Skip to main content
The Globe and Mail
Support Quality Journalism.
The Globe and Mail
First Access to Latest
Investment News
Collection of curated
e-books and guides
Inform your decisions via
Globe Investor Tools
per week
for first 24 weeks

Enjoy unlimited digital access
Enjoy Unlimited Digital Access
Get full access to
Just $1.99 per week for the first 24 weeks
Just $1.99 per week for the first 24 weeks
var select={root:".js-sub-pencil",control:".js-sub-pencil-control",open:"o-sub-pencil--open",closed:"o-sub-pencil--closed"},dom={},allowExpand=!0;function pencilInit(o){var e=arguments.length>1&&void 0!==arguments[1]&&arguments[1];select.root=o,dom.root=document.querySelector(select.root),dom.root&&(dom.control=document.querySelector(select.control),dom.control.addEventListener("click",onToggleClicked),setPanelState(e),window.addEventListener("scroll",onWindowScroll),dom.root.removeAttribute("hidden"))}function isPanelOpen(){return dom.root.classList.contains(}function setPanelState(o){dom.root.classList[o?"add":"remove"](,dom.root.classList[o?"remove":"add"](select.closed),dom.control.setAttribute("aria-expanded",o)}function onToggleClicked(){var l=!isPanelOpen();setPanelState(l)}function onWindowScroll(){window.requestAnimationFrame(function() {var l=isPanelOpen(),n=0===(document.body.scrollTop||document.documentElement.scrollTop);n||l||!allowExpand?n&&l&&(allowExpand=!0,setPanelState(!1)):(allowExpand=!1,setPanelState(!0))});}pencilInit(".js-sub-pencil",!1); // via darwin-bg var slideIndex = 0; carousel(); function carousel() { var i; var x = document.getElementsByClassName("subs_valueprop"); for (i = 0; i < x.length; i++) { x[i].style.display = "none"; } slideIndex++; if (slideIndex> x.length) { slideIndex = 1; } x[slideIndex - 1].style.display = "block"; setTimeout(carousel, 2500); } //

Getty Images/iStockphoto

The toll of cyber crime appears to be rising as criminals become more sophisticated and more focused on financial gain. And while businesses are doing a bit better at protecting themselves, criminals have become better at bypassing the standard security measures, experts say.

To complicate matters, more businesses are adopting cloud computing, in which they run software and store data on computers outside their own premises and their own direct control. (The term can also refer to internal or private clouds, which distribute work over multiple servers but only within an organization.)

Worries about data hold some businesses back from cloud computing. When Toronto-based technology news site surveyed about 300 small and medium businesses last September, about 35 per cent named security as their biggest concern about cloud computing.

Story continues below advertisement

But cloud computing isn't necessarily less secure, says Brian Baird, chair of the Canadian chapter of the non-profit Cloud Security Alliance and chief technology officer of the Identity Management Centre of Excellence at SaskTel in Regina.

"If you're running a completely isolated and private network on your own premises," Mr. Baird says, "then there's a pretty good likelihood of control."

Few organizations do that, however; if you're dealing with customers and partners, those services are exposed to the Internet in one way, shape or form.

Yet putting data in the cloud does not have to make it more exposed. And since good security is costly, Mr. Baird says, a major cloud service provider can usually do it better than an average small to medium business.

The basics of security are keeping anti-malware software up to date, applying security patches to software promptly and protecting the perimeter through firewalls and the like, says James Quin, lead analyst at Info-Tech Research Group in London, Ont. And those rules still apply in the cloud. But for businesses using the most popular cloud computing services, security becomes less a hands-on matter of maintaining firewalls and more a question of choosing cloud service providers wisely and asking the right questions about their security practices.

Most cloud computing today takes the form of software-as-a-service, where the cloud provider offers a complete application running on its own servers. In this model the cloud provider takes responsibility for security, and the customer's concern is making sure the provider does its job.

Customers should look for possible holes in the defences – things that may be overlooked, such as whether backup tapes are encrypted before they leave the provider's premises.

Story continues below advertisement

Would-be cloud customers can also look for "some kind of third-party validation of that cloud or the technology powering that cloud," says Eran Farajun, executive vice-president of Asigra Inc., a Toronto-based cloud backup service provider.

For instance, the Statement on Auditing Standards No. 70 (SAS 70), developed by the American Institute of Certified Public Accountants, covers internal controls including information technology and related processes. FIPS 140 is a cryptographic standard developed by the National Institute of Standards and Technology in the U.S.

No matter how good the cloud provider's security, Mr. Quin says, off-site cloud computing means data passes over a public network between the business and the service provider. If that data is at all sensitive, it should be encrypted for transmission.

One twist on security that arises in cloud computing is the need to ensure that you can get your data back if the cloud provider goes out of business or either party terminates the contract.

"You, the customer of the service, maintain ownership and control of the data at all times," Mr. Baird says. Otherwise, warns Mr. Farajun, "you might get such a secure cloud that you can't get your own data out of it."

While most cloud computing today follows the software-as-a-service model, other models called platform-as-a-service and infrastructure-as-a-service mean the customer is essentially buying raw computing power, possibly with a layer of operating software on top, rather than applications. In that case, Mr. Moss says, the customer rather than the cloud provider is responsible for the details of security, more like in the traditional computing model.

Story continues below advertisement

State of security

The median cost of cybercrime by businesses surveyed in the Second Annual Cost of Cyber Crime Study, conducted by the Ponemon Institute of Traverse City, Mich., last summer, was $5.9-million (U.S.) per business, per year. Individual businesses reported costs ranging from $1.5-million to $36.5-million a year. Computer maker Hewlett-Packard Co. of Palo Alto, Calif., sponsored the survey.

That median number was up 56 per cent from Ponemon's first survey in July, 2010.

While this particular survey has been done only twice, Ponemon Institute has studied cyber crime for years. Larry Ponemon, its chairman and founder, says the damage cyber crime does is growing as criminals have grown more sophisticated.

The apparent increase in losses could be due partly to increased reporting of security breaches, notes Mr. Quin, but there's no question cyber criminals are focusing on money. "Cyber crime is a very monetized threat," Mr. Quin says.

Criminals are going after the online targets with the biggest rewards, says Tom Moss, director of products and services for security software provider Trend Micro Canada in Ottawa. "It's not necessarily mischief any more."

Story continues below advertisement

The good news, Mr. Quin says, is that everyone is more aware of the threats.

But there's no room for complacency. Mr. Ponemon says he would give U.S. companies a grade of C+ on security today compared with perhaps a D- 10 years ago. He adds that Canadian businesses do a slightly better job than their American counterparts at security and protecting privacy – but their record is still less than exemplary.

Report an error Editorial code of conduct
Due to technical reasons, we have temporarily removed commenting from our articles. We hope to have this fixed soon. Thank you for your patience. If you are looking to give feedback on our new site, please send it along to If you want to write a letter to the editor, please forward to

Welcome to The Globe and Mail’s comment community. This is a space where subscribers can engage with each other and Globe staff. Non-subscribers can read and sort comments but will not be able to engage with them in any way. Click here to subscribe.

If you would like to write a letter to the editor, please forward it to Readers can also interact with The Globe on Facebook and Twitter .

Welcome to The Globe and Mail’s comment community. This is a space where subscribers can engage with each other and Globe staff. Non-subscribers can read and sort comments but will not be able to engage with them in any way. Click here to subscribe.

If you would like to write a letter to the editor, please forward it to Readers can also interact with The Globe on Facebook and Twitter .

Welcome to The Globe and Mail’s comment community. This is a space where subscribers can engage with each other and Globe staff.

We aim to create a safe and valuable space for discussion and debate. That means:

  • Treat others as you wish to be treated
  • Criticize ideas, not people
  • Stay on topic
  • Avoid the use of toxic and offensive language
  • Flag bad behaviour

Comments that violate our community guidelines will be removed.

Read our community guidelines here

Discussion loading ...

To view this site properly, enable cookies in your browser. Read our privacy policy to learn more.
How to enable cookies