BreachExchange mailing list archives

Canadian data breaches: The only thing that will lead to change


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 20 Nov 2013 23:29:42 -0700

http://ca.finance.yahoo.com/blogs/dashboard/canadian-data-breaches-only-thing-lead-change-154929154.html

It may be difficult to prove this statistically, but it is highly unlikely
anyone will be able to guilt Canadian companies into spending more money to
fend off potential computer security attacks.

This week EMC Corp. released the results of a worldwide survey conducted by
research firm Vanson Bourne that showed only 58 per cent of technology
professionals here think their bosses are confident in the security and
performance of their computer systems. In other words, you could reasonably
infer that many executives would not be able to offer their customers much
assurance that their company won’t be brought down by hackers, lose
personal information or worse.

Even if you interpreted it another way – that the 58 per cent shows at
least more than half have faith in their computer security – it’s possible
that faith is misplaced. After all, 53 per cent of executives surveyed also
said they had suffered at least one technology incident in the last 12
months. The word “incident,” in this case, could mean a lot of things, but
even if it only refers to computer systems crashing for a few minutes,
there are obviously a lot of companies still grappling with technology
glitches. Overall, Canada ranked 9th out of 16 countries in terms of
deploying advanced security products.

“This needs to be elevated to the boardroom,” EMC Canada managing director
Michael Sharun told reporters at a briefing about the survey results. Part
of the problem, he suggested, is that certain industries are less tied to
their computer systems than others. In oil and gas, for example, “even amid
downtime, the oil is still there.”

There’s even more to it than that, though. Although the EMC research is
more useful than similar studies because it actually has a decent amount of
Canadian-specific data, individual companies aren’t likely to be motivated
to improve our international standing in data protection out of some vague
sense of patriotism. They’re only really interested in the fate of their
own organizations, and even then, it’s only when a technology disaster
becomes public knowledge. When Adobe admitted last month it suffered a
breach that compromised 150 million users, you can be sure there will be a
commitment to better computer security.

No matter how high-profile the incident, however, companies never seem to
learn from the mistakes of others. Few would want to go through the hell
that Sony experienced with the data breach involving its PlayStation online
network two years ago, for instance. Yet the EMC study’s figures on
security lapses are consistent with similar surveys from Symantec, McAfee
and Telus, among others.

Instead of focusing on the trust or confidence of the people who run
Canadian companies, as EMC did, perhaps Canadian companies should ask
themselves how well their customers would rate them in computer security.
And then maybe they should actually have the courage to ask some of those
customers directly with their own research. If scary statistics and even
scarier news stories aren't driving them to improve, direct feedback from
the people they claim to care about is probably the only thing that will.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
