Meeting the Productivity Challenge
Feb 6, 2006.
 Business Process Automation
Feb 13, 2006.
 Business Intelligence
Feb 20, 2006.
 IT Security and Productivity
Feb 27, 2006.
 Collaboration
Mar 6, 2006.
 IT Security and ROI
Mar 13, 2006.











IT Security and Productivity
by Joe Greene

Canada has a productivity gap with the United States that, depending on who you ask, is as high as 20 per cent. Economists estimate that a 2½-percentage-point increase in productivity over a 10-year period has the potential to double the standard of living for Canadians. Numerous studies conducted in recent years have suggested that a lack of investment by organizations and businesses in information and communication technologies (ICT) can be blamed for much of the gap.



For Canada to maintain and improve its standard of living in the 21st century, it will be crucial for Canadian organizations to improve their productivity through the intelligent use of ICT. And in today's climate of viruses, intrusions, identity theft and rigorous compliance regulations, such as personal information protection laws, improvements to productivity are inextricably tied to IT security. Organizations must see IT security and compliance initiatives as increasing value and productivity, rather than just adding cost.

Economists may argue methodology, but most point to developments in ICT as a major factor in productivity improvements in the United States in the second half of the 1990s. Canada has also improved its productivity by adopting ICT, but to a lesser extent than in the United States.

In 2000, the Conference Board of Canada concluded, "The recent surge in information technology investment in Canada has made a significant contribution to both labour productivity and output growth in the last decade." A study of four economic clusters by Industry Canada in 2004 concluded: "The importance of ICT as an enabler of broad economic development has surpassed that of ICT as an economic sector in its own right. … In this regard, it is important to facilitate ICT technology and lever ICT skills capacity at the interface between the ICT sector and other sectors of the economy."

However, Statistics Canada published a study in December that attributed roughly two-thirds of labour productivity growth in Canadian manufacturing from 1980 to 1999 to foreign-controlled plants. "Foreign-controlled plants are more productive than domestic-controlled plants in general. This is because foreign-controlled plants and firms are also more innovative, more technologically advanced, and more likely to perform research and development." In percentage terms, GDP in Canada is about 9 per cent of that of the United States. Yet Canada spends only 6.8 per cent of what the United States does on ICT. Here are two examples: currently, Canada's penetration of the market for wireless subscribers is 71 per cent of the U.S. rate of subscribers per 100 people; when it comes to PCs, Canada's penetration rate is 84 per cent of the U.S. rate.

Yet productivity is high on the agenda for Canadian businesses. IDC Canada surveys the FP800 each November, and for the past four years productivity has been the number one business or organizational priority for the coming year. Still, Canada lags the United States in the adoption of ICT.

However, investments in IT must be balanced against increasing security threats and the need to be compliant with a growing list of regulations. Canadian organizations continue to face a barrage of security threats. According to CanCERT, the Canadian Computer Emergency Response Team, the number of successful attacks increased 7 per cent in 2004, and reports of attempted attacks increased by more than 60 per cent when compared with 2003. In a survey of medium and large organizations in Canada conducted in May of 2005, 10 per cent admitted a security incident. Most attacks, however, still go unreported.

There is a direct link between security attacks and losses in productivity. In 2004, IDC conducted an enterprise security survey of 602 North American organizations and found that 75 per cent of respondents that knew about attacks reported at least one successful breach of their networks. Typically, organizations react to intrusions by shutting down their networks. Such a reaction to breaches can be very expensive in terms of the time and resources the IT department takes to fix the problem, productivity lost due to the shutdown of networks and the business potentially lost due to these outages. There is also the threat to an organization's reputation if a breach or theft of information were to become public.

There was an indication last year that increased awareness of security threats coupled with improved IT security led to a decrease in losses. Among the 639 respondents to the Computer Crime and Security Survey conducted by the FBI and Computer Security Institute, the estimated loss was an average of about $200,000 per organization, down from 2004 when the average loss was about $526,000.

Over the past several years, the increase in legislated regulatory requirements has changed for the better the ways organizations implement and use technology to manage and distribute information. Ongoing media coverage of IT security incidents and more comprehensive corporate reporting requirements contained in a variety of government regulations are placing greater demands on IT security resources and budgets.

Although much of the hype surrounding legislative requirements has been driven by media coverage of U.S. laws such as Sarbanes-Oxley, which affects corporate governance and the accounting procedures of publicly traded companies, and HIPAA, which aims to protect the health information of American citizens, there are Canadian regulations that affect organizations. Besides PIPEDA (the Personal Information Protection and Electronic Documents Act) and the privacy legislation of B.C., Alberta and Quebec, there is Bill 198, the Canadian equivalent to Sarbanes-Oxley, and the Canada Safety Act, to name a few.

In addition, IDC Canada anticipates that, over time, new regulations will be implemented or existing legislation changed. (PIPEDA, for instance, is up for review this year.) Therefore it is imperative that users and vendors of IT security products and services stay abreast of developments.

In a 2004 report called Regulatory Compliance: What Role will Technology Play?, IDC senior analysts Kathleen Wilhide and Richard Villars wrote: "A successful compliance initiative within any organization will consider not only the impact of applicable regulations but also how to apply technology to meet the challenges of regulatory compliance." One of the major conclusions of this report was that if the technology is viewed as an enhancer of productivity or enabler of an organization's ability to deliver new and innovative products, spending on products and services that help with compliance issues will increase more rapidly.

The inevitable conclusion regarding productivity and information security for Canadian organizations is this: they can put off spending on IT and IT security or continue to limit it, but buyer beware, because the adage "pay me now or pay me later" will become "pay me a little now and you will pay big time later."