How much Canadian personal information will be lost next year?

1-Aug-2013 - IDC Canada has created a model for sizing and forecasting the number of security breaches that Canadian organizations will experience.

“I’ve never seen it done before, not in this marketplace,” said David Senf, VP Infrastructure Solutions at IDC Canada. “We did a study for a provincial government office to help them understand how many more calls they’re going to get based on Bill C-12 – the amendment to PIPEDA that requires breach disclosure.”

While the bill hasn’t passed yet, when it does it will be Canadian law that after a breach you will have to meet with the office and decide what to disclose about your breach.

“They asked, ‘Are we going to get deluged with all kinds of calls?’ Our job was to find out,” Senf said. “The model we built is massive, with all kinds of inputs, including survey, StatsCan, and managed services data, amounting to 4 billion records that had to be sorted down to 4 thousand incidents.”

In 2011, 3.5 million records of personal information in confidential data were lost or stolen. IDC believes that number is going to climb to over 4 million by 2015.

“There are fewer breaches occurring,” Senf said. “When they occur, more records are being lost. It shows the attackers are getting better. They’re not randomly targeting through botnets – they’re going after highly placed individuals to get access to specialized data. It’s much more specific and targeted than in the past.”

The study examined the likelihood that organizations would face attack, the number of businesses by size and vertical, and what data is taken in an attack.

While 27% of Canadians work in companies with 100 to 1,000 employees, the proportion of breaches is 39%.

“Indicating that attackers are interested in midsize organizations, which are in the unfortunate position of not having invested in services and technology to properly protect themselves.” 

For large organizations the trend flattens out during the forecast period. It increases slightly, although not as much as the rise in midsize firm attacks.

“Large organizations are getting better at protecting themselves... they’re learning the attack landscape, and they know how to take care of the basics, which is 80+% of the job,” said Senf. “By virtue of their size they will still lose more individual records, although the growth of malware and loss is in midsize and small organizations.”

The increased growth is due to the lack of budget for personnel. Midsize firms typically have few staffers who do security only. Security usually takes a portion of the time of an individual who is otherwise working on PC break/fix, responding to email outages, and network maintenance, instead of responding to attacks and taking countermeasures to ensure the network and data are safe.

The IDC study shows sources of data loss in Canada, including probability and impact across 12 different areas.

Servers show the lowest probability of attack, and yet the highest impact, whereas removable media has the highest probability of attack and the lowest impact – the recent Elections Ontario breach notwithstanding.

“We tried to find out the lowest egress point, and gave an average size in the number of records,” Senf said. 

Regarding preparedness for changes to PIPEDA, the study asked what organizations think of C-12, and whether they even know about it.

Outside of the financial industry few organizations do, and yet the new law is going to be big for those organizations. 

Currently 35% of organizations report via PIPEDA. The majority of organizations are unaware – 73%.

“Canada doesn’t have mandatory breach reporting at the federal level. Alberta has it. It’ll likely be 2013 by the time the bill passes, in which case PIPEDA will have more teeth. It changes the Canadian compliance landscape.”

Senf noted that the figures represented are forecasted.

“One breach could blow these numbers out of the water,” he said.