CISOs and other corporate officials with cyber security-related responsibilities now have a Canadian reference text to help answer questions about buying secure IT products, privacy law and breach response.
Cybersecurity in Canada, a 140-page book by lawyer Imran Ahmad of the Miller Thomson law firm, was published earlier this month and is aimed at IT procurement managers, risk managers and lawyers.
“If you look for any kind of reference book in Canada for law firms or in-house counsel or risk managers there’s no good Canadian resource,” says Ahmad, who in addition to leading his firm’s cybersecurity law practice also sits on the cyber council of the Canadian Advanced Technologies Alliance (CATA). “There’s tons of frameworks in the U.S. that people can use. There just seemed to be a gap on that front [here]. And most of the things were very technical or very high level. So we wanted to have something – and in fairness this was something [our] clients were asking about – something at their fingertips, something short and sweet. You’ll see each chapter is no more than 10 pages at the most. So it’s really a handbook, not a dissertation.”
In addition to listing best practices organizations can implement before and after a data breach or cyber attack, contributors also author chapters on cloud computing, supply chain procurement, cyber insurance, obligations of the board and management, dealing with law enforcement and handling customers and the media after an incident.
The book comes at a time when a number of experts believe Canadian organizations and governments are not as ready as they should be to face cyber attacks. Ahmad is one of them; he argues leaders here are still in denial despite news reports in ITWorldCanada.com, the CBC and the local press about attacks, as well as federal government attempts to raise awareness.
“I think there’s a sense of complacency that we may not be targets, or we don’t hold information that is relevant to cyber criminals,” he said. But, he added, “when we look at the fact that we’re right beside the U.S. and we’re a good proxy for cyber attackers to either get access to U.S. information by hitting our networks and getting a sense of how they work because they’re similar, or by stealing information to make a quick buck off of it because we do have valuable information, it’s something we’re going to be dealing with for a while.”
And cyber incidents here are under-reported, particularly compared to the U.S., Ahmad added. He hopes that will change when the federal government announces proposed regulations for complying with the new Digital Privacy Act. The law specifies that organizations covered under the federal Personal Information Protection and Electronic Documents Act (PIPEDA) must report data breaches that pose a real risk of significant harm to affected individuals as well as to the federal privacy commissioner. That should help spread word of breaches and, through the privacy commissioner, create an authoritative source of data on them.
Draft regulations are expected to be released before the end of the year. However, it might be at least another year after that before they are finalized and made official.
Not all of the text refers to Canadian sources. The book leans on the security frameworks published by the U.S. National Institute of Standards and Technology (NIST) as its baseline, for example. Ahmad says most experts would see that as an international standard. Sections on privacy law and procurement, understandably, rely on Canadian rules and regulations.
The book is not an introductory text to IT or law; it assumes network admins and counsel have some knowledge of their respective areas.
The first six chapters deal with risk mitigation strategies that experienced CISOs should already know, organized around the five functions of the NIST framework: identify valuable assets, protect them, detect attacks, respond to them and then recover. However, IT managers of small and mid-sized organizations may find in these chapters a useful one-stop guide to doing things more rigorously than they do now.
There are handy chapters on the selection and management of vendors, suppliers, service providers and contractors, which advise that procurement documents should ask bidders not only for references, background information and plans, but also for how long the firm has been in the business of supplying cyber security services.
Contracts should also set out each party’s obligations and expectations in handling sensitive data. These could include a right to regularly audit and test the security controls of suppliers, requiring suppliers to adhere to security monitoring protocols, requiring periodic reports demonstrating security service level attainment, and requiring suppliers to provide timely notification (ideally within a contractually defined window) of any security breaches or incidents that may impact the business. There is detailed advice on how these terms can be negotiated, recognizing that there are trade-offs between the level of security demanded, the supplier’s risk profile and cost.
Lawyers who don’t practice cyber or privacy law will appreciate the chapter on possible litigation exposure from a breach (and CEOs and boards may find it educational and sobering).
The section on communications has this reminder: “A communications plan for a cyber incident should never be developed in a silo. Cyber incidents are not legal, IT or communications problems. They are business problems that require a holistic solution from a multi-disciplinary team.”
As for incident management, the book has lots of advice for counsel and the incident response team, including reporting requirements under current provincial and federal laws.
Consider, too, what Ahmad said in the interview are the biggest mistakes made by incident managers: “Either having a very prescriptive and detailed plan that doesn’t allow them to be flexible, or having a disaster recovery plan or incident plan and assuming it applies to a cyber security incident.”
All in all, this is a worthwhile book to have on hand.
Cybersecurity in Canada: A Guide to Best Practices, Planning and Management is published by LexisNexis Canada and costs $90.