Canadian businesses are resigning themselves to being hacked: study

TORONTO – Canadian businesses have set themselves up to be hacked, and a new study has found that some companies believe that it’s almost inevitable they’ll fall victim to a security breach.

Telus and the Rotman School of Management at the University of Toronto says its annual study on IT security found a “pervasive sense of vulnerability” at many corporations.

“Security managers are not very confident that they can identify whether a breach actually occurred or whether they’re actually in the midst of a current breach,” said Walid Hejazi, a professor of business economics at Rotman.

He said the findings suggest Canadian companies are operating with “a false sense of security.”

The fifth edition of the study, released Thursday, used qualitative evidence to back up past quantitative reports. Instead of compiling hard numbers, it relayed anecdotes from various industries around the country.

In one of the interviews, a chief information officer for a large company, told Hejazi that when he was hired, he laid it out for his bosses.

“I told senior management that we will be breached within the next 18 months, so get over it now,” the report quotes the unnamed senior executive as predicting.

The executive declined to offer further comment when asked if a breach actually occurred.

Hejazi said the findings are reminiscent of the troubles that former technology giant Nortel Networks faced when international hackers broke into its corporate computers and accessed information for nearly a decade.

The Nortel security breach gave hackers “plenty of time” and “access to everything,” according to 19-year Nortel veteran Brian Shields, who was behind a six-month investigation into the security breach that is believed to have started in 2000, but was only made public in 2012.

Corporate hacking can be motivated by international espionage to “hackivist” groups like Anonymous who are working for a specific and often very public cause.

Hejazi said that organizations that operate with a “Yes” mentality, or are open to discussions with their staff about how to use technology responsibly, are more secure than companies with rigid security controls. Employees who become frustrated with exceptionally tight security will find ways around it, he said.

But he noted that hacking dangers can lie in many unsuspected places. Even an attachment file can directly lead to a security breach, or using free public computers at a conference in another country that has keylogging spyware installed.

“You just open the door to your organizations when you use those kinds of assets,” he said.