The proportion of "insider" internet security breaches caused by employees are rising quickly within Canadian government departments and agencies, a new study shows.

IT security breaches decline

The study found that overall, IT security breaches were down nearly 50 per cent from last year. Etges suggested that this was because breaches were only reported if they resulted in a material or financial loss to the organization, and companies may be better at dealing with some types so that they no longer cause such losses. Government breaches specifically were down 23 per cent, from 22.4 per organization in 2010 to 17.3 per organization in 2011.

The average cost of breaches for all organizations was also down overall from an average of $179,508 in 2010 to $82,903 in 2011.

The top three types of breaches were:

  • Viruses and malware (45%).
  • Laptop and mobile device thefts (22%).
  • Phishing and pharming attacks (20%).

Insider breaches in the government sector grew by 28 per cent between 2010 and 2011 and are up 68 per cent since 2008, the fourth annual Telus-Rotman joint study on Canadian IT security practices reported Tuesday. They now make up 42 per cent of breaches reported by government organizations, compared to 27 per cent of breaches at public corporations and 16 per cent at private businesses.

"This is quite alarming," said Rafael Etges, director for security and risk consulting services at Telus Security Solutions, who co-authored the report with Neil Begin, program director at Telus Security Labs and Walid Hejazi, professor of business economics at the University of Toronto's Rotman School of Management.

That alarm shouldn't be necessarily eased by the fact that the number of breaches per government organization have declined slightly in the past year, Etges said, because it points to weaknesses in the government's approach to IT security.

Insider breaches include both malicious and accidental incidents, such as laptop or mobile devices losses and unauthorized access to networks or data by employees.

In fact, the latter type are reported at a much higher rate by government organizations than public and private companies, the study found:

  • Laptop or mobile device thefts were reported by 34 per cent of government organizations surveyed in the study compared to 19 per cent of private companies and 25 per cent of public companies.
  • Unauthorized access of information by employees was reported by 24 per cent of government organizations, compared to 11 per cent of private companies and 19 per cent of publicly traded companies.

The study relied on a survey of more than 600 Canadian IT professionals at government organizations, private companies and publicly traded companies. It noted that in the private sector and overall, the percentage of breaches caused by insiders is declining – down to 22 per cent in 2011 from 25 per cent in 2010.

When asked why there is such a difference in trends between the business and government sectors, Etges proposed a number of reasons.

Laptop or mobile device thefts were reported by 34 per cent of government organizations surveyed in the study compared to 19 per cent of private companies and 25 per cent of public companies.Laptop or mobile device thefts were reported by 34 per cent of government organizations surveyed in the study compared to 19 per cent of private companies and 25 per cent of public companies. iStock

For one thing, government organizations rely more heavily on technology for its IT security and less on education and awareness training than businesses do, he said.

The fact that governments often block employee access to certain services such as social networking sites may also play a role, he acknowledged.

Blocking Facebook results in breaches

The study found that blocking social networking sites leads to more security breaches as employees try to circumvent the company's security.

National defence close call

Michel Juneau-Katsuya described a narrowly averted data-breach that took place last year involving a national defence employee but not necessarily in Canada's Department of National Defence.

The employee received an email apparently from an unknown colleague using a departmental email address. It referred to a soccer game their daughters both took part in over the weekend, then asked the employee to share a classified document. Suspicious, the employee notified superiors who initiated an IT investigation. It found the "co-worker" did not exist, the email address was fake, and the email actually originated in China. It also found that the person who wrote the email had found out about the soccer game from photos posted on the employee's Facebook page.

Juneau-Katsuya said employees need to be made aware about this type of incident. In this case, the employee knew enough to be suspicious, showing how awareness can prevent data breaches, Juneau-Katsuya added.

Etges also noted that the government is an "obvious target" for people seeking unauthorized access to data.

Michel Juneau Katsuya, a former CSIS agent and manager who now advises governments and businesses on IT security, said 85 to 90 per cent of current spy cases involve an employee who was granted access to certain information. In an interview following the release of the report, he added that while it may be possible to use technical means to gain unauthorized access to certain data, "the vast majority of the time, they will get access through a person."

The key to preventing that is education and awareness training, said Juneau-Katsuya, CEO of the Northgate Group, an Ottawa-based security intelligence and research firm.

"It's not difficult," he added, noting that most employees want to do the right thing — they simply need to know the risks and how to prevent them.

"Unfortunately, the government is doing a really, really poor job in raising the awareness," he said.

He blamed a culture of secrecy that he says has long been part of both the current and previous governments.

"This secrecy is not helping us at all. We need more transparency."