Canadian Digital Privacy Act (Part Two)

The Digital Privacy Act, originally passed in 2015, has updated elements of its legislation that will require Canadian businesses to adhere to strict guidelines and policies in order to protect confidential information and disclose security breaches. While each organization will have to prioritize its own defenses, there are certain criteria every one will have to follow. Official standards will be released later this year, but there are steps you can and should implement immediately to improve your company’s security posture.

Educating your employees to act in a security-conscious manner is your organization’s primary line of defense. In the past, malicious attacks targeted individual programs or workstations, but they have now become much more advanced. Obstructing the regular use of a company’s website, shared drive, database and server infrastructure has now become hackers’ main objective in securing their financial goals.

Digital Privacy Act Requirements

Should a data breach occur, the Digital Privacy Act would require three basic steps to be taken:

  • Report Data Breach. Report any data breaches to the Office of the Privacy Commissioner (OPC). The OPC may decide to share information regarding data breaches publicly to reduce the chances that other parties encounter similar attacks. Transparency should help drive adoption of security technologies throughout industries.
  • Alert All Parties Affected by Breach. Affected individuals must be notified as soon as feasible that there is a potential compromise of confidential information.
  • Keep Records of Data Breach. Investigate and remediate to confirm that the breach has been contained. Your organization must keep records of all breaches and provide a copy to the OPC upon request. Records should include lessons learned and the actions implemented to prevent future occurrences.

Best Practices

Cyber criminals employ a wide range of attack methods and have time on their side to uncover new vulnerabilities they can use to achieve their goals. To successfully gain access to your company’s network, a hacker only has to be right once. Know your company’s security policies before an intrusion occurs:

  • Know your vulnerabilities. Risk and vulnerability assessments identify weaknesses in your network setup and in users’ behaviour. Take inventory of what assets need protection including physical devices, software applications and communication channels that are used internally and externally. Having a comprehensive overview of your business environment should help in containing any attacks that may occur.
  • Know your industry. Attackers go for easy targets that will return a high reward. They also re-use successful tactics across several targets. Be aware of current trends.
  • Plan and Detect. Keep an up-to-date inventory of devices that have access to your network or that are the responsibility of your organization. This will help with employee turnover, as well as in the event that a device is lost or stolen.
    Determine the techniques that should be in place to restore critical business data should a data breach occur. Know the safeguards that are available to protect valuable assets. Establish your company’s risk tolerance and refer to a security road-map that can move your current position towards an improved security posture.
  • Train employees. Train employees to recognize attack methods they may encounter while using the internet. Security awareness sessions, like those offered by Compulite, provide on-site training on current trends in cyber security and strategies end users can put into place to further protect their company’s network. Security sessions should recur on a yearly basis as part of your staff’s professional development in order to stay up to date with the latest developments.
    When new employees join your business, ensure that training on security measures and internal policies is reviewed as part of a thorough onboarding process.
  • Respond and Recover. Review techniques that can contain the impact of incidents. Address human vulnerabilities as well as software patches, and document a road map that addresses critical upgrades. A comprehensive disaster recovery plan should dictate techniques that can restore capabilities and limit the impact of downtime. The disaster recovery plan should also document lessons learned to prevent future breaches.

Things to Consider

Security policies should be reviewed multiple times throughout the year. Cyber criminals are able to bypass security measures the industry currently has available, which can leave the measures you have in place outdated. Conducting annual audits can minimize your company’s risk and outline where improvements are still required.

Remember to identify third-party vendors, non-profit or association members, and part-time employees, and include them in your security reviews. If they have even limited access to your network environment, they can still act as potential IT security vulnerabilities.