tools to remotely track the GPS-enabled device on a computer, smartphone or tablet. Note: if your phone was stolen it's recommended to give this info to authorities rather than you trying to retrieve it.


These same tools, such as Apple's Find My iPhone and BlackBerry Protect, can also remotely wipe the smartphone clean, making it ring loudly (if, say, left under the cushions) or display a message on the screen (such as "Please call me").


You need to set up these tracking apps ahead of time, so be sure to do that before it's too late.


Check your statement


Finally, it's recommended to check your monthly statement carefully for suspicious calls and SMS (text messaging) charges.


"Comb through your bill closely because you might find charges made without your consent," says Stier. "If you find any, contact your carrier immediately to dispute the charges and they'll identify the company or service for you."

Tags: 10-99, 100+, 1-9, business, mobile, tips, mobile_working, smartphone, app_week, security, wireless, marc_saltzman, app_of_the_week, enterprise, cell, protect, privacy

There's already a lot you need to worry about when you're traveling with your smartphone, tablet or laptop – such as keeping them powered up so they're ready for business, accidentally leaving them behind in the back of a taxi or preventing someone from snooping over your shoulder at your work.

 

Now you can add one more concern: free public Wi-Fi networks that are in fact "rogue" connections set up by malicious types.

 


 

"The basic idea is someone in vicinity has created a 'free Wi-Fi network' that you connect to, but in doing so, you’re allowing them to tap into your info, access your files and possibly steal your personal identity too," says Tim Bajarin, president of Creative Strategies, a tech consultancy in Campbell, Calif.

 

"These 'rogue' networks are really individuals – perhaps in a nearby van – who have software to hack into your systems. And because the majority of people's laptops and other devices are not protected, they're a lot more susceptible than you think," Bajarin adds.

 

In fact, New York-based independent security consultant Dino A. Dai Zovi says he and a colleague, Shane Macaulay, authored a tool called KARMA to demonstrate the risk of unprotected wireless networks. "KARMA acts as a promiscuous access point that masquerades itself as a wireless network," explains Dai Zovi. "It makes the victim connect to our rogue wireless network automatically."

 

Rogue operators will often craft network names similar to the name of the hotel or the coffee shop where you're attempting to connect, such as "HiltonFreeWireless" or "StarbucksFreePlus," respectively. One careless click and *poof* -- your data is exposed.

 


 

So, what to do?

 

The first tip is to avoid free public Wi-Fi altogether, if you can. "When I go to a hotel, I make sure they have a wired [Ethernet] connection," says Bajarin. "And if I want to go wireless on my laptop or other devices in my hotel room, I bring an Airport Express with me," he adds, referring to Apple’s compact wireless router.

 

Or you can bring your connection via WAN-enabled laptops, USB sticks with cellular connectivity or you can create a mobile hotspot through a nearby smartphone or tablet.

 

If you're going to use free public Wi-Fi, be sure to have VPN (Virtual Private Network) access, says Dai Zovi. "Otherwise, everything you do can be easily monitored by anyone nearby." Citing recent Firesheep attacks, Dai Zovi says that even password-based networks can be attacked by malicious types. Firesheep is an extension for the Firefox browser that can grab your login credentials for sites such as Facebook and Twitter. On a related note, make sure all security software on your device is updated regularly, enable firewalls and encrypt sensitive data, if possible.

 

Bajarin says if you must use free Wi-Fi, "get on, get what you need and get off -- and don't do any financial things until you’re back at home."

 

Only through secured connections and some common sense can you keep personal and professional data safe from malicious types waiting to attack through free public Wi-Fi networks.

 

Marc Saltzman is one of North America's most recognized and trusted technology experts. Based in Toronto, Marc currently contributes to nearly 50 publications, has authored 14 books and is the host of CTV News Channel's "Tech Talk," CNN's "Tech Time" and Cineplex's "Gear Guide" (seen in movie theatres across Canada).

Tags: 10-99, 100+, 1-9, security, it_security, small_business, marc_saltzman, smb

The Sony PlayStation security breach has been on the front page for days. As of Monday, Sony admitted that the breach impacts more than 100 million users worldwide, and the company is now facing a lawsuit for providing inadequate security for customer information, as well as for waiting too long to disclose the breach. In addition to the lawsuit, US Senator Richard Blumenthal wrote an open letter to the President and CEO of Sony Computer Entertainment America (SCEA) 'demanding answers' about why they failed to inform customers in a timely manner (Sony only informed customers about the data breach last week, after forensic investigations confirmed the breach).

 

Yes, those in the security industry certainly understand that forensic procedures can be lengthy and involve Legal Counsel and litigation protection measures - especially in a case of this magnitude. However what does not help the company's position is the fact that the disclosure timeline also coincides with the unveiling of their new S1 and S2 tablets. The bad news came out hours after the new devices were officially launched, and some observers are raising questions around this coincidence.


Consider the security and compliance implications of the Sony PS breach, including the number of consoles connected to the Internet, many of which use credit card data to acquire movies and games.

 

To try to quantify the damage caused by this incident, let's just speculate that for each of the 100+ million users affected the company could spend an average of $3-$5 in a number of ways (this is probably a very low figure).

 

The costs can include the litigation procedures and potential compensation to customers, credit monitoring to the customers impacted, the cost of shutting down the PlayStation Network and Qriocity services until the investigation is complete and the company is assured that the network is safe again (how long before users actually believe that, and come back?), the cost of the investigation (forensic discovery services are among the most expensive in the security industry given the highly specialized skill sets, the sensitivity of the findings, and the technology involved). Compound those costs with potential post-breach share devaluation, brand and reputational damage, questions around the new tablets potentially using the same or similar technology which can be vulnerable to the same attacks... and the list goes on.

 

But what happened with Sony? Doesn't the company spend millions of dollars in its IT infrastructure, including data security and privacy controls?

 

Of course it does. In the past Sony has invested heavily to protect itself from its own users, who attempted, successfully, to hack the PS system to bypass the proprietary software licensing controls. Surely, the company hires competent talent to protect customer data, and has a security program in place. The fact is, until the forensic procedures are complete and the legal advisors are satisfied with how the outcomes will be communicated to the public, there will be a lot of speculation.

 

It has already started. One 'doomsday/worst-case' scenario (albeit an interesting one) considers the attack targeting the low-level software controlling the PS consoles. This attacker could then take control of millions of Sony devices connected to the Internet, establishing one of the largest botnets in the world, with each bot or 'zombie' being a supercomputer with 6 to 9 high-performance cores running at 3.2 GHz, plus an Nvidia GPU. This aggregation would represent a *massive* amount of computational power. Interesting.

 

Since we want to avoid empty speculation, and we are exploring the topic of information security in the gaming industry, I would like to end this post with some food for thought on a slightly different, but very real issue: think for a moment about commercial transactions inside 'virtual life' games.

 

This is where millions of users spend several hours per day living virtual lives. They can acquire virtual goods, information or even virtual 'real estate' with real currency. They can also buy and sell real goods with digital currency, or just exchange the two with other players or the system's intelligent control. Now, who's paying the taxes on real goods sold, or currency exchange? What about the huge potential for money laundering? Can these transactions be traced? Which law enforcement agency has jurisdiction over virtual space? What other services are being sold there?

 

Virtual worlds and the gaming industry are another undiscovered territory to be explored, charted and, maybe one day, regulated. They present their own challenges around data security and privacy, because when regulations exist they are limited by geographical jurisdiction, and a common framework on international or supranational privacy law is still beyond us.

 

Rafael Etges is the Director of information security solutions at TELUS.


I Spy WiFi

Posted by LindaOJ May 3, 2011

LindaOJ here again and as I am on the road working, I will be writing this blog partly in Geneva and the rest of it in Ireland. Now, this might sound an easy task but believe me it has been quite stressful. When I arrived in Geneva and settled into my hotel, Dave (my husband and business partner) set up my laptop so that I could connect to the Internet. Unfortunately it was not long before we both realised that the in-room Internet connection at the hotel was not working!

 

But wait… we have WiFi available if we work in the lobby, which also acts as the business centre. We trundled down to the lobby only to find the WiFi was not working either. This continued for the entire stay at this hotel and I for one was very disappointed. I then asked Dave if we purchased a ‘magic stick’ (as I like to call them) would that solve our problem. Unfortunately he quickly pointed out it might only work in Geneva and prove to be very expensive.

 

 


Sometimes WiFi at hotels can be a little confusing

 

 

Given these experiences, I decided to interview Dave on the technology challenges I am experiencing whilst on the road. I should share with you that he does have a lot of expertise in this area and has worked in this field for many years.

 

What kind of technology problems do business travelers experience these days?


Your story illustrates a common problem, in that many business travelers these days require constant connectivity to keep in touch with their business information systems. Some examples of what we expect to access are e-mail, company directories, and telephone and conferencing services. It’s easy to take this access for granted when you’re at the office, but when you’re on the road it can often be a difficult challenge. Typical issues are problems connecting to the company network; large expense that comes from roaming charges on mobile phones; and security concerns when using public Internet access points.


Let’s concentrate on company network connectivity. What exactly are the issues?


When we are at the office, our computers are usually connected to the company network rather than directly to the Internet. This means that we might have access to servers containing our company data, internal web pages with important information, and more. However, these internal systems are typically not accessible from the Internet. The answer is to use a Virtual Private Network (VPN) solution. This typically consists of a device installed in your company network that will allow your laptop to securely connect to the company network across the Internet. Once you’re connected through the VPN, it’s just like being in the office!


The VPN Solution did not work in our hotel. Why not and is there another solution?


There are different types of VPN solutions from different vendors. Unfortunately some VPN solutions make use of technology that can be difficult for hotels or cafes to work with, and this causes the VPN connection to fail. I would recommend checking with the hotel in advance if your VPN solution is supported. If you are a frequent traveler, I’d consider adding support for several types of VPN solution into your company network.


Cost is a big concern for many small business owners, including myself. What advice can you give on how to save money when using a mobile phone abroad?


The problem here is Roaming—the traveller’s enemy! Virtually all mobile phone carriers charge extra for you to use your mobile phone abroad as they need to cover the cost of data agreements with carriers located in other countries. To cut down on calling and data costs, you should try to get your phone ‘unlocked’ – which simply means it can work with SIM cards from another operator. When you arrive at your destination country, obtain a SIM card to enable your phone to work directly on the in-country network. You can pay-as-you-go at substantially lower rates. Alternatively you may be able to pre-purchase a travel pack from your carrier to work more cost effectively. If you have a VoIP phone service (such as Skype for example) you may also be able to use your laptop as a phone.


Security is definitely a concern more than ever these days for us all, can you offer some simple tips in this area?


When travelling you need to be mindful of several things: keeping your technology safe, and keeping the information safe you access with your technology. If you are travelling with your laptop for instance, you should keep it stored in a secure location (such as a hotel safe) when you’re not using it. In terms of protecting information, make sure to connect only to wireless networks you consider somewhat trustworthy, such as that provided by your hotel. However, be aware that any other hotel guest might be able to snoop on your activities unless you’re using a VPN solution as we discussed earlier. Those are my top two tips!


Thanks to Dave we now have some great ideas on how not to suffer the challenges I have been going through. However, I realise that I am not able to control every aspect of what we have been talking about and ultimately, technology challenges will always be there.

 

Now that we have arrived safe and sound in Ireland, I smiled with relief when the hotel receptionist assured us we had WiFi in our room. We unpacked and decided to check our emails. We were disappointed to find we had a very weak signal where our room was located and could not access the Internet. At one point we were walking up and down the corridor with my iPhone checking where the best signal could be found!

 

Eventually we mentioned to the hotel staff we needed the Internet to work in our room and they offered us three room choices, along with keys. We trotted off with Dave’s laptop only to find none of them were any better than the room we already had. Luckily for us the hotel staff were excellent and they promised us we could check out a room that was being vacated at noon the next day. Our luck was in and after checking that the Internet signal was strong we re-packed our suitcases and moved rooms.  We have been busy since then playing catch up with email and suchlike and looking forward to a nice drink in the bar before dinner, which we feel is well deserved after all our Internet woes.

 

Be prepared seems to be the best advice I can offer anyone traveling for work and expecting to use the Internet. Seek help from your telecommunications company (such as TELUS) who have solutions for most of the challenges we run into.

 

We leave for the UK on Sunday, and I am already anticipating what problems might arise when we arrive at our next hotel, but I always like to think positive so I am sure everything will be fine.

 

“It has become appallingly obvious that our technology has exceeded our humanity.”

– Albert Einstein

 

Do you have any similar stories as mine? If so how did you deal with your technology challenges when traveling?

 

 

Linda Ockwell-Jenner is President of Motivational Steps and Co-Founder of the Small Business Community Network (SBCN) based in Waterloo Region. Find out more about Linda at www.motivationalsteps.com and www.sbcncanada.org


Today we join Michael Murphy, Vice President and General Manager of Symantec (Canada) for the conclusion of our 15 Minutes conversation.

 

4.            If you could invent a technology to solve a current business problem of yours, what is the problem and what would the technology do?

 

 

A lot of threats today are to information data because that’s where the lifeblood of humankind is now. The biggest challenge customers have today that isn’t easily solvable – although there is work being done on it – is context. Being able to assess and analyze the context and relevance of information we are creating today. There’s obviously an explosion of information, a lot of unstructured data that we create at social networks, or volumes of data at home at work, digital media, photos…and we share all that. That data doesn’t sit in databases in a structured form. Very little categorization is applied to it. As humans our brains can easily classify information based on its sensitivity or its risk i.e. this is important and is something I might not want to share with my family or with my neighbours or with colleagues. In the business world, there are context engines that we have. Data-loss prevention technology does its best to look at words or words in sentences, to be able to suggest that this information needs to be treated differently, but because we haven’t advanced very far on artificial intelligence in being able to make computers do what the human brain and experience and rational thought can do, that’s a piece of technology that could go a long way.

 

5.            In your position, are you aware of – or even an early adopter of – technology that has yet to come to mass market, but that you believe will surface eventually and change lives?

 

 

There are filtering engines that exist in software that prevent bad things from coming in to networks or households and there’s filtering capabilities that prevent certain data from going out. But they’re not foolproof because they have a hard time keeping up with the context. I have three young children and they spend loads of time on the Internet and I have concerns. You take the physical world, the world of the playground and the community street and we’re good at street-proofing our kids, but how do we street-proof them on the Internet? You can spend a lot of time talking to your kids, saying don’t talk to strangers [or] if somebody approaches you or gives you something because in the physical world they can touch, they can see, they can experience. In the electronic world it’s a little harder. It’s anonymous. How do you know the 10-year-old on the other end isn’t a 40-year-old?

 

6.            So technology is created to be more insightful?

 

 

Yes, and it’s an incremental milestone of achievement. I’ve seen that. I’m talking about defensive technologies that prevent less social engineering of individuals, whether it be older people getting swindled out of their retirement funds or whether it be people being duped for identity theft or children being bullied in the playground or even younger children being exploited by online predators. It runs the gamut from the young to the very old. They’re no different than the physical world scams of yesterday, they’re just anonymous now and remote because of the Internet.

 

7.            We've seen an incredible wave of innovation over the past 20 years. How do you define innovation and its current role in the business world?

 

 

Fostering an interest in developing new things, new ways, new processes that move the needle on our progression as a society. You always need that forward momentum. Innovation has to be the fuel by which a business grows.

 

8.            What do you both envision being added over time (2-5 years) to your core products or services that will expand its market potential?

 

The next generation of reputation-based security technologies; the next generation of adding the contextual and relevance part; and the cloud is talked about a lot today. The cloud is a new paradigm in offering the services that are currently available today but providing them in a new delivery or form factor…and that form factor is outside of your network. It’s just a new service delivery mechanism or model.

 

9.            What techniques do you employ to foster a culture of innovation in your workplace?

 

The ideas don’t all come from inside Symantec. We have such a wide and varied customer base including single individuals at home to the largest corporation and governments. Customers aren’t shy about sharing their opinions, both when things are good and when things aren’t working so fine. They talk about what they’d like to see, like what companies they think Symantec should acquire.  So, some innovation comes from acquisition strategy. Often the company is smaller and they don’t have the scale, the reach and the financial capability to take their technology to the next  level. They need the investment, the maturity of a Symantec to grow that company. The acquisitions have been between 5 and 7 a year.

 

10.          Social media has grown exponentially in a very short space of time yet business owners are unsure how to optimize social media. To what extent has your company invested resources in social media as a communications tool, or are you waiting for a more robust success model?

 

Symantec is very active on Facebook and Twitter. We have active discussion groups and it’s not just for marketing. We use some of those mediums to provide support for our customers; things that we’re working on or maybe issues with a particular technology that are widespread. On some of the Symantec Connect blogs you can dialogue with our support and research teams and it’s become a communications vehicle. So we have blogs and newsgroups and forums. And our partners also contribute. It falls across the gamut of public relations, to support of marketing. It’s a good way to get feedback that would not otherwise come to us unless it was face to face.

 

11.          What book are you reading for business?

 

Getting Naked: A Business Fable About Shedding the Three Fears That Sabotage Client Loyalty written by Patrick Lencioni.

 

12.          Based on what you learned in 2010, what will you do differently in 2011? What are your goals for business this year?

 

Sounds like a coaching question! There is some refinement that needs to occur but it’s more of the same which is focusing more on our customers, reaching more customers, which is getting more scale and reach, whether it’s directly or through our partner ecosystem. It’s helping customers with the new challenges that they are facing. Listening to their new challenges, understanding their new challenges and helping them with new technologies. We have great customers but they have one or two of our technologies versus ten of our technologies.

 

This year we have some focus areas: Virtualization and cloud seem to go hand-in-glove with customers looking for scale, economy and megatrends. The third one is mobility. The amount of devices that are coming to the market, the sheer number, the form factor and the capability of those devices is astonishing. It will continue through 2011 but all of those devices are irrelevant - what is an Android? An Apple? A Nokia? It doesn’t matter. The device is somewhat disposable. But people are using them for the same thing - it’s access to information and to share information and their identities and to transact and interact. I mentioned context development and relevance and that’s the other piece around information protection - and how do you secure backup and retrieve that information, so …we’re talking about encryption and back-up and archiving for identity management protection. User authentication. How do you prove who you are during a transaction? I don’t even know if I’m talking to Amber! And you don’t know if you’re talking to Michael or if I sent someone else to do this interview today. We haven’t really established that capability of trust to prove we’re who we say we are. The last one is around device security. The devices are somewhat disposable and they do get lost at great frequency. How do I make sure that the information on the device is not put to bad use… or isn’t easily removed or erased?

 

About Symantec

Symantec is a global leader in providing security, storage and systems management solutions to help consumers and organizations secure and manage their information-driven world. Symantec’s well-known Norton products protect consumers from cybercrime with technologies like anti-virus, anti-spyware, and phishing protection. The company helps enterprise organizations with endpoint security, messaging security, web security, data protection, identity authentication, and security management solutions. www.symantec.com

 

What are your best tips for staying current with technology requirements for your business? Do you rely solely on IT as your source of information?


This week in 15 Minutes is Michael Murphy, Vice President & General Manager of Symantec (Canada). Symantec (www.symantec.com) is a global leader in providing security, storage and systems management solutions to help consumers and organizations secure and manage their information-driven world. Its well-known Norton products protect consumers from cybercrime with technologies like anti-virus, anti-spyware, phishing protection, and reputation-based technologies codenamed SONAR, Quorum and Insight. Symantec has 18,500 worldwide employees. Based in Mountain View, California, it reported revenue of $5.99 billion (USD) in 2010. (Canadian operations contributed roughly $190 million USD.)

 


 

This is part one of a three-part interview.

 

1.            What’s your favourite new technology of 2010? And why?

 

The iPad. Aside from the cool factor…it’s not going to replace my PC or laptop or my home computer but, for someone like me, who travels a lot and reads a lot, it is a tremendous device. I used to carry two or three inches of paper in my briefcase. An inch of it was Symantec work and there were industry magazines and my usual collection, The Economist, Harvard Business Review, and some hobby magazines. When I go for an overnight trip I don’t even need to bring my laptop. And I carry a smaller briefcase!

 

2.            Successful business people often reference the ways in which their personal experiences inform their work. How do your personal experiences with technology influence your professional life?

 

The root of what I am is a technology guy. Even my hobbies, which are based around home theatre, home automation, I’m always examining the technology that is new. Not all of them are good, of course. There is a hard separation between my work life and my professional life when it comes to technology.

 

3.            In what specific ways did technology play a role in growing your business in the last 12 months?

 

Last year, there was an advent of bad or malicious technologies, malware. We developed the good technology to combat the bad technology. You saw a lot of targeted threats moving to individuals, small businesses and consumers, targeting information for the purpose of identity theft. You also heard of WikiLeaks and the malicious insider gathering information and leaking it to a lot of countries’ embarrassment. If you look at the technology and the threat landscape, that’s probably the biggest. There’s also been this move to the consumerization of IT – that is, employees want to bring in every new device, whether it be an iPhone or iPad or DROID into the work environment, much to the chagrin of the IT department who like standards and organization. This obviously introduced a lot of risk but this afforded Symantec the opportunity to develop new technology and release it into the marketplace…such as reputation-based technology. Reputation, by its nature, takes the strength in numbers, the opinions or capabilities formed by the millions of users out there, to protect others that may not be part of that group. Case in point, SONAR – that has been in our consumer products for four years now and has only just been introduced in our enterprise products – there are 175 million individual customer machines or PCs in the world that have contributed data to our reputation-based system starting in 2007. More than 39 million of those customers have voluntarily opted in and actively contribute data about their systems, about the applications and files that they use. At this point our Insight Technology (a cloud-based approach) has 2.5 billion thumbnails that allow us the “reputation” to determine good from bad.

 

Reputation is based on age, source, origin, behaviour. That was always the challenge. We didn’t know what was good so we spent all of our efforts in the industry focussing on the bad. But the bad is so big that you can’t protect against all of it. The analogy I use since 9/11 is, when you’re travelling by airplane, going through security is an onerous task. You’ve seen the signs, the things that are banned from airplanes. There’s a point that list becomes so long, that you might as well say, ‘Everything is banned except for these five things on the Good List’: a book, a wallet, reading glasses, your child …you can’t bring your shoes, until after they’ve been scanned.

 


 

Friday: I.D. theft; user authentication; data encryption. Where to begin?

 

 

Do you leave the doors of your house open all day? Didn’t think so. How well are your computer systems protected? Tell us about the last time you had a security breach or a virus froze operations. How did you handle it? What's top of mind for your IT security teams in 2011?


Today, the conclusion of 15 Minutes with Yogen Appalraju, vice-president of TELUS Security Solutions:


9. Do you foster a culture of innovation in your workplace, and if so, how?

I think staying current with what’s going on in the marketplace is what will ultimately ensure your survival. At TELUS, we are absolutely trying to push the envelope on the product and development life cycle so we can launch products quicker. So much around us is changing, we need to launch services that adopt and bring out the value in new innovative technologies.


10. Social media has grown exponentially in a very short space of time yet business owners are unsure how to optimize social media.  Has your company invested resources in social media as a communications tool, or are you waiting for a more robust success model?


Absolutely. Jeff Lowe (TELUS VP Marketing, Enterprise), together with a fantastic centre of partners, has fully embraced it for business. Our company is really working in an advanced way to embrace social networking.


11. What book are you reading for business?

 

I’m finishing a book up called The Checklist Manifesto: How to Get Things Right, by Atul Gawande. It is really about how you can manage and control the results of what you’re doing by taking a methodical approach. Checklists enable you to be consistent and methodical in getting the results you are trying to achieve.


12. Based on what you learned in 2010, what will you do differently in 2011?

 

What I’m going to really focus on is what are the 10 most important things I want to achieve in 2011, and then make sure that I’m consciously trying to spend time on those 10 things, so I get the results I’m looking for. One priority includes spending more time with my customers across Canada. Another area is to launch several new products in 2011 including a Managed Secure Mobility service that allows organizations to secure mobile devices in a consistent manner irrespective of whether it’s a BlackBerry, iPad or Android device.

 

13. What do you want to be able to say about your results in 2011 when we talk again in 12 months?


That those very important priorities I just mentioned have been successfully accomplished.


14. What is your 2011 resolution for your part of the business?


I’d like our team to continue the success we’ve had in 2010 in driving and growing our security business, and to ensure we’re doing it in a manner in which the team continues to be motivated and passionate about what they do.


TELUS Security Solutions was formed with the merger of TELUS business resiliency and the strategic acquisition of Assurent Secure Technologies in 2006. Today, TELUS Security Labs is a leading provider of security research, backing security vendors, large enterprise, and government organizations in North America, Europe, and Asia. In Canada, Yogen Appalraju (pictured) leads a national team of more than 165 that specializes in managed services, security products and consulting, supporting organizations in designing and implementing world-class security capabilities.

 

TELUS and the Rotman School of Management just released their third annual study on Canadian IT security. For a copy of the report, go to TELUS.com/securitystudy or leave a comment and request it.


As Chief Information Officer of one of the largest hospitals in the country, the decisions around security that I make affect all areas of the hospital, all employees and ultimately, all patients.

 

Here are some of the pro-active actions Sunnybrook Health Sciences Centre takes in implementing processes to strengthen security.

 

To begin, I want to touch on investing in security and reporting incidents. It’s agreed that the healthcare sector is generally underreporting security incidents because we’re not systematically monitoring (this is similar to the state of adverse event reporting for patient safety, pre Baker Norton circa 2004).

 

At Sunnybrook, IT security accounts for 3 per cent of our total IT spend. We have invested in IPS technology, but not Security Information and Event Management yet.  With increased detection capabilities, we expect the number of reported incidents to increase. We don’t believe that a larger number of reported incidents indicates an increase in the type and kind of attacks, but rather that our risk management program is working to better detect what’s already happening.

 

We are proceeding with increased and formalized risk monitoring across all IT processes - not just security – and expect that this will lower the underlying security risks and improve Service Level Agreement performance.

 

Legal or best practice breach accountabilities have not materially changed in the past three years, but increasing scale and scope of IT operations demands greater management visibility and control over IT processes. Appropriate design and operations management of IT projects and systems require integrated security and process controls (ITIL, CoBIT, ISO 27002, 27005, etc.). Hospitals are not subject to some government data management requirements (e.g. FIPPA), but this will likely change in 2011.

 

 

Security accountability

 

Today, system availability and accountability for personal health information under PHIPA remain primary security concerns. We are not currently quantifying breach losses and assume these losses and investigation costs are nominal compared to reported averages for commercial, or even government - but these costs will increase due to a focus on formalized risk monitoring and investigation.

 

Trusted user breaches (malicious and non-malicious) continue to occur. We are instituting access accountability strategies for IT staff and will look at increasing inappropriate access auditing for clinical staff. The overall theme here is “Trust, but verify.”

 

Our social networking policy was instituted in 2010. It’s a policy largely based on acceptable use, not on data loss prevention.  We agree that data loss and compliance remain top concerns after system availability.

 

Secure web development was addressed this year as well, as PIA and TRA reviews are increasingly applied to all new systems. As reviews become more complex, project teams spend more time evaluating controls, designing to standards and remediating identified risks. ‘Privacy/security by design’ requires additional project resources not previously considered.

 

 

IT security, 2011

 

The creep of consumer mobile devices into enterprise is the biggest new threat vector, especially to data loss prevention. We’re managing through clear policy and strong technical controls. Smartphone vulnerabilities are being reviewed as consumer phones become corporately supported in 2011. FIPPA application to hospitals will also require review of IM considerations for lifecycle data loss management.

 

Sunnybrook currently has no formal data loss strategy, although we are expanding mobile and e-mail encryption, and will likely establish our data loss strategy as part of overall security risk program development in 2011.

 

Service level agreements for security technology deployment, monitoring, reporting and improvements are key; the major effort/expenditure is in the operations management of controls, not the decision to deploy or the technology selection itself. Vendors generally don’t have much to say about security ops management (e.g. Winmagic lifecycle management) and this remains a challenge.

 

 

A snapshot of best practices

 

  • Get the security basics right and go from there
  • Ensure IT management is focused on business risk, not just on technology
  • Security assurance is about diligence on risk across the IT spectrum

 

 

Sam Marafioti is the Chief Information Officer at Sunnybrook Health Sciences Centre.

 

About Sunnybrook Health Sciences Centre


Sunnybrook Health Sciences Centre is inventing the future of health care for the one million patients the hospital cares for each year through the dedication of its more than 10,000 staff and volunteers. An internationally recognized leader in research and education and a full affiliation with the University of Toronto distinguishes Sunnybrook as one of Canada's premier academic health sciences centres. Sunnybrook specializes in caring for Canada's war veterans, high-risk pregnancies, critically-ill newborns, adults and the elderly, and treating and preventing cancer, cardiovascular disease, neurological and psychiatric disorders, orthopaedic and arthritic conditions and traumatic injuries.


This week, TELUS and the Rotman School of Management released their third annual study on Canadian IT security. Please see this week’s blogs from TELUS’ Yogen Appalraju and Rotman’s Dr. Walid Hejazi for more information about the results or go to TELUS.com/securitystudy.


I’m intrigued by the results of the third annual study of Canadian IT security practices from the Rotman School of Management and TELUS.


Let’s talk about the results as they pertain to social networking. They may have you, your boss or your employee thinking twice about allowing it in the workplace.


This year’s results uncover a misconception:  One in four Canadian organizations are blocking access to social networking sites, citing security as the primary reason. Today, 66 per cent of employees in the government sector have access to social networking in the workplace, as do close to 80 per cent of private and public sector employees.  In both cases, organizations that block access to these sites actually bring productivity and security issues upon themselves as employees spend valuable time trying to circumvent the block or surf the sites through their mobile devices.


What does this say? As trends and technology continue to develop in this ever-changing environment, from the popular engagement with social networking to the proliferation of smartphone usage, there needs to be an increased focus on education and awareness across IT, development and employees to ensure security risks and responsibilities are understood by all.

 

Mobile phones


In keeping with the theme of security to the endpoint, we also asked respondents to share their thoughts, and potentially their concerns, about the proliferation of the mobile phone in the corporate space.


In our 2009 survey, we noted that mobile-related breaches - to specify, any corporate data that was shared as a result of mobile devices and laptops falling into the wrong hands or unauthorized people accessing files from employees working remotely -  were the second largest breach category.

At the same time, we noticed a growing interest in these technologies.  The main concern that has come out of this year’s data and is representative of government, private and public feedback, is the loss of a mobile device with corporate data.

But with this year’s data, we believe that the adoption of this technology does not expose companies to more breaches.  The technology is in place to ensure a secure experience, but only as long as users are educated on best practices on how to keep their devices secure.

 

 

Budgets

 

Another interesting finding from this year’s results is the budget variances between years.

 

Budgets are still well below 2008 levels, in effect, carrying over the severe measures implemented in 2009 that resulted in average budget cuts of 10 per cent.


In 2010, it was reported that security budgets were on average slightly above 6.5 per cent of IT budgets, similar to the nearly 7 per cent IT budget touted in 2009.


It is especially important to recognize the need for investment in security budgets, as the proliferation of mobile devices and social networking drive the need for new, more secure technology, governance and education. While the investment in up-to-date technology does represent a large part of the security budget, it’s necessary to allocate adequate funding to the staff and resources as well.

 

  • Findings indicate that many security professionals have broader roles with specialization in teams diminishing. It is crucial that organizations are staffed with enough experienced leadership, backed by strong executive support to ensure the best security strategy possible.

 

  • In 2009, the majority of respondents indicated that the financial crisis had not forced them to cut staffing levels; however, contractors were impacted by austerity measures.  This year, respondents note that internal staffing levels decreased.

 

  • 50 per cent of organizations are more likely to report to teams of 1-5 full-time employees and only 12 per cent reported that they report to teams of 6-10.

 

  • A potential explanation is that while these employees were employed in 2009 to oversee contractors, in 2010 when their contracts expired, the full-time employees overseeing the work were also no longer needed.

 

 

This week, TELUS and the Rotman School of Management released their third annual study on Canadian IT security (TELUS.com/securitystudy)

 

 

Dr. Walid Hejazi is a professor of business economics at Rotman School of Management.


Newspaper headlines will tell you that IT security issues can impact the whole business. It can drain the resources of entire teams to address a problem, slow productivity or put proprietary data in the wrong hands. Additionally, the impact on consumer confidence and the reputation of the brand have a resounding effect on a company’s bottom line.

 

The subject of security issues and breaches is not new, but we think it’s important to examine the security landscape for businesses in Canada to provide a benchmark to determine the effectiveness of our investments, the results from changes in technology and address new areas of concern. That’s why every year the Rotman School of Management and TELUS look at the effects IT security has on a business and what types of concerns business owners have about security practices.

 

The 2010 results released yesterday reflect the thoughts and feedback of more than 500 IT professionals.  The key finding this year is that Canadian security breaches rose 29 per cent.

 

The breaches increased to an average of 14.6 per year per organization in 2010 – compared with an average of 11.3 in 2009. Government reported the significant breach increase of 74 per cent, experiencing an average of 22.4 breaches per year – compared with an average of 13.4 breaches per year in 2009.


The strongest explanation behind the increased number of incidents is the significant investment in detective and reporting capabilities, employed by the government, which enables greater visibility and transparency into breaches. The proactive approach of focused investment has also led to earlier detection, ultimately lowering clean-up costs. The process of balancing risks and optimizing resources to steer the best possible course and achieve the optimal overall business bottom line is crucial to reducing breaches.

 

In addition, the study reveals a growing trend toward sophisticated attacks on high value data – this includes identity information and credit card numbers. What this says to business is that it is crucial to take a pro-active approach in securing data and implementing processes and employee education to maintain security, as we see a continued increase of more intelligent attacks.

 

The “good news” is that Canadian organizations are optimizing for today. The “bad news” is that they are still not doing enough to prepare for tomorrow.

 

In 2009, we saw that the breach levels increased significantly across all sectors, as did the associated breach costs. Currently, while the investment in defensive technology is proving effective with a decrease in breach costs, we continue to see more organizations reporting an increase of focused, intelligent attacks.

 

In planning for the future, there needs to be continued, proactive investment in security, from technology to governance to education in order to reduce the number of breaches, minimize costs to organizations and most importantly, mitigate the risk to sensitive corporate data.

 

Please join us here tomorrow to hear more about the new study and its implications from Dr. Walid Hejazi, professor of business economics at Rotman School of Management.

 

Yogen Appalraju is the vice-president of Security Solutions at TELUS.


Today, we announced the results of our third annual study on Canadian IT Security Practices with the Rotman School of Management. The study shows that Canadian companies experienced a 29 per cent increase in security breaches from 2009 to 2010, from an average of 11.3 per year in 2009 to an average of 14.6 per year per organization in 2010.

 

What does it mean?


First, the increase in reported security breaches can be explained by significant industry-wide investments in detective and reporting capabilities.  It’s necessary to implement up-to-date technology and focus on governance and employee education, as security is an issue that affects all employees, not only IT executives. As businesses become more proactive with security, the visibility into breaches is letting them react faster and more efficiently, thereby lowering associated costs.


But while the investment in defensive technology is decreasing breach costs, organizations are experiencing more focused attacks. The study reveals a growing trend toward sophisticated attacks on customer and citizen data. Research from our Security Labs indicates that attackers are seeking out sensitive data that can be sold or repurposed for financial gain, rather than opportunistic control of systems.


In terms of social media, this year’s study finds one in four Canadian organizations are blocking access to social networking sites, citing security as the primary driver. However, in both the private and public sectors, organizations that block these sites experienced no improvement in security and could suffer a worsening of security as employees attempt to circumvent the block.

 

The Survey

 

I’ve been asked why we partner with the world-renowned Rotman School of Management at the University of Toronto on an annual IT security study.
The answer is that we recognize that information security extends beyond the realm of IT executives. It affects the entire business, and what better way to provide an overall thought leadership perspective than to partner with a leading organization that is consistently redesigning business education to meet current industry demand?


This year’s survey analyzed data from more than 500 Canadian companies nationwide. This month at TELUS Talks Business, we’ll hear more about key insights from the study, as well as current security trends and issues from experts and customers.  Please join us.

 

I’ll leave you today with a snapshot of security breaches from the study. The top five types of breaches in 2010:

1.  Malware (worms, viruses, spyware, Trojans)
2.  Phishing and pharming
3.  Unauthorized access to information by employees
4.  Bots (zombies) within the organization
5.  Denial of service attacks

 

Technology breaches that dropped most significantly include:

1.  Abuse of wireless networks
2.  Denial of service attacks
3.  Website defacement

 

Access the full report at www.telus.com/securitystudy

 

Yogen Appalraju is the vice-president of security solutions at TELUS. 

Create a profile and join the conversation. Ask your questions about IT security and we’ll pose them to the experts for response here on TELUS Talks Business.
