Information Technology Services (ITS)

Security as a Moving Target

Published on: June 10, 2014

TechKnowFile 2014 Keynote: The TELUS-Rotman Study Highlights Security as a Moving Target

By: Alain Latour

Security Moving Target

What’s the easiest way for an attacker to get someone in your organization to open a corrupt file?

They send someone in HR a file labeled “résumé.”

This was but one of many tidbits and findings that Danny Pehar, Director of Business Development, TELUS Security Solutions Group, shared on May 8 at U of Ts TechKnowFile 2014.

Most of the keynote presentation revolved around the TELUS-Rotman Security Study. Performed yearly by TELUS in partnership with The Rotman Management School U of T, the study tracks industry trends and documents the state of IT security in Canada.

“I’m very passionate about this study. It offers original Canadian research, unlike most other studies out there, which are based on American data. It’s truly the only one of its kind in Canada, and you guys should be proud of U of T’s involvement,” said Pehar, who has over 13 years’ experience in the security industry.

In conducting the study, TELUS-Rotman researchers asked companies whether their top priority was innovation or security. Companies that said they focused on the former were labeled “yes organizations”; those that focused on security were dubbed “no organizations.”

Surprisingly, the “no organizations” were found to have a false sense of security. Why? Because their staff ended up doing what the company did not want them doing, said Pehar.

For example, many employees use their personal devices at work regardless of whether their organization supports a Bring Your Own Device (BYOD) policy.

“So if you’ve told them they can’t do that, and they do it anyway, they’re coming through an unsupervised channel,” said Pehar.

On the other hand, “yes organizations” tend to develop policies that not help them embrace innovation, but also have the added benefit of making them more secure.

With great openness comes great responsibility

This doesn’t mean organizations open to innovation should rest on their laurels. Instead, they owe it to themselves to be responsible, that is, they must understand that every opportunity presents a danger.

Luckily, implementing policies and educating staff goes a long way in reducing the likelihood of this danger doing any damages. In fact, organizations which reported they were happy in regards to security listed education and constant training as the reasons why they were happy. (Organizations which were unhappy listed a lack of education as the reason why they were unhappy.)

What’s more, educated employees are better prepared against attacks of all kinds, including those which specifically target key people within organizations or involve low-tech scenarios.

For example, some attacks start with a person tricking a secretary into giving him or her a list of executives over the phone. Once the attacker has those names, he can match email addresses and work on piggybacking on their identity.

“We’re talking social engineering now. That’s why your security should go beyond technology. It’s about education and communication (…) which is simple and cheap and extremely important,” said Pehar.

Challenges ahead

Time and again through the presentation, Pehar said that evolving threats, human error, and a constantly changing landscape have turned security into a moving target of. Add the fact that security does not generate revenue, and it becomes obvious that it faces many challenges. Yet many companies aren’t just clear on the need for education and having the proper policies—they also spend only 6% of their IT budget on security.

Security leaders can find the detailed breakdown and analysis of the data and recommendations here

About The Rotman School of Management

The Rotman School of Management at the University of Toronto is redesigning business education for the 21st century with a curriculum based on Integrative Thinking. Located in the world’s most diverse city, the Rotman School fosters a new way to think that enables the design of creative business solutions. For more information, visit

About TELUS Security Solutions

TELUS Security Solutions offers customers the most comprehensive security portfolio including consulting and managed services, technology solutions, plus partnerships with 16 of the top 20 global security vendors. In addition, TELUS Security Labs – with a staff of 30 researchers and a $3 million budget – is a leading provider of security research to more than 50 of the world’s top security product vendors. Whether your priority is handling targeted threats with real-time context, securing your mobile enterprise or removing your security management challenge, TELUS Security Solutions can help you gain visibility, understanding and control.