Canadian IT bosses don’t fear fines: report
Care more about potential for brand damage than about government relations, study finds
Some of the people overseeing IT security at Canadian companies don’t fear government fines for data breaches nearly as much as having their CEO splashed across the front pages of newspapers for the wrong reasons.
A new report released Thursday suggests that companies believe the fines have little impact on their finances and represent a lower cost than the brand damage inflicted by negative news coverage. Paying a fine, one executive told researchers, was merely a “political statement.”
IT security professionals interviewed for the study from the University of Toronto and Telus said companies did only the minimum required to secure networks to meet government or industry regulations. When it came to government regulations, participants mentioned “the government needs to get serious,” said study co-author Walid Hejazi.
“Canadian companies are not prepared enough. We see that in the data; we see that in the responses,” said Hejazi, an associate professor at the Rotman School of Management at the University of Toronto.
There was a suggestion that if the government imposed higher standards for IT security, companies might improve their security enough to comply. However, there wasn’t interest in a one-size-fits-all government policy.
“There was discussion about the government raising the standards, but that may or may not be enough. Businesses have to step up,” Hejazi said.
The findings put a qualitative face on five years’ worth of survey numbers about the state of IT security in Canada’s public and private sectors. Those previous surveys found, among other conclusions, the number of government data breaches has been rising steadily since 2008, and the federal government has had a difficult time retaining top talent.
The private sector, this year’s study found, also had problems retaining talent.
The pervasive attitude among the more than a dozen security professionals interviewed as part of the study was that breaches would happen. However, participants worried they wouldn’t be able to identify breaches fast enough to protect their company’s information.
The biggest security threat, according to participants, wasn’t from external hackers, but from employees who unwittingly open a malicious email or carry sensitive data around on unsecured portable data devices, such as USB drives.
“The vast majority of breaches originate from inside the organization,” said study co-author Hernan Barros, director of security solutions with Telus. “Based on our discussion, organizations are starting to come around that their real big threat is internal.”
The federal government has rejected legislating basic standards for cyber-security, opting instead to share best practices with industry.