No short-cuts to IT security, Canadian retailers warned
Security is more than putting up another firewall, expert says
Retailers around the world are reeling from an avalanche of data thefts this year, leaving many paralyzed about what to do. But a Canadian security expert warned retailers here not to take short-cuts to stem the flow.
"The solution is to treat cybersecurity as a whole business issue, and not just look at operations and technology," Kevvie Fowler of KPMG Canada told the
(Meanwhile the Associated Press and Bloomberg News reported that the malware used to breach the Home Depot POS system was significantly different from the one used to get at Target's system.)
A complete IT security strategy also includes having an information risk management and business continuity plan in case of a data breach, he said.
Unlike the United States, most credit card issuers here have recently given users smart cards with chips that can't be reproduced. That means that if a hacker gets a credit card number, a phoney card can't be produced.
But, Fowler noted, retailers have databases full of other valuable information that isn't chip-and-PIN protected: usernames, passwords, social insurance numbers and the like. Many retailers don't think this information is valuable, he said, but to criminals it is, because they can use analytics to marry personal information to credit card numbers.
Knowing a person's social media account or address gives a criminal another place to send malware-infected email, he pointed out. In fact, the more personal data a criminal has on an individual, the more valuable it is on the black market.
All of this won't prevent a network breach, he acknowledged. But it will lower the odds, lower the potential damage and increase the chances of spotting an attack.
Lest you think that Canadian firms aren't targeted, Fowler also revealed that after helping close SQL injection vulnerabilities in a Toronto firm's external Web site, his team used data forensics to discover that 16 hackers from all over the world had exploited the vulnerability over the previous two years. Of those, five attackers gained unauthorized access to the network, although no sensitive data was lost, so the breach wasn't made public.
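The forensic step described above, reconstructing who exploited an injection flaw and over what period, is usually done by going back through web server access logs. The following script is an added example written for this article, not code from KPMG or the firm in question: it parses a handful of constructed Apache combined-format log lines, URL-decodes each request path, flags requests carrying common SQL injection indicators, and summarizes the distinct source addresses, their activity window and which requests the server answered with a 2xx status. The log lines, IP addresses and pattern names are all invented for the example; a real investigation would run the same logic over the site's full log history.

```python
import re
from datetime import datetime
from urllib.parse import unquote_plus

# Constructed sample in Apache "combined" log format (not real traffic).
# Two clients send injection-style requests; one is ordinary browsing.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2013:10:02:11 +0000] "GET /products?id=42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2013:10:02:15 +0000] "GET /products?id=42%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 88211 "-" "Mozilla/5.0"
198.51.100.23 - - [03/Nov/2014:22:41:03 +0000] "GET /products?id=42%20UNION%20SELECT%20username,password%20FROM%20users-- HTTP/1.1" 200 9031 "-" "curl/7.30"
192.0.2.55 - - [04/Nov/2014:08:00:00 +0000] "GET /products?id=17 HTTP/1.1" 200 5100 "-" "Mozilla/5.0"
198.51.100.23 - - [05/Nov/2014:01:12:44 +0000] "GET /search?q=%27%3B%20DROP%20TABLE%20orders%3B-- HTTP/1.1" 500 312 "-" "curl/7.30"
"""

# Combined log format: client, ident, user, [timestamp], "request", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Heuristic indicators of SQL injection attempts, applied to the decoded path.
# These are triage signals, not proof: every hit should be confirmed by hand.
SQLI_PATTERNS = {
    "tautology": re.compile(r"'\s*or\s*'?\w+'?\s*=\s*'?\w+", re.I),  # ' OR '1'='1
    "union": re.compile(r"\bunion\b\s+(all\s+)?\bselect\b", re.I),   # UNION SELECT
    "stacked": re.compile(r";\s*(drop|insert|update|delete|exec)\b", re.I),
    "comment": re.compile(r"(--|#|/\*)\s*$", re.I),                  # trailing comment
}


def parse_line(line):
    """Split one combined-format log line into fields; None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "path": unquote_plus(m["path"]),  # decode %27, %20, '+' etc. before matching
        "status": int(m["status"]),
    }


def sqli_indicators(path):
    """Names of the SQLI_PATTERNS that match a decoded request path, sorted."""
    return sorted(name for name, rx in SQLI_PATTERNS.items() if rx.search(path))


def analyse_log(text):
    """Group suspicious requests by source IP and compute the overall activity window."""
    sources = {}
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hits = sqli_indicators(rec["path"])
        if not hits:
            continue
        entry = sources.setdefault(rec["ip"], {
            "first_seen": rec["ts"], "last_seen": rec["ts"],
            "requests": 0, "answered_2xx": 0, "indicators": set(),
        })
        entry["first_seen"] = min(entry["first_seen"], rec["ts"])
        entry["last_seen"] = max(entry["last_seen"], rec["ts"])
        entry["requests"] += 1
        entry["indicators"].update(hits)
        # A 2xx reply means the application processed the crafted input;
        # whether data actually leaked still needs manual confirmation.
        if 200 <= rec["status"] < 300:
            entry["answered_2xx"] += 1
    for entry in sources.values():
        entry["indicators"] = sorted(entry["indicators"])
    span_days = 0
    if sources:
        first = min(e["first_seen"] for e in sources.values()).date()
        last = max(e["last_seen"] for e in sources.values()).date()
        span_days = (last - first).days
    return {"sources": sources, "span_days": span_days}


if __name__ == "__main__":
    report = analyse_log(SAMPLE_LOG)
    print(f"{len(report['sources'])} suspicious source(s) over {report['span_days']} days")
    for ip, e in report["sources"].items():
        print(f"  {ip}: {e['requests']} request(s), {e['answered_2xx']} answered 2xx, "
              f"indicators={e['indicators']}, {e['first_seen']:%Y-%m-%d} to {e['last_seen']:%Y-%m-%d}")
```

The per-source window is what lets an investigator state, as Fowler's team did, how long a flaw was being exploited before it was closed; the `answered_2xx` count separates blocked or failed probes from requests the application actually processed, which is where the "did they get in" question starts.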
An unnamed Canadian telco this year discovered it had suffered a security breach, he added, only because evidence of it turned up on the Internet through external monitoring.
In an interview Fowler also said that retailers shouldn't think they are safe because they follow the Payment Card Industry (PCI) best practices. One security researcher found that a Canadian company's point of sale system was still vulnerable to an attack even though it had a stellar security profile.
"Compliance is not security," he said. "PCI compliance gives you a bare minimum standard you have to process data. If you look at Target, they were PCI-certified. Organizations need to focus on having maturity, not just check off the list when it comes to compliance, make sure the controls are effective."
Overall, Canadian organizations take IT seriously, he said, partly because of the high profile breaches in the U.S. Still, he said some firms here lack the awareness of American companies. Having involvement at the CEO and board level is important because cybersecurity is no longer a manager issue, he said.
(Where is your organization? In the 70 per cent willing to roll the dice? Let us know in the comments section below)