Before adequate security measures can be put in place, a company needs to assess the value of the data stored, its sensitivity level and how much of a target it is to malicious players. (Jetta Productions Inc.)
When it comes to storing and safeguarding our personal data, Canadian companies have some work to do, experts say.
According to the Office of the Privacy Commissioner of Canada (OPC), in the first year after breach reporting became mandatory for businesses in Canada, it received 680 breach reports, a 600 per cent increase in reported incidents and double the predicted benchmark, affecting millions of Canadians.
“The volume that we’ve received is startling and alarming, and it’s pretty clear that companies have some work to do to build and live and reinforce their security safeguards,” says Brent Homan, deputy commissioner, compliance, for the OPC.
“We’ve been able to generate some important metrics that give us a sense of the depth of the concern and the depth of the risks that are out there.”
Last year marked Canada’s worst in history for security breaches, with cyberattacks hitting big players including Desjardins Group, Capital One, TransUnion, and LifeLabs. It’s a wake-up call for businesses, big and small, to reflect on how they collect and store data, and what safeguards are in place to protect it.
Here are three tips to do just that.
1. IDENTIFY YOUR RISK OF BEING A TARGET
Before a business can put the right process in place, it must know the value of the information stored, experts say. What is the sensitivity level of the data? How much is it worth to the company if it’s compromised? How much of a target is the company for malicious actors?
“Everything changes with respect to risk…if you attach a value to [the data] you need to consider,” says Periklis Andritsos, assistant professor, faculty of information at the University of Toronto and CTO of ODAIA.ai, a customer journey analytics company. “You put a cost on these things and then it optimizes the problem.”
Homan illustrates this using an investigation carried out after a 2016 breach at the Montreal-based World Anti-Doping Association (WADA) that impacted athletes around the globe. It was revealed that a Russian cyber-espionage group, Fancy Bear, released confidential data on athletes, their medical conditions, and the normally prohibited medications they were permitted to take under Therapeutic Use Exemptions.
“There could be hacks involving a state-sponsored [group/agency],” he says. “You have to think about your organization, not in terms of just having safeguards, but the degree to which you may present as a high-value target to the outside.”
For small and medium-sized enterprises (SMEs), Homan feels there is substantial catching up to do, citing a lack of awareness of privacy laws, of the risk level for cyberattacks and of the value of their data. This, he warns, often means necessary safeguards are not in place.
“When the majority of our economy is made up of SMEs, [they need] to be mindful of these risks as well,” he says. “You’ll see more and more organizations that may become a high value target for malicious actors.”
2. STAY AHEAD OF POTENTIAL RISKS
It’s not enough to have protections in place for yesterday’s threats, warns Homan. Safeguards must be able to detect potential risks well in advance. Those who want the information you’re storing will target your vulnerabilities and attack accordingly, he adds.
“We are dealing with a continuously morphing and evolving threat landscape,” he says. “It’s really about being at the wheel and watching the dials at any given time.”
Referencing the Equifax attack—a breach in 2017 that impacted 147 million U.S. customers and about 19,000 Canadians—Homan explains how the malicious actors identified a vulnerability in the system, gaining access more than two months before anything was detected.
Avoiding a situation like this, he adds, requires having the right processes, technology and staff in place to cope, evolve and adapt. “So, people in the organization are aware of what’s expected of them…when there is an identified threat or vulnerability, if a patch is carried out…if monitoring is effective,” he says. “It’s all about…living and breathing those processes and the culture of mitigating and being ready for breaches when they do occur.”
Having proper data protection in place demonstrates not only a commitment to the privacy act, but accountability to your staff, partners and customers, says Homan.
“It all starts at the top with respect to demonstrating accountability,” he says. “Guarding against breaches is a dynamic responsibility rather than a static one. You can’t just set it and forget it.”
3. MAKE DATA PROTECTION AN ONGOING COMMITMENT
Further to getting those processes in place is revisiting them regularly to identify any gaps, loopholes or errors in your systems, while also remaining up-to-date with policy and regulation.
“Constantly review the policy and what is happening with the data. Do a vital sign check on security policy and systems,” advises Andritsos. “Things evolve and change…once you know the consequences, you can [confidently] input and store your data.”
For example, the encryption implemented in the WADA system was only effective while data was in transit (moving over the internet or the private corporate network), not when it was at rest (stored on a hard drive, for example), says Homan. This created a vulnerability that the attackers were able to detect and exploit. “It’s important not just to have safeguards, but to make sure that they are properly implemented,” he says.
Encryption standards are being developed and updated by experts around the world to better protect our data. As a starting point, the University of British Columbia’s encryption requirements provide guidance.
Find out more about how your organization can adequately protect itself from cyberattacks and put the right prevention methods in place with CPA Canada’s Cybersecurity and data protection report, the online course Cybersecurity practices and reporting trends, or the data management certificate.