The Informatica blog - Authored by Claudiu Popa

New "Big Name" Security Study Apparently Aims to Confuse, Amuse Canadian Audience

IT Security study on Canadian public and private sector is confusing at best and amusing at least

When TELUS and the University of Toronto's Rotman School of Management got together with the grandiose goal of getting some cold hard numbers behind the Canadian information security landscape for their "2011 Rotman-TELUS Joint Study on Canadian IT Security Practices", they probably didn't anticipate it would be that complicated to quantify the state of affairs. After all, you should just have to ask the right questions and the answers should take care of themselves, right?
 
Right-o. So the initial page trumpets its achievement of having interrogated 600 IT professionals across a wide swath of Canadian industry, promises to "provide clarity on the Canadian security landscape, especially as it relates to emerging trends in breaches, threats and preparedness." At the risk of making readers gag, it proclaims: "It's information that you won't find anywhere else - this is the only Canadian-focused study on IT security."
 
I tend to agree. We won't find this stuff anywhere else, although the rhetoric seems particularly banal: "insights on breaches in the age of global and personal hacks" <yawn> "IT complexity and what it means for senior executives" <sheesh!>  "security concerns around mobile devices in the workplace" <oh boy!>.

TELUS and The Rotman School of Management - whose motto is "a new way to think" - decided that asking a few hundred IT professionals and reporting the straight dope would be the way to go. Fair enough. So overall security breaches are apparently down 50% from last year. But last year they were up 29% over the previous year. Although they acknowledge that the discrepancies in the reporting of breaches may be due to a variety of factors, it's all about the numbers. But wait, the study is on "IT Security Practices". So why not include some of those promised 'clarity' and 'insights' instead of meaningless figures? Ah, is it because you don't want to alienate potential respondents whose participation in future years may continue to facilitate the production of this um.. "study"? No need for cynicism here. By their own admission, over the past 4 studies, some 2000 people have been interviewed, so if this year's number of 600+ is unprecedented, then we're looking at an awful lot of turnover in respondents. Is the spectre of a lack of a clear baseline starting to form? The fact that this undermines the very meaning of the numbers perhaps underlined the need for bravely including other factors within those promised deliverables. And so it was.
 
To be fair, the ever-expanding scope of the report appears to now include every buzzword known to man: social media, mobile security, cloud computing, people process and technology, risk posture, breaches, privacy, internal, external monitoring, etc. are all words lifted from the intro page alone. I copy them here without hesitation because I know as well as they do, that it will endear me to search engines, but the ambitious undertaking is no less daunting because of the ridiculous promotional verbiage.  

In the interest of your time and my tireless efforts to combat reverse peristalsis, I'll pluck out a handful of gems from this landmark study to at least see you off on this year 2012 with a smile on your face:

1. Government sector insider breaches are up 28% in one year.
 
One of the august figures appointed by TELUS to help ensure the paper was received with adequate fanfare exclaimed: "This is quite alarming". Really? How about the fact that government organizations care more about compliance than the private sector, and they're all adapting to new and emerging breach notification regulations? Hmmm?

2. The number of security breaches per government organization is down but that only points to faulty approaches to IT security.
 
Huh? Wait, so. um.. no. Never mind. Have a look at this picture, then move on.

3. Over twice as many thefts, losses and other breaches were reported by government organizations than private sector firms.
 
There's a surprise! See my first point but brace yourself for my next one.

4. Blocking access to social networking sites like Facebook actually results in more breaches.
 
Wow. Really? People will defy their tyrannical overlords when told they can't access Facebook? Or is it more likely that someone in IT has simply misconfigured Internet filtering to allow certain sites (and the ever-elusive instant messaging clients) to connect via a more circuitous route? If Skype finds its own way out of your network, is that really a breach of policy? Oh, let's call it an insider security breach and report it. It'll make for good press.

5. The cost of resolving breaches "for all types of organizations" has gone from $800,000 to $80,000 in the past 2 years.
 
Before even bothering to get your head around the astronomical numbers, you should note that the figure was pegged at $400,000 three years ago, making these figures seem random at best.
 
6. The main expert engaged to decisively drive the point home concluded that "Unfortunately, the government is doing a really, really poor job in raising [security] awareness...This secrecy is not helping us at all. We need more transparency
 
Taken out of context, his words are so trivial that I wouldn't blame you if you stopped reading right here. But the inclusion of said context - his point being that unauthorized access to sensitive data is usually the fault of people more so than technology - doesn't improve matters any. "A new way to think" indeed.

If I could stomach it, I'd go on, because many more pearls of wisdom await the determined reader, but I'll stop here. Remember to take security experts - including yours truly - with a grain of salt!

Enjoy 2012 and give common sense a chance! ;)
