To: Public Safety Minister Ralph Goodale
re: Cyber Security Awareness Month
In four days it will be October, the beginning of the annual Cyber Security Awareness Month in many countries, including Canada. This will be your first as Public Safety minister. I’m writing to urge you to lead a loud, visible campaign with other political and business leaders this month on all 31 days in as many parts of the country as possible.
CSAM is a joint effort by the public and private sectors to make sure companies, provincial, territorial and local governments as well as ordinary citizens understand their responsibilities to do everything they can to be secure online.
Organizations must inventory and then regularly patch their hardware and software, categorize all data and then secure sensitive information, restrict access to sensitive data through policies and identity and access management measures, train employees on safe practices and install and test data backup and recovery systems.
Individuals have to understand how to secure their own online devices, what safe online practices are and that safe practices not only apply at work but at home as well.
Unfortunately, despite work done by some public and private groups, the message isn’t getting through. Too many organizations are losing data through lack of governance or employee carelessness. The most recent was the loss this month of an unencrypted hard drive with information on approximately 900 current and former University of Ottawa students who used the institution’s special access services.
In the biggest reported breach this year, VerticalScope, a division of the Toronto Star’s parent company which owns hundreds of vehicle-related Web forums for enthusiasts, said some 45 million subscriber records were hacked, including user names, user IDs, email addresses, IP addresses and encrypted passwords.
Exact numbers are hard to get hold of because online crime isn’t reported well. But at the beginning of the year, as part of a global study, PricewaterhouseCoopers said Canadian organizations reported that 28 per cent of the fraud they suffered in 2015 came through online sources, up four per cent from 2014.
According to the latest figures from the RCMP, in 2013 the force received over 4,400 reported incidents of cybercrime, an increase of more than 40 per cent from 2011.
In previous years a number of organizations, including yours, have run online programs during Cyber Security Awareness Month. For example, the Communications Security Establishment (otherwise known as Canada’s electronic spy agency) had this site a few years ago and Queen’s University had this one for university staff and students. The IT industry’s lobby group, the Information Technology Association of Canada (ITAC), has regular security awareness programs throughout the year. This year Public Safety Canada has five weeks of themed topics.
Far too often, however, these are online campaigns that aren’t reaching decision makers. There’s also cheerleading – Put up an awareness poster! Slap on awareness stickers! – but that’s not good enough. Public Safety could devote more resources. This site for small and medium business barely scratches the surface compared to this site offered by the U.K.
Interestingly, earlier this month ITAC policy director David Messer told me he was at a meeting with cyber professionals where no one could remember when cyber awareness month takes place. “If it hasn’t made an impact with that group,” he concluded, “it needs much greater focus and attention from government.”
By now, Mr. Goodale, I’m sure your agenda for October is already full. But here’s what I’d like to see the government do, even if Parliament is sitting:
–Have all Cabinet ministers include a few minutes of comment about the importance of cyber awareness in every speech they give every day when they are off the Hill. Better yet, ask every one of your Liberal MP colleagues to do it. And if it is possible to make this non-partisan, ask the opposition parties to beat the drum as well. And the premiers, members of legislatures and mayors.
–Get business leaders to join the campaign, including John Manley, CEO of the Business Council of Canada; Perrin Beatty, CEO of the Canadian Chamber of Commerce; Tom Jenkins, chair of OpenText; John Chen of BlackBerry; Cisco Systems Canada president Bernadette Wightman; Shirley McKey, executive director of the Serene-Risc cybersecurity education network; Satyamoorthy Kabilan, director of national security and strategic foresight at the Conference Board of Canada; Bonnie Butlin, chair of the national council at the Canadian Cybersecurity Alliance; Robert Gordon of the Canadian Cyber Threat Exchange; and Dan Kelly, president of the Canadian Federation of Independent Business, and others.
Teams of cybersecurity experts should schedule meetings with small businesses in October to pass out information to C-level executives on how to start a cybersecurity plan if the organization doesn’t already have one. Have a list of Canadian cyber security success stories to present — ideally the CISO of the organization should be there.
I’m urging a loud, noisy, personal, in-your-face campaign that goes beyond the provincial capitals. A drumbeat. Would people get tired? Not if it was spread across the country.
Mr. Goodale, make Canada a leader in cyber security awareness. Then it will become a leader in cyber security.