It's the corporate equivalent of leaving doors and windows of your home wide open. Companies small and large in Canada continue to leave their businesses vulnerable to security breaches, according to information technology security expects.
A recent Ernst & Young survey of businesses found 21% of Canadian respondents reported an increase in IT security incidents.
That's probably not so surprising, given how many new back doors have opened into corporate IT ecosystems recently: mobile devices used for work, for example, and the growing use of cloud-based applications and services.
"It's not catastrophic, but it's something we have to keep an eye on," said Rafael Etges, Ernst & Young's information security practice leader. "Because it's not just about the volume of incidents – the nature of incidents is also changing."
Anwar Visram, an IT security expert in Burnaby, said it's not just big businesses that are at risk anymore. Because smaller businesses tend to invest little in IT security, they have become greater targets than big companies with more robust security.
"The threat landscape has changed," he said. "The guys who are attacking are going after small and medium-sized business."
He cites a recent example in the U.S., where criminals managed to steal $180,000 from a small business by setting up false payroll deduction.
There are numerous ways for criminals and hackers to make their way into a company's computer system, but Scorpion Software CEO Dana Epp said one of the most vulnerable points is weak password protection.
"They're far too easy to share, steal or guess," Epp said.
On average, a typical office worker has 20 different passwords at work, and 61% of workers use the same password for multiple programs, the number of which is increasing due to cloud-based services.
Having a weak password policy can be costly, as one local restaurant chain discovered, Epp said, when its right to process Visa credit cards was revoked after the credit card company discovered the business owner had a weak password protocol for remotely accessing the restaurant's point of sales terminal information.
Mobile device safety
Mobsafety does for mobile devices what Absolute Software's management software does for desktop and laptop computers: it allows companies to manage devices used by employees and protect the data on them.
Mobsafety CEO Nick Murray likened Mobsafety to the BlackBerry Enterprise Server, but cheaper. It can be used for company-issued or employee-owned devices.
It provides services like geofencing to prevent devices from leaving a prescribed area and a special mobile web browser, called Ranger, that restricts employees from accessing sites that are off limits for work (adult sites, online gaming, etc.) and maintains a database of known malicious sites, which are automatically blocked.
Disposable, authenticated passcodes
Scorpion Software's AuthAnvil provides two-factor authentication that allows a single passcode to be generated for each login, granting access to a variety of programs without having to enter a different password each time the user logs on.
For example, employees would use an AuthAnvil app on their smartphones each morning to generate passcodes – which can be used only once – to log onto their computers. Once logged on, they would have access to all their in-house or cloud-based programs without having to enter user names, emails or passwords – a single, unique passcode authorizes them for all their programs.
It's not just convenient – it also prevents unauthorized use of programs because the passcode can be used only by an authorized person and can never be used twice. The passcode changes for each login, is unique to the authorized user and can never be used by anyone else.
"No one can log in as you, unless they physically had your phone, as well as knew your PIN," Epp said.
If there is a breach, AuthAnvil provides tracing to determine where and when the breach occurred.
