People often the weak security link for Canadian firms: report

Many security leaders at Canadian firms say they fear that not knowing about a cyber breach doesn’t mean one hasn’t occurred, leading to concerns around brand reputation, notes a new report from Telus and the Rotman School of Management at the University of Toronto.

The Canadian IT Security study took a qualitative approach to its research, sitting down with IT and security decision-makers from firms across the country.

When asked what keeps these security leaders up at night, many said they have a fear that their organization has been breached and they just don’t know about it.
That’s not a completely unfounded fear, the report suggests, noting incidents such as a cyber breach of Nortel that went on undetected for years.

People are also often seeing as the weakest link in IT security, with many data breaches coming from “insiders,” usually unintentionally, the report notes.

Unfortunately, have strict policies on things like social networking and mobile devices may have the opposite effect, leading employees to break rules and leave their technology open to unmonitored threats, the report states.

If an organization bans certain sites at work, for example, and an employee accesses it through their smartphone or tablet, the risk is going unmonitored and the company could be breached undetected.

“It is critical that organizations remain open to new technologies so employees are empowered with the tools to increase productivity,” noted Hernan Barros, director of Telus Security Solutions.

“Equally important however, is that organizations ensure employees understand how to use new tools responsibly, and that adherence to security policy is made convenient and simple. Ongoing security awareness training can help ensure compliance.”

Overall, more companies should begin embracing new or popular technology requested by employees, the report recommends.

“This is not to say that IT security managers should simply say yes blindly and deploy new IT strategies without due diligence,” the report states. “Rather, security managers need to understand that simply saying no will not work.”