Rising IT security incidents show Canadian businesses at risk

Canadians lag behind global counterparts in IT risk spending as security incidents rise for 21% of Canadian businesses, reports Ernst & Young

Toronto (Nov. 19, 2012) – With 21% of Canadian businesses surveyed seeing more IT security incidents in the last year, companies here need to fundamentally change the way they’re approaching this kind of risk, Ernst & Young says in a new report.

What’s more, investment in the area of information security lags behind global trends. In Fighting to close the gap: Ernst & Young’s 2012 Global Information Security Survey, the firm finds that Canada is lagging behind most countries in security innovation, with little more than 5% of spending invested in new technologies and management processes targeting information security over the last 12 months.

“In recent years, businesses have made significant moves to respond to information security threats by addressing vulnerabilities with increased resources, training, governance and integration,” says Rafael Etges, Ernst & Young’s Information Security Practice Leader in Toronto. “But with better technology and smarter attacks occurring in greater numbers, short-term solutions and incremental changes are not enough. What we need now is a fundamental business transformation to close the gap.”

With a primary focus on security operations and maintenance rather than on innovation, only 36% of Canadian respondents indicate that their function fully meets their need. “Today in Canada, information security functions are fixing problems that are three to five years old, and the gap between what they are doing and should be doing has widened,” notes Etges.

In the fight to close the gap between vulnerability and security, Etges believes the information security agenda should no longer be IT led, but rather focused on the overall business strategy. It requires a fundamental business transformation, which can be achieved through the following four key steps:

1. Link information security strategy to the business strategy: Right now in Canada, 42% of respondents don’t have information security strategies. Moreover, a significant number of respondents don’t have threat intelligence programs, or assurance that their security vendors are doing what they are supposed to be doing.

2. Redesign the architecture: The successful approach will demonstrate how information security can deliver business results, allowing for innovation and incorporating new technologies.

3. Execute the transformation successfully and sustainably: Involve leaders in defining the future state, and involve the entire organization in owning the future state. Provide execution support down the road, and be transparent with challenges and fixes.

4. Conduct a deep dive into the opportunities — and the risks — presented by new technologies: Take a 360-degree look at new technologies such as social media, big data, cloud and mobile technologies to identify and offset the associated risks.

To read the complete survey findings and recommendations for organizations, visit ey.com/GISS.

About Ernst & Young

Ernst & Young is a global leader in assurance, tax, transaction and advisory services. Worldwide, our 167,000 people are united by our shared values and an unwavering commitment to quality. We make a difference by helping our people, our clients and our wider communities achieve their potential.For more information, please visit ey.com/ca.

Ernst & Young refers to the global organization of member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients.