Cybercrime is still on an alarming increase, after years and years of detection. While the highest profile breaches have been in the U.S., Canadian organizations haven’t been immune. According to the Ponemon Institute, one of the world’s leading Internet research firms, 36 per cent of Canadian organizations know they have had a data breach in the last year. Add in the number of organizations that simply aren’t aware their systems have been breached, and we can see a pandemic of security issues.
The impact of breaches on organizations is huge
* The cost to remediate a single breached record is estimated at $250.
* The total cost of a wholescale breach is estimated to be $5 million.
Cost includes lost customer business, forensics, auditing, consulting, and perhaps most alarmingly, the impact of identity theft.
The latter is the primary impetus behind the Digital Privacy Act (DPA), passed by the federal government in June 2015 but only scheduled to come into effect later this year. The DPA, essentially an amendment to existing privacy legislation, places more reporting demands on Canadian organizations with respect to security breaches.
* Report any security breach of privacy information that results in identity theft or can cause reputation damage, financial loss or negative impact on customers’ credit rating. The report must be made to the federal Privacy Commission in a timely fashion.
* Inform affected individuals that their information has been compromised and indicate there is a significant chance of harm. This must be done as soon as possible.
* Maintain records of any security breaches for forensic purposes.
The bill gives courts the power to “assess penalties for deliberately failing to report a data breach to the Privacy Commissioner, deliberately failing to notify an individual of a data breach and deliberately failing to maintain or deliberately destroying data breach records.”
Many organizations are evaluating their technical process capabilities to avoid penalties for non-compliance with the act. But the key is preventing breaches before they happen.
How do breaches occur?
There are three primary vectors for cyber attacks: vulnerabilities in people, processes and IT systems.
Employees are often unintentionally the source of data breaches. For example, the information on one’s social media profile is often enough to infer passwords. Without proper training and adequate security policies, employees can put the organization at risk. A policy of complex passwords changed at regular intervals—for example, every 30 to 45 days—can bolster defence against this particular attack vector. Along with that, training in the many varieties of malicious behavior, such as social engineering and phishing attacks, can create another line of defence.
IT systems themselves are another issue. As the saying goes, the price of freedom is vigilance. Unpatched software is a major vector for intrusion; cyber attackers often can assess software vulnerabilities before companies know they exist. Again, weak security policies are as much a problem on the system side as on the process side. And with the explosion of the mobile market, lost or stolen devices can become yet another vulnerability.
Organizations must put in place processes that enable them to identify vulnerable assets, protect sensitive information, quickly identify a data breach, and respond and recover using lessons learned from previous experience.
How best practices protect
Ninety per cent of last year’s data breaches could have been prevented by following security best practices, according to OTAliance. As cyberthreats have evolved, the IT community has gathered a considerable amount of intelligence regarding the sources and vectors of cyber attacks.
Much of that information is anthologies in the United States’ National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF). Building on that framework, Symantec Inc. has worked with the Canadian federal government to create the GetCyberSafe initiative to provide organizations with access to best practices in the field. To learn more, click here