TORONTO — With a recent survey showing Canadian organizations are still concerned about security, IBM Canada Ltd. said it will try to address those worries by investing $40 million in IT security services over the next five years, including opening a new security operations centre in Markham, Ont.
Canadians need to start taking a holistic approach to security, said Michael Small, security practice leader for IBM Global Services. Currently, he said, security is addressed with Band-Aids.
Security isn’t just about ensuring information is available; it’s also about confidentiality and protecting an organization’s integrity, he said.
It’s also a top concern among Canadian organizations, according to a survey conducted by IDC Canada. Security ranked third overall behind network upgrades or improvements and Microsoft operating system across the 460 companies surveyed.
Among the security concerns Canadian companies are still grappling with, anti-virus detection and protection, network security and perimeter defence, and e-mail spam and security ranked the highest.
“”Things we thought organizations might have had a handle on, they’re still grappling with,”” said Steve Poelking, the director of research for infrastructure and applications at IDC Canada in Toronto, speaking at an IBM press conference announcing the security centre.
Almost 60 per cent of the organizations surveyed, which were comprised of small, medium and large businesses, said they had experienced a virus attack. Others also admitted to having their networks hacked and to experiencing denial of service attacks.
But very few of those organizations — less than 20 per cent — attempted to calculate the costs of such security breaches.
“”You have to know what your costs are,”” Poelking said.
The security centre will help companies design security management programs, make sure they meet regulatory requirements, do vulnerability assessments and provide 24/7 real-time monitoring. The centre will also have a lab in which organizations can run simulations to test their safeguards against vulnerabilities.
Security threats are real, and they happen all the time, but we often don’t hear about them, said René Hamel, vice-president of computer forensics services for Inkster Group in Toronto, which investigates security breaches.
Incidents such as embezzlement, intellectual property theft and money laundering are common events, but you don’t hear about them, he said. His company follows electronic trails to try to locate the individual behind the keyboard responsible for security breaches.
Viruses are only one type of threat companies have to worry about, Hamel said. They also need to be concerned about internal threats from employees.
But this is something companies don’t like to hear about.
Employees are using anonymous proxy servers more and more, making it difficult to track them unless a company has the ability to react quickly, before logs are overwritten, he said. Monitoring tools and the maintenance of logs are critical, he said.
Companies need to make sure they have policies and controls in place for when employees leave — not only to cut off their access to e-mail and applications but to make sure they don’t walk out with CDs burned with company information. They also need to be more diligent about backups, he said. Once a week for a medium-sized company is not enough, Hamel said.
“”People, believe it or not, are not, to this day, as tight on backup schedules as they should be,”” he said.
In one case Hamel is currently working on, some culprits were able to extract information from a company and are threatening to go public with that information unless the company gives them money. They have requested that a bank card be sent to them, which they intend to then use to withdraw money. And not all bank machines are equipped with cameras, he said.
Attackers are becoming more sophisticated, he said, and the law is slowly catching up.