IT security incidents up for 1 in 5 Canadian firms: Survey

Canada lagging behind global counterparts in information security investments

More than one-fifth (21 per cent) of Canadian businesses have seen more IT security incidents in the last year, found a survey by Ernst & Young.

And investment in the area of information security lags behind global trends, found In Fighting to Close the Gap: Ernst & Young's 2012 Global Information Security Survey, which polled 1,800 employers in 64 countries.

Just five per cent of spending was invested in new technologies and management processes targeting information security over the last 12 months, found the report.

"In recent years, businesses have made significant moves to respond to information security threats by addressing vulnerabilities with increased resources, training, governance and integration," said Rafael Etges, Ernst & Young's information security practice leader in Toronto. "But with better technology and smarter attacks occurring in greater numbers, short-term solutions and incremental changes are not enough. What we need now is a fundamental business transformation to close the gap."

With a primary focus on security operations and maintenance rather than on innovation, only 36 per cent of Canadian respondents indicate that their function fully meets their need.

"Today in Canada, information security functions are fixing problems that are three to five years old, and the gap between what they are doing and should be doing has widened," said Etges.

In the fight to close the gap between vulnerability and security, the information security agenda should no longer be IT led, but rather focused on the overall business strategy.

According to Ernst & Young, it requires a fundamental business transformation, which can be achieved through the following four key steps:

Link information security strategy to the business strategy: Right now in Canada, 42 per cent of respondents don't have information security strategies. Moreover, a significant number of respondents don't have threat intelligence programs, or assurance that their security vendors are doing what they are supposed to be doing.

Redesign the architecture: The successful approach will demonstrate how information security can deliver business results, allowing for innovation and incorporating new technologies.

Execute the transformation successfully and sustainably: Involve leaders in defining the future state, and involve the entire organization in owning the future state. Provide execution support down the road, and be transparent with challenges and fixes.

Conduct a deep dive into the opportunities — and the risks — presented by new technologies: Take a 360-degree look at new technologies such as social media, big data, cloud and mobile technologies to identify and offset the associated risks.
