George Edwards thought his company’s security measures were top-notch until the day a third-party assessor came in to test the steps ProPharm had taken to protect itself from attacks.
When the person sent by IBM to test the company’s security system walked unimpeded into ProPharm’s offices in Markham, Ontario, there was a quick realisation that not even basic physical security had been taken into account, said Edwards, a vice-president at the company, which supplies computer technology to pharmacies. And when the assessor asked who the chief security officer was, Edwards was once again at a loss.
"We were thinking we’re pretty good," he said.
Edwards was speaking during a seminar held recently in Ottawa, where the results of an Ipsos-Reid study on Canadian CEOs’ attitudes towards security were announced.
He said the outside evaluation showed the company that there were many areas in which it could be improved.
ProPharm’s once ill-conceived approach to security isn’t that different from that of other Canadian companies. For most, security is only a secondary concern, said David Saffran, a senior vice-president and managing director at Ipsos-Reid.
In a survey of 250 CEOs, protecting the company from malicious attacks ranked fourth in a list of priorities behind reducing the company’s overall expenses, maintaining and building revenues, and hiring qualified staff.
This lukewarm approach to security could come at a cost. According to RCMP statistics, cybercrime is up 65 per cent from last year. And a large number of hacking events go unreported each year, as companies are afraid of going public with such information, said Sgt. Charles Richer, a team leader with the RCMP’s technological crime unit in Ottawa.
Cyberattacks have become more sophisticated since the days of Mafia Boy, Richer said, referring to the Canadian teenager who managed to shut down several high-profile US Web sites in 2000. Though unable to go into details of the cases he’s investigated, Richer said that in one denial-of-service attack, a company was losing $US100,000 a day.
Theft of data is happening at a disturbing rate, he said. Smart card cloning through reverse engineering is also possible, if there isn’t enough security. "We’re investigating things that could have been prevented," Richer said.
Although individual viruses aren’t as common as they once were, more worms are starting to appear, he added.
Many of the crimes are internally generated. Often, the attack is generated from within the network, or the victim knows the perpetrator.
Often, people are the weakest link. "Human issues are at the heart of the matter," Richer said, which is why it’s essential to train and communicate with employees.
The Ipsos-Reid study also found that 46 per cent of CEOs reported being hit with a widespread infection by malicious software, and 20 per cent admitted to being hit by an external hacker in the past year.
To combat such attacks, it’s important to get an outside assessment of your security system while it’s still in the design phase, Edwards said.
ProPharm was forced to undergo such an assessment in order to comply with the Ontario government’s requirements.
As a supplier to pharmacies, the company is more aware of the importance of protecting confidential information than most companies, but this is something all organizations have to worry about, Edwards said.
Among the measures that IBM recommended to ProPharm was the creation of a “poison pill” for the Linux boxes at pharmacies. If a box is stolen and then used to connect to the ProPharm network through which insurance claims are validated, then not only will the connection be severed, but the computer will be sent a command to commit suicide.
Once the system was in place, ProPharm then had a third party test it through ethical hacking.
"You shouldn’t proofread your own work," Edwards said.