The good news is that businesses are getting better at detecting security attacks. Now, businesses just have to get better at working to remediate against and prevent those attacks.
“Detection alone is not security,” Ben Sapiro, research director for the security practice at
Telus Security Labs, told attendees at the
SecTor Security Education Conference Wednesday in Toronto. “A lot of work is being done on finding the problems, but not enough on solving them.”
Sapiro presented his own spin on the recent study on Canadian IT security practices by
Telus and the
Rottman School of Management, which notes – among other findings – that from last year to this year, businesses discovered almost four times as many breaches, but the cost per breach went down.
Sapiro said this is because companies have become better at discovering when they’re being attacked, largely because of the importance of compliance legislation in both the Canada and the US over the last few years.
“Last year, people were experiencing a similar number of breaches, they just weren’t finding them,” Sapiro said.
But the problem is that many business execs back off their security pushes when “they’ve got all the little checkmarks from their lawyers” that they are able to detect any attempted breaches.
The Telus/Rotman study takes a look at how much companies are spending on security to be happy with their security posture. In the 2008 edition of the study, businesses were happiest when spending five per cent of their overall IT budget on security, that is to say that further investment in security did not equate with further satisfaction in their actual security posture. In 2009, that figure jumped threefold to 15 per cent, largely because of the increasing costs of dealing with all the breaches that are now being discovered.
