According to a recent report released by McAfee - conducted by Leger Marketing, titled, “McAfee’s Canadian Public Sector Security Report,” - 77.5 per cent of Canadian government IT security software decision-makers identify security as a strategic objective. The findings also suggest that for the most part, government bodies seem to be more reactive than proactive and strategic when it comes to managing and implementing their security strategies.

“Despite their larger than average IT department size, governments just don’t seem to have the time, resources or budget to effectively stay ahead of the threats curve,” said Ross Allen, Vice President, Canada, U.K. and Ireland at McAfee, Inc. “Understanding security challenges and threats begins at the top level of government in order to establish sufficient IT budgets that will support trusted security strategies and technologies to combat today’s ever-evolving threats more successfully.”

Sixty-two point five per cent (62.5%) of respondents indicated that identifying security threats is a bigger challenge when compared with remediating attacks. However, 57.5 per cent (57.5%) of respondents reported more time was spent on remediation efforts, which indicates a reactionary approach to security. Almost 88 per cent (87.5%) of respondents reported difficulty in learning about new threats and solutions, while dealing with existing security issues.

Other Key Findings:

Security Threats In the Past 12 Months

• 97.5% have been exposed to some type of security challenge or threat over the past year
• While 80% of respondents were ‘confident’ or ‘very confident’ in their ability to protect mission critical data, 82.5% have experienced data loss or suffered from a breach
• The most common types of threats dealt with over the past year were virus attacks (75%), malware (60%), end-user exposure to malicious websites (40%), network attacks (37.5%), and end-user installation of unauthorized applications on computer or mobile devices (35%)

Impact of Data Breaches and Cost of Threats Suffered

• 40% of respondents experienced loss of productivity as a result of a data breach
• 37.5% suffered reputational damage and 35% experienced a loss of public confidence
• 30% have lost confidential information
• 30% were subject to a privacy investigation
• 82.5% of respondents estimated the total IT support costs of dealing with security threats are between three to 25% (55% from 3-10%; 27% from 11-25%)

Understanding of and Protecting Against Breach Activity

• While 70% indicated they have the security infrastructure in place to mitigate current breach activity, 30% do not believe they can protect against present-day breach activity or said they don’t know
• 37.5% do not understand their current risk exposure
• 77.5% of government IT managers and IT specialists indicated a disconnect between themselves and their CIOs and Directors when it comes to their perception of real and perceived threats
• IT managers and IT specialists are more likely to emphasize a need to focus budget on end-user behaviour and staffing (audit, tracking, education and IT security skillsets), while CIOs and Directors are more likely to focus IT budgets on the purchase of products, services and functionality
• Most respondents learn about emerging threats from industry publications (67.5%) and colleagues (52.5%), followed by mainstream media coverage and other technology vendors, each at 37.5%
• The biggest security concerns are network security (72.5%), data centre security (62.5%), mobile security (57.5%) and bring your own device (BYOD) security (55%)

Social Media and BYOD

• 62.5% of respondents allow their employees to access social media sites and 56 per cent of those believe this increases their exposure to risk
• Of the 37.5% who do not allow their employees to access social media sites, 73.3% believe this mitigates risk
• 40% allow BYOD and access to the network, but of those, only 25% have a sound security policy in place for BYOD

Management Approach and Security Investment

• While only 22.5% manage networks, devices, systems, databases and endpoints from a single or unified console, 45% would prefer having an integrated single management view or outsourcing it to a third-party service provider (32.5%)
• 50% indicate that 21% or more of IT time is spent on ensuring IT security is compliant with regulations; while 22.5% estimate this to take between 41% and 60% of IT time
• 65% indicate new security software purchases in the next 12 months are ‘likely’ or ‘100% certain, while 25% are ‘neutral’ and 10% are ‘not likely’ or ‘not likely at all’ to purchase new software
• 80% of respondents say security will require an increase in spending over the next one to three years
• Although 50% do not feel lack of budget is the primary factor inhibiting security investment, 42.5% indicated lack of budget was the number one factor inhibiting security investment
• Other than lack of budget, the greatest factors inhibiting security investment are poor interoperability of solutions (37.5%), the complexity of security software (32.5%) and little recognition of security problems (30%)

“We have seen a real shift in the threat landscape over the past five or six years,” said Warren Shiau, Director of Research at Leger Marketing. “There has been a significant increase in breaches resulting from end-user behaviour and organizations need to be better prepared to manage these risks. It is not just about protecting against malicious links, it is about educating and raising the overall security awareness of employees.”

Conclusions/Recommendations

• Enhance national mechanisms to share security knowledge. Security issues are not static - they are constantly evolving. Governments must look for cost-effective ways to share information about e merging threats and especially those that are introduced with new corporate initiatives such as cloud computing and bring your own device (BYOD).
• Enable the creation, maintenance and sharing of security best practices. Securing government organizations is more than just about investing in new security countermeasures. Government organizations need more guidance when it comes to successfully deploying and maintaining security tools that are not only effective against attacks, but are also cost-effective. In some instances, acquired technologies are never implemented and as a result, many do not reach their full potential. The sharing of information across all levels and departments of governments will help increase user awareness levels about what security technologies exist, how to properly integrate them and how to measure their effectiveness.
• Bridge the private sector to help. In the cases of threat knowledge and enabling protective programs, the government should build bridges with the private sector to build better capacity for expertise, training initiatives and best practices.
• Increase awareness around the protection and movement of data. Malicious activity has transitioned away from the intent to create computing chaos to benefits from outcomes like financial gain and embarrassment. Having an understanding of an organization’s storage policies and the value of its data will help make prioritizing efforts easier to ensure better protection.
• Governments need to become more adept at responding to new technologies and threats. One example is BYOD where only 25 per cent (25%) of respondents have a sound security policy in place. As trends such as the consumerization of IT continue to grow in popularity, more people rely on their personal and corporate-owned mobile devices to do their jobs. Governments need to be build mechanisms where they see the onset of emerging technologies and must engage early so they can gain knowledge, develop protection strategies and share information across the country.

“Companies spent far too long with their heads in the sand,” said Chris Timmons, Senior Manager of Information Security at Edmonton-based ATB Financial, a crown corporation with 5,000 employees. “If users really want to do something, they will find a way. You need to be proactive with your security policies because users will do it, whether you want them to or not.”

About the Report McAfee Canada commissioned Leger Marketing to interview IT security software decision-makers in Federal, Provincial and Municipal governments. The interviews were completed during the month of February 2012 and included a total of 40 randomly selected IT security software decision makers with final decision making authority on security software purchases, or selection, within the total population of Canadian government top IT security software professionals. The interviews represent a “snapshot” of the current Government security software landscape and are indicative of government IT security experience, behaviour and intent; they are not, however, equivalent to a probability sample yielding quantitative margin of error.

Other IT news about McAfee