Information Technology departments in government and business organizations across Canada have seen the number and cost of security breaches soar this year, and the fastest-growing cause of such breaches is often employees within those organizations, according to a new study released Tuesday.
The 2009 joint study on Canadian IT security practices - conducted by TELUS and the Rotman School of Management at the University of Toronto - surveyed more than 600 Canadian IT security professionals.
According to the study, IT security breaches - everything from viruses to intellectual property theft to abuse by employees - cost the average Canadian organization $834,149 in 2009, almost double the amount reported in last year's study. The average number of reported IT security breaches also soared to 11.3 per organization in 2009, compared to three per organization in 2008.
Walid Hejazi, a professor of business economics at the Rotman School of Management at the University of Toronto and co-author of the study, said he expected the number of security breaches to jump during a financial downturn, as businesses and government organizations scale back their IT budgets to save money. On average, the survey's respondents reported a 10 per cent drop in their IT security budgets.
But lower security budgets aren't the only reason breaches tend to soar during tough economic times - employees themselves can often be the cause of such problems.
"The threat environment worsens because when the economy goes into a downturn, job losses mount, and as people leave the organization many often take data with them," Mr. Hejazi said.
About 33 per cent of reported security breaches this year came from within companies, and unauthorized access by employees represented the fastest-growing threat area, according to TELUS Security Labs managing director and study co-author Alan LeFort.
Last year, about 17 per cent of Canadian organizations reported so-called "insider breaches." This year, that number has more than doubled to 36 per cent.
Of all the respondents surveyed, those in the government sector reported the biggest jump in security breach costs this year. Average annual security breach costs in the government sector more than tripled this year to $1,004,799, up from $321,429 in 2008.
Mr. LeFort said new data security standards and legislation means government agencies are doing much more data monitoring than in previous years, inevitably leading to more reports of security breaches. While threat levels have gone up during the economic downturn, he said, organizations are also getting better at catching breaches that were happening anyway.
"Organizations are better at detecting things," Mr. LeFort said. "It's not that they're less efficient at stopping things, it's actually the things that were happening before, they're better at noticing them and they have processes for reporting them, which in a way is good news."