Government IT security still reactive, not proactive

McAfee Canada chief Ross Allen

McAfee Canada chief Ross Allen

A report commissioned by McAfee has found a disconnect between perceived and real security in the Canadian public sector. Although 77.5 per cent of Canadian government IT security software decision-makers identify security as a strategic objective, the Leger Marketing study found that the public sector is still behind the times — being more reactive than proactive and strategic.

“Despite their larger than average IT department size, governments just don’t seem to have the time, resources or budget to effectively stay ahead of the threats curve,” said Ross Allen, vice president of Canada, U.K. and Ireland at McAfee, noted in a statement. “Understanding security challenges and threats begins at the top level of government in order to establish sufficient IT budgets that will support trusted security strategies and technologies to combat today’s ever-evolving threats more successfully.”

“McAfee’s Canadian Public Sector Security Report” found that 70 per cent of government IT security decision-makers believe they have the security infrastructure in to mitigate current breach activity, there’s a big question mark over the heads of the other 30 per cent, who admitted they don’t believe they could protect against present day threats or simply didn’t know if they could.

Contrast that to the effect breaches have had on Canadian governments. Forty per cent of respondents said they have experienced loss of productivity as a result of a data breach, 37.5 per cent suffered reputational damage and 35 per cent experienced a loss of public confidence. Anybody with information stored in the public sector may have something to be concerned about, as 30 per cent of respondents said confidential information had been lost and 30 per cent were subject to privacy investigation. Security breaches are also wreaking havoc on budgets, with 82.5 per cent of respondents estimating total IT support costs of dealing with security threats between three and 25 per cent.

“We have seen a real shift in the threat landscape over the past five or six years,” said Warren Shiau, director of research at Leger Marketing, in a statement. “There has been a significant increase in breaches resulting from end-user behaviour, and organizations need to be better prepared to manage these risks. It is not just about protecting against malicious links; it is about educating and raising the overall security awareness of employees.”

According to the study, 97.5 per cent of respondents indicated they had been exposed to some type of security challenge or threat in the last year. Confidence in their own abilities and technologies are high considering the number of respondents who have had to contend with breaches. Eighty per cent of respondents said they were “confident” or “very confident” in their ability to protect mission-critical data, but 82.5 per cent of respondents said they have experienced data loss or suffered a breach.

“Companies spent far too long with their heads in the sand,” said Chris Timmons, senior manager of information security at Edmonton-based ATB Financial, a crown corporation with 5,000 employees. “If users really want to do something, they will find a way. You need to be proactive with your security policies because users will do it, whether you want them to or not.”

The report had several recommendations, including:

  • Enhance national mechanisms to share security knowledge.
  • Enable the creation, maintenance and sharing of security best practices.
  • Bridge the private sector to help.
  • Increase awareness around the protection and movement of data.
  • Governments need to become more adept at responding to new technologies and threats.