McAfee Report Reveals a Disconnect Between Perceived and Real Security Levels in Canadian Governments

Eighty per cent were ‘Confident’ or ‘Very Confident’ in their
Ability to Protect Mission Critical Data, Yet 82.5 per cent Experienced
a Data Breach in the Past 12 Months

Markham, ON - June 14, 2012 - According to “McAfee’s Canadian Public
Sector Security Report,” a recent report conducted by Leger Marketing
and released today by McAfee, 77.5 per cent of Canadian
government IT security software decision-makers identify security as a
strategic objective. The findings also suggest that for the most part,
government bodies seem to be more reactive than proactive and strategic
when it comes to managing and implementing their security strategies.

“Despite their larger than average IT department size, governments
just don’t seem to have the time, resources or budget to effectively
stay ahead of the threats curve,” said Ross Allen, Vice President,
Canada, U.K. and Ireland at McAfee, Inc. “Understanding security
challenges and threats begins at the top level of government in order to
establish sufficient IT budgets that will support trusted security
strategies and technologies to combat today’s ever-evolving threats
more successfully.”

Sixty-two point five per cent (62.5%) of respondents indicated that
identifying security threats is a bigger challenge when compared with
remediating attacks. However, 57.5 per cent (57.5%) of respondents
reported more time was spent on remediation efforts, which indicates a
reactionary approach to security. Almost 88 per cent (87.5%) of
respondents reported difficulty in learning about new threats and
solutions, while dealing with existing security issues.

Other Key Findings:

Security Threats In the Past 12 Months
● 97.5% have been exposed to some type of security challenge or
threat over the past year
● While 80% of respondents were ‘confident’ or ‘very
confident’ in their ability to protect mission critical data, 82.5%
have experienced data loss or suffered from a breach
● The most common types of threats dealt with over the past year were
virus attacks (75%), malware (60%), end-user exposure to malicious
websites (40%), network attacks (37.5%), and end-user installation of
unauthorized applications on computer or mobile devices (35%)

Impact of Data Breaches and Cost of Threats Suffered
● 40% of respondents experienced loss of productivity as a result of
a data breach
● 37.5% suffered reputational damage and 35% experienced a loss of
public confidence
● 30% have lost confidential information
● 30% were subject to a privacy investigation
● 82.5% of respondents estimated the total IT support costs of
dealing with security threats are between 3% and 25% (55% from 3-10%;
27% from 11-25%)

Understanding of and Protecting Against Breach Activity
● While 70% indicated they have the security infrastructure in place
to mitigate current breach activity, 30% do not believe they can protect
against present-day breach activity or said they don’t know
● 37.5% do not understand their current risk exposure
● 77.5% of government IT managers and IT specialists indicated a
disconnect between themselves and their CIOs and Directors when it comes
to their perception of real and perceived threats
● IT managers and IT specialists are more likely to emphasize a need
to focus budget on end-user behaviour and staffing (audit, tracking,
education and IT security skillsets), while CIOs and Directors are more
likely to focus IT budgets on the purchase of products, services and
functionality
● Most respondents learn about emerging threats from industry
publications (67.5%) and colleagues (52.5%), followed by mainstream
media coverage and other technology vendors, each at 37.5%
● The biggest security concerns are network security (72.5%), data
centre security (62.5%), mobile security (57.5%) and bring your own
device (BYOD) security (55%)

Social Media and BYOD
● 62.5% of respondents allow their employees to access social media
sites and 56 per cent of those believe this increases their exposure to
risk
● Of the 37.5% who do not allow their employees to access social
media sites, 73.3% believe this mitigates risk
● 40% allow BYOD and access to the network, but of those, only 25%
have a sound security policy in place for BYOD

Management Approach and Security Investment
● While only 22.5% manage networks, devices, systems, databases and
endpoints from a single or unified console, 45% would prefer having an
integrated single management view or outsourcing it to a third-party
service provider (32.5%)
● 50% indicate that 21% or more of IT time is spent on ensuring IT
security is compliant with regulations; while 22.5% estimate this to
take between 41% and 60% of IT time
● 65% indicate new security software purchases in the next 12 months
are ‘likely’ or ‘100% certain’, while 25% are ‘neutral’ and 10%
are ‘not likely’ or ‘not likely at all’ to purchase new
software
● 80% of respondents say security will require an increase in
spending over the next one to three years
● Although 50% do not feel lack of budget is the primary factor
inhibiting security investment, 42.5% indicated lack of budget was the
number one factor inhibiting security investment
● Other than lack of budget, the greatest factors inhibiting security
investment are poor interoperability of solutions (37.5%), the
complexity of security software (32.5%) and little recognition of
security problems (30%)

“We have seen a real shift in the threat landscape over the past five
or six years,” said Warren Shiau, Director of Research at Leger
Marketing. “There has been a significant increase in breaches
resulting from end-user behaviour and organizations need to be better
prepared to manage these risks. It is not just about protecting against
malicious links, it is about educating and raising the overall security
awareness of employees.”

Conclusions/Recommendations
● Enhance national mechanisms to share security knowledge. Security
issues are not static - they are constantly evolving. Governments must
look for cost-effective ways to share information about emerging threats
and especially those that are introduced with new corporate initiatives
such as cloud computing and bring your own device (BYOD).
● Enable the creation, maintenance and sharing of security best
practices. Securing government organizations is more than just about
investing in new security countermeasures. Government organizations need
more guidance when it comes to successfully deploying and maintaining
security tools that are not only effective against attacks, but are also
cost-effective. In some instances, acquired technologies are never
implemented and as a result, many do not reach their full potential. The
sharing of information across all levels and departments of governments
will help increase user awareness levels about what security
technologies exist, how to properly integrate them and how to measure
their effectiveness.
● Bridge the private sector to help. In the cases of threat knowledge
and enabling protective programs, the government should build bridges
with the private sector to build better capacity for expertise, training
initiatives and best practices.
● Increase awareness around the protection and movement of data.
Malicious activity has shifted away from an intent to create
computing chaos and toward outcomes such as financial gain and
embarrassment. Having an understanding of an organization’s storage
policies and the value of its data will help make prioritizing efforts
easier to ensure better protection.
● Governments need to become more adept at responding to new
technologies and threats. One example is BYOD where only 25 per cent
(25%) of respondents have a sound security policy in place. As trends
such as the consumerization of IT continue to grow in popularity, more
people rely on their personal and corporate-owned mobile devices to do
their jobs. Governments need to build mechanisms where they see the
onset of emerging technologies and must engage early so they can gain
knowledge, develop protection strategies and share information across
the country.

“Companies spent far too long with their heads in the sand,” said
Chris Timmons, Senior Manager of Information Security at Edmonton-based
ATB Financial, a crown corporation with 5,000 employees. “If users
really want to do something, they will find a way. You need to be
proactive with your security policies because users will do it, whether
you want them to or not.”

About the Report
McAfee Canada commissioned Leger Marketing to interview IT security
software decision-makers in Federal, Provincial and Municipal
governments. The interviews were completed during the month of February
2012 and included a total of 40 randomly selected IT security software
decision makers with final decision making authority on security
software purchases, or selection, within the total population of
Canadian government top IT security software professionals. The
interviews represent a “snapshot” of the current Government security
software landscape and are indicative of government IT security
experience, behaviour and intent; they are not, however, equivalent to a
probability sample yielding quantitative margin of error.

About McAfee
McAfee, a wholly owned subsidiary of Intel Corporation (NASDAQ:INTC),
is the world's largest dedicated security technology company. McAfee
delivers proactive and proven solutions and services that help secure
systems, networks, and mobile devices around the world, allowing users
to safely connect to the Internet, browse and shop the Web more
securely. Backed by its unrivaled Global Threat Intelligence, McAfee
creates innovative products that empower home users, businesses, the
public sector and service providers by enabling them to prove compliance
with regulations, protect data, prevent disruptions, identify
vulnerabilities, and continuously monitor and improve their security.
McAfee is relentlessly focused on constantly finding new ways to keep
our customers safe. http://www.mcafee.com.

McAfee Canada is headquartered in Markham, Ontario, with regional
offices across Canada. The company's Consumer Software Research and
Development facility is based in Waterloo, Ontario.

About Leger Marketing
Leger Marketing - the largest Canadian-owned polling firm - also owns
The Research Intelligence Group (TRIG) in the United States,
LegerWeb.com, the biggest panel in Canada with 400,000 panelists, Leger
Analytics, for advanced statistical analysis, and Leger Strategic
Consulting, a division that specializes in communication and strategic
positioning.

-30-