When a business closes down, is there any way to be certain its data does not fall into the wrong hands?
Apparently not, based on the recent case of NCIX, a Canadian computer hardware retailer. After it went bankrupt last year, a security researcher discovered the company’s servers for sale on Craigslist, which turned out to still contain data pertaining to its employees and customers.
But the danger of data breaches isn’t just an issue when a company closes shop or is sold. It’s estimated that 60 per cent of small businesses that get hacked go bankrupt in the following six months. The situation has become more critical since November 1, when new provisions of the Personal Information Protection and Electronic Documents Act (PIPEDA) came into effect.
From now on, all businesses that have, use or host the personal information of individuals must inform them if the security of their personal information may have been compromised. This federal requirement will force all businesses to be more stringent about safeguarding their data, and to avoid penalties, which can range from $10,000 to $100,000 per offence.
To keep your company secure, here are five ways to improve data protection:
1. If you are getting rid of old equipment, physically destroy the hard drive; this is the safest option, according to the BDC. It’s possible to recycle the used machines, too.
Also remember, “not all data wiping programs are created equal,” warns Simon Fontaine, president and founder of ARS Solutions, a Quebec firm specializing in cybersecurity. “Some programs wipe data at a standard level, or so-called ‘government’ level, but there are tools that can reverse that. The safest level is ‘military-grade’ wiping, which is irreversible.”
2. Use local data management, with dedicated servers. “With the cloud, you’re always at the mercy of the contract you signed, and there’s nothing to guarantee that the data has been completely erased,” explains Fontaine. Worse still is using a free Dropbox-type solution.
“The price you pay for getting the service for free is losing control over your data,” says Fontaine. “With local storage, you maintain control. But you should still encrypt important data and back it up, so you can react in case of a ransomware attack. But be careful: the vast majority (95 per cent) of the backups we check at ARS are of no use. Typically, no one bothered to do regular updates or ensure the equipment was still working properly.”
3. Do not keep unnecessary information, such as details on an employee who left two years ago or a former client’s credit card data.
“The question isn’t whether you will be hacked, but when. So try to limit the damage,” Fontaine explains. “For example, network administrators’ access often remains active even after they’ve left the firm, and with that information, anyone can access all your company’s data.”
4. Ask cybersecurity experts to go on the dark web and scan your domain name and all related usernames, ideally over several weeks or months, suggests Fontaine. “You have no idea what you can discover for just a few dollars.”
ARS offered to do this a few months ago, as a promotion. Of the 60 companies that took advantage of the offer, nearly all discovered stolen passwords. “People don’t realize they’ve been hacked or are in the process of being hacked,” says Fontaine. “And those who get caught won’t admit it. But there are tools, like password generators, that offer simple ways to eliminate the threat, at least in part.”
5. Adopt a Security Information and Event Management (SIEM) solution. In practical terms, it will tell you who has accessed your data, when and how. “Is there something fishy about a production employee accessing information from the accounting department at 11 p.m.? Probably,” says Fontaine.
If your employees are allowed to use their personal equipment, make sure to install software—such as Microsoft’s Intune—that lets the company determine what information employees have the right to access, and lets you withdraw that right if required.
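The kind of check a SIEM applies to tip 5 (who accessed what, when and from which department), with the stale-account concern from tip 3 folded in, as an added example that is not code from ARS, CPA Canada or any SIEM product. The log format, the share-to-department mapping, the HR directory and the 07:00 to 19:00 working hours are all constructed assumptions.

```python
from datetime import datetime

# Constructed: which department owns each file share (UNC paths simplified).
SHARE_OWNER = {
    "//fs01/accounting": "accounting",
    "//fs01/production": "production",
}
# Constructed HR directory: user -> department; None means the person has left.
USER_DEPT = {
    "jsmith": "production",
    "mlee": "accounting",
    "oldadmin": None,   # former admin whose account was never disabled (tip 3)
}
BUSINESS_HOURS = (7, 19)   # assumed local working hours, 07:00 to 19:00

# Constructed file-access log: "<ISO timestamp>\t<user>\t<action>\t<share>"
SAMPLE_LOG = """\
2018-11-20T23:05:12\tjsmith\tREAD\t//fs01/accounting
2018-11-20T09:14:03\tmlee\tREAD\t//fs01/accounting
2018-11-20T10:30:44\tjsmith\tREAD\t//fs01/production
2018-11-21T02:11:09\toldadmin\tREAD\t//fs01/production
"""

def parse_line(line):
    ts, user, action, share = line.rstrip("\n").split("\t")
    return datetime.fromisoformat(ts), user, action, share

def findings_for(ts, user, share):
    """Return the reasons this access deserves an analyst's attention ([] if none)."""
    reasons = []
    dept = USER_DEPT.get(user)          # None for departed or unknown users
    if dept is None:
        reasons.append("departed-or-unknown-user")
    owner = SHARE_OWNER.get(share)
    if owner is not None and dept is not None and dept != owner:
        reasons.append("cross-department")
    if not BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1]:
        reasons.append("off-hours")
    return reasons

def scan(log_text):
    """Apply the rules to every log line; return (timestamp, user, share, reasons) per hit."""
    alerts = []
    for line in log_text.splitlines():
        ts, user, _action, share = parse_line(line)
        reasons = findings_for(ts, user, share)
        if reasons:
            alerts.append((ts.isoformat(), user, share, reasons))
    return alerts
```

Running `scan(SAMPLE_LOG)` flags two of the four constructed lines: the production employee reading the accounting share at 23:05 (cross-department, off-hours) and the departed admin's account still reading data at 02:11; the two daytime, same-department reads produce no alert.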
Cybersecurity is a complex issue. Get an overview of the topic with the Introduction to cybersecurity for CPAs course, which is part of CPA Canada’s upcoming Cybersecurity Certificate.
Also, read CPA Canada’s latest report on why Canada needs to take the lead in a digital and data-driven economy. And raise awareness about cybersecurity risks with help from our resources.