Media Releases

2013 TELUS-Rotman IT Security Study: Canadian enterprises operating with false sense of security

March 7, 2013

TORONTO, ON — TELUS and the Rot­man School of Man­age­ment at the Uni­ver­si­ty of Toron­to today released the fifth annu­al study on Cana­di­an IT Secu­ri­ty. Tak­ing a qual­i­ta­tive approach for the first time, the research team inter­viewed secu­ri­ty lead­ers from across the coun­try in a vari­ety of indus­tries to cap­ture per­son­al­ized insight about the secu­ri­ty issues that keep them up at night.

“This year, we felt it was crit­i­cal to val­i­date our quan­ti­ta­tive find­ings from pre­vi­ous years with qual­i­ta­tive insights,” said Walid Hejazi, pro­fes­sor of Busi­ness Eco­nom­ics, Rot­man School of Man­age­ment. “We want­ed to pro­vide Cana­di­an secu­ri­ty lead­ers with access to real life expe­ri­ences, best prac­tices and strate­gies used by their peers.”

Four key secu­ri­ty-relat­ed con­cerns were revealed dur­ing the round­table dis­cus­sions and inter­views:

• Has my orga­ni­za­tion been breached, and I don’t know about it?

• How will a breach affect my brand?

• What are my employ­ees doing with cor­po­rate data?

• How do I retain my secu­ri­ty resources?

In explor­ing these four con­cerns, sev­er­al insights emerged:

• A per­va­sive sense of vul­ner­a­bil­i­ty: Most Cana­di­an secu­ri­ty lead­ers believe that a secu­ri­ty breach is inevitable and lack con­fi­dence in their orga­ni­za­tions’ abil­i­ty to detect the breach and mit­i­gate pos­si­ble dam­age.

• Peo­ple are the weak­est link: Whether a result of igno­rance or mali­cious intent, peo­ple pose the great­est risk to Cana­di­an enter­prise secu­ri­ty, ele­vat­ing the impor­tance of aware­ness and edu­ca­tion.

• “Yes” orga­ni­za­tions are more secure than “no” orga­ni­za­tions: Orga­ni­za­tions that work with employ­ees to adopt inno­va­tion or new tech­nol­o­gy respon­si­bly (“yes” orga­ni­za­tions) are more secure than orga­ni­za­tions that lim­it inno­va­tion adop­tion with rigid IT secu­ri­ty con­trols (“no” orga­ni­za­tions).  “No” orga­ni­za­tions tend to oper­ate with a false sense of secu­ri­ty because employ­ees often cir­cum­vent con­trols to access tech­nolo­gies they deem crit­i­cal to pro­duc­tiv­i­ty leav­ing the orga­ni­za­tion unaware and at risk.

“It is crit­i­cal that orga­ni­za­tions remain open to new tech­nolo­gies so employ­ees are empow­ered with the tools to increase pro­duc­tiv­i­ty,” said Her­nan Bar­ros, direc­tor, TELUS Secu­ri­ty Solu­tions. “Equal­ly impor­tant how­ev­er, is that orga­ni­za­tions ensure employ­ees under­stand how to use new tools respon­si­bly, and that adher­ence to secu­ri­ty pol­i­cy is made con­ve­nient and sim­ple. Ongo­ing secu­ri­ty aware­ness train­ing can help ensure com­pli­ance.”

In response to the qual­i­ta­tive find­ings, and in an effort to help Cana­di­an orga­ni­za­tions achieve a bal­anced lev­el of secu­ri­ty, Rot­man and TELUS’ team of secu­ri­ty experts offer five rec­om­men­da­tions:

• Don’t assume you haven’t been breached.  Sim­ply because your orga­ni­za­tion has not detect­ed a secu­ri­ty breach, does not mean you have not been breached at any point in time or that the breach is no longer being per­pe­trat­ed.

• Secu­ri­ty dili­gence must be ongo­ing. Secu­ri­ty is not a one­time effort. Giv­en the sig­nif­i­cant pace of tech­no­log­i­cal inno­va­tion that affects the secu­ri­ty of infor­ma­tion sys­tems, IT secu­ri­ty man­agers have to keep up with how these inno­va­tions impact the risk pro­file of the orga­ni­za­tion and respond appro­pri­ate­ly. In essence, secu­ri­ty must be built in to every aspect of IT, busi­ness practices/processes and employ­ee aware­ness.

• Com­pli­ance is not the same as secu­ri­ty. Meet­ing min­i­mum required stan­dards should be viewed as exact­ly that, the min­i­mum required. Secu­ri­ty should be a con­sid­er­a­tion through­out the life­cy­cle of every project from busi­ness dri­vers to the tech­nol­o­gy imple­men­ta­tion and man­age­ment.

• Orga­ni­za­tions should work to be “yes” orga­ni­za­tions. “Yes” orga­ni­za­tions are open to new tech­nolo­gies and are con­stant­ly cre­at­ing dis­course with employ­ees about bal­anc­ing secu­ri­ty respon­si­bly with the busi­ness val­ue inno­va­tion can bring. These orga­ni­za­tions rec­og­nize the crit­i­cal­i­ty of secu­ri­ty when embrac­ing any new tech­nol­o­gy and are inte­grat­ing strat­e­gy, pol­i­cy, aware­ness, edu­ca­tion and buy-in into their process­es.

• Aware­ness train­ing is key. Secu­ri­ty is only as good as its weak­est link, which often comes down to peo­ple. As a result, aware­ness train­ing must be con­sis­tent and rel­e­vant to new inno­va­tions and threats, and IT secu­ri­ty man­agers need to fig­ure out how to reach employ­ees most effec­tive­ly.

Secu­ri­ty lead­ers can find the detailed break­down and analy­sis of the key insights and rec­om­men­da­tions at:

About TELUS Secu­ri­ty Solu­tions

TELUS Secu­ri­ty Solu­tions offers cus­tomers the most com­pre­hen­sive secu­ri­ty port­fo­lio includ­ing con­sult­ing and man­aged ser­vices, tech­nol­o­gy solu­tions, plus part­ner­ships with 16 of the top 20 glob­al secu­ri­ty ven­dors. In addi­tion, TELUS Secu­ri­ty Labs is a lead­ing provider of secu­ri­ty research to more than 50 of the world’s top secu­ri­ty prod­uct ven­dors. Whether your pri­or­i­ty is han­dling tar­get­ed threats with real-time con­text, secur­ing your mobile enter­prise or remov­ing your secu­ri­ty man­age­ment chal­lenge, TELUS Secu­ri­ty Solu­tions can help you gain vis­i­bil­i­ty, under­stand­ing and con­trol.


TELUS (TSX: T, NYSE: TU) is a lead­ing nation­al telecom­mu­ni­ca­tions com­pa­ny in Cana­da, with $10.9 bil­lion of annu­al rev­enue and more than 13.1 mil­lion cus­tomer con­nec­tions, includ­ing 7.7 mil­lion wire­less sub­scribers, 3.4 mil­lion wire­line net­work access lines, 1.4 mil­lion Inter­net sub­scribers and 678,000 TELUS TV cus­tomers. Led since 2000 by Pres­i­dent and CEO, Dar­ren Entwistle, TELUS pro­vides a wide range of com­mu­ni­ca­tions prod­ucts and ser­vices, includ­ing wire­less, data, Inter­net pro­to­col (IP), voice, tele­vi­sion, enter­tain­ment and video.

In sup­port of our phi­los­o­phy to give where we live, TELUS, our team mem­bers and retirees have con­tributed more than $300 mil­lion to char­i­ta­ble and not-for-prof­it orga­ni­za­tions and vol­un­teered 4.8 mil­lion hours of ser­vice to local com­mu­ni­ties since 2000. Four­teen TELUS Com­mu­ni­ty Boards lead TELUS’ local phil­an­thropic ini­tia­tives. TELUS was hon­oured to be named the most out­stand­ing phil­an­thropic cor­po­ra­tion glob­al­ly for 2010 by the Asso­ci­a­tion of Fundrais­ing Pro­fes­sion­als, becom­ing the first Cana­di­an com­pa­ny to receive this pres­ti­gious inter­na­tion­al recog­ni­tion.

The Rot­man School of Man­age­ment at the Uni­ver­si­ty of Toron­to is redesign­ing busi­ness edu­ca­tion for the 21st cen­tu­ry with a cur­ricu­lum based on Inte­gra­tive Think­ing. Locat­ed in the world’s most diverse city, the Rot­man School fos­ters a new way to think that enables the design of cre­ative busi­ness solu­tions.  The School is cur­rent­ly rais­ing $200 mil­lion to ensure Cana­da has the world-class busi­ness school it deserves. For more infor­ma­tion, vis­it


For more infor­ma­tion:

Ken McGuf­fin
Man­ag­er, Media Rela­tions
Rot­man School of Man­age­ment
Uni­ver­si­ty of Toron­to
Fol­low Rot­man on Twit­ter @rotmanschool
Watch Rot­man on You Tube