#CyberFLASH: Ten tips to keep your workplace data secure

Small businesses spend a lot of time working on growth, but Bianca Lopes says it’s just as important to know how to avoid shrinkage because of lax security.

“Businesses really need to have a basic knowledge of where their data is held,” says Ms. Lopes, director of strategy for BioConnect, a Toronto-based company that develops identification software for banks and other corporate clients.

For any business, security can mean more than simply protecting data. It can be everything from making sure people don’t shoplift chocolate bars and gum from the counters to being sure that employees and suppliers aren’t secretly putting the cash flow into online poker.

Today, though, cybersecurity is the biggest imperative. A 2014 global survey by the U.S.-based Ponemon Institute, which conducts independent research on privacy, data protection and information security, found that 55 per cent of small businesses and professionals said they had suffered at least one data breach in the previous year and 53 per cent reported multiple breaches.

Ponemon’s 2016 research in Canada looked at 24 companies and found that the average per capita cost of a data breach is $278, up from $250 the previous year, and the average total cost to businesses (large as well as small) was more than $6 million, up 13 per cent from 2015.

While Ms. Lopes’ company is busy in Canada and overseas outfitting companies with biometric ID software, she says all businesses can start with basic security steps. Here are a few from her and others:

Read more here

#CyberFLASH: Is Digital Privacy Becoming a More Participatory Process?

There has always been tension surrounding privacy online. Most users want an experience somewhere between total anonymity and total openness, and largely the onus has been on them to learn about their rights and options. However, the dynamic may now be changing as companies become more transparent about their practices, and users begin questioning the data companies collect.

In an environment of changing data protection laws and increased user participation in the process, users are increasingly confronted with the reality that their data is being constantly mined. Last week the European Parliament, industry groups, and companies reached an agreement on a package of laws that aim to increase consumer privacy protections through better communication with users. The legislation also aims to outline the boundaries for law enforcement and businesses with regard to their access to user data.

Google responded after the agreement by asking users, once again, to agree to the collection of their data. Aside from being a legally necessary move, this is indicative of trends in the industry that have resulted from greater user participation. Users are also more aware of the value of everything they upload, and are seeking out services that value their content and are willing to compensate them for it.

However, companies like Facebook, which offer no direct value to the user, have increasingly come under scrutiny for their practices. Facebook has been reluctant to roll facial recognition technology out to Europe and Canada, perhaps because of tighter data regulations. Facebook is already facing lawsuits over facial recognition in the U.S., relating to the storing of data deemed too sensitive or identifying.

Read more here

#CyberFLASH: Technology in the workplace – Top 9 issues for employers

Technology enters the workplace in many ways and there are a number of risks and issues that employers need to consider.

  1. Cybersecurity and Data Protection
    A number of data breaches have been making headline news. These threats do not only come from criminal hackers or other external sources. Much of the risk around data security comes from the way employees manage company data. Instituting policies, practices and training around acceptable use, storage and retention of employer data, systems and property is key.
  2. Employee Misuse of Social Media
    Where there is a nexus between an employer and inappropriate content posted online by an employee, such conduct may provide a basis for employee discipline up to and including termination of employment. A number of recent cases demonstrate that terminating with just cause is possible, particularly when the post is harmful or potentially harmful to the employer.
  3. When Not to Discipline For Misuse of Social Media
    While disciplining employees for misuse of social media is appropriate in many circumstances, Canada may follow the U.S. trend in which some employees argue that social media posts are protected, or that discipline is an unlawful reprisal under employment standards and other legislation.
  4. Privacy on Workplace Computers
    Employees will likely have some expectation of privacy on workplace computers where personal use is permitted. This expectation of privacy can be limited by way of computer use policies that provide for employer monitoring of workplace computers, where the employer has a legitimate need to conduct monitoring and where such monitoring is reasonable in scope. Such policies should be clearly communicated to employees.

Read more here

#CyberFLASH: IIROC publishes resources to help dealers increase cybersecurity preparedness

TORONTO – The Investment Industry Regulatory Organization of Canada (IIROC) today published two resources to help IIROC-regulated firms protect themselves and their clients against cyber threats and attacks.

The Cybersecurity Best Practices Guide provides an enterprise-wide risk-based framework of industry standards and best practices that IIROC-regulated firms can apply to heighten awareness and manage cyber risks in an evolving environment. The Cyber Incident Management Planning Guide is a complementary tool for firms to prepare effective response plans for cyber threats and attacks. These resources were produced by a leading security consulting firm, engaged by IIROC, which has worked with other Canadian financial services regulators on cybersecurity matters.

“Active management of cyber risk is critical to the stability of IIROC-regulated firms, the integrity of Canadian capital markets and the protection of investors,” said Andrew Kriegler, IIROC President and CEO. “That is why we consulted with the industry, engaged security experts and developed concrete resources to help firms better manage their cyber risks.”

This initiative follows from previous work IIROC conducted, including a survey of its membership and a table-top exercise, as well as input from industry representatives. IIROC also reviewed approaches used by other domestic and global financial services regulators.

In addition, IIROC is developing a cybersecurity program to work with dealers to increase their cybersecurity preparedness.

IIROC is the national self-regulatory organization which oversees all investment dealers and their trading activity in Canada’s debt and equity markets. IIROC sets high quality regulatory and investment industry standards, protects investors and strengthens market integrity while maintaining efficient and competitive capital markets. IIROC carries out its regulatory responsibilities through setting and enforcing rules regarding the proficiency, business and financial conduct of dealer firms and their registered employees and through setting and enforcing market integrity rules regarding trading activity on Canadian equity marketplaces.

Read more here

#CyberFLASH: Canadian companies have ‘false sense of security’ when it comes to cyber threats

Many Canadian businesses have “wrapped themselves in a false sense of security” when it comes to resisting cyber attacks, according to a new survey by Deloitte.

A false feeling of preparedness, often because there has been no attack to date, leaves the door open “even wider for the would-be attackers,” according to Thursday’s report, which was based on responses from more than 100 major organizations across all major sectors.

On Wednesday, Target Corp., the U.S. retailer at the heart of a massive headline-grabbing cyber data breach in 2013, agreed to pay nearly US$40 million to resolve claims by banks and other financial institutions.

Deloitte found that 60 per cent of 103 Canadian organizations surveyed across a range of sectors reported they had not experienced a cyber attack in the past 24 months, and 90 per cent said they felt protected.

Yet, of those surveyed, only nine achieved the highest score on three key measurements: how secure they were, how vigilant they were in monitoring potential threats, and how resilient they were in terms of effective preparation for and recovery from attacks.

Deloitte concluded that Canadian organizations are “lagging when it comes to proactive threat management,” and noted that only half the organizations surveyed even have a defined cyber recovery process.

Read more here

#CyberFLASH: New report gives Canada a 77% grade for cybersecurity readiness

Canada has received an overall ranking of 77% – “C+” – for its cybersecurity readiness, according to a new report from Tenable Network Security, a continuous network monitoring company based in Columbia, Md.

For its 2016 Global Cybersecurity Assurance Report Card, released earlier this week, Tenable surveyed 504 global IT security professionals employed by organizations with 1,000+ employees in August. Canada’s ranking – at an overall score of 77% – was just slightly higher than the overall global score of 76% or “C”.

The report tallied responses from six countries – Canada, United States, United Kingdom, Singapore, Germany and Australia – and seven industry verticals, and also calculated a global score reflecting “the overall confidence levels of security practitioners that the world’s cyber defences are meeting expectations,” Tenable said in a press release.

Canada’s overall score was 77%, with a 70% grade for risk assessment and a grade of 84% for security assurance. Canada’s standing was in second place, compared to the U.S. in first place with an overall score of 80% (B-) and Australia in last place at 69% (D+). Of the seven industries studied – education, financial services, government, healthcare, manufacturing, retail and telecom/technology – financial services and telecom/technology received the highest marks of 81% each, while education received the lowest mark at 64%.

Read more here

#CyberFLASH: 10 compliance steps to protect personal information and data

The adoption by businesses of well-intended and organization-wide social media strategies, cloud-based storage and associated outsourcing solutions can present data protection and privacy challenges.

Notably, with the rapid emergence and wide use by employees of mobile devices such as smartphones and tablets, the challenges become somewhat intensified – particularly in relation to the preservation of an organization’s sensitive and proprietary information, as well as the personal privacy of its employees and customers.

Adopting an organization-supported bring your own device (BYOD) or similar program, while an enabler for employees, can nevertheless prove detrimental to an organization if it is not well considered and properly implemented. Although well intentioned and embraced by both the organization and its employees, such a program can have dire consequences for either or both if confidential organizational information and personal information are not safeguarded.

It is hoped this checklist will provide some assistance, recognizing that it is strictly a springboard and must be tailored to the particular organization’s data protection and statutory retention obligations.

1. Adoption of a comprehensive personal information and data protection compliance strategy

The organization must proactively ensure that its compliance approach applies throughout the entire organization. This includes all data processing activities that embrace or utilize technologies, in particular all employee mobile devices that provide remote access to the organization’s standalone, cloud, and third-party managed servers.

2. “Personal information” inventory

Inventory, by way of an audit, the various categories of personal information (PI) together with their respective database, server, workstation, mobile device, cloud and third-party location(s). Such an audit should extend to both hardcopy (specifying physical location) and digital formats.

Read more here

#CyberFLASH: What your business has to know about the new privacy landscape

Chantal Bernier is former interim privacy commissioner of Canada, counsel in the global privacy and cyber-security group at Dentons LLP Canada and a senior fellow in the Graduate School of Public and International Affairs at the University of Ottawa.

Canadian businesses suddenly find themselves contending with an unusually high number of significant privacy law developments.

In April, the Office of the Privacy Commissioner of Canada delineated the rules around online behavioural advertising. In June, Parliament adopted the Digital Privacy Act, amending the Personal Information Protection and Electronic Documents Act (PIPEDA) to create mandatory breach notification and mandatory breach recording, broaden organizations’ right to share personal information between them and allow disclosure of personal information in instances of suspected financial abuse. Also, Canadian businesses operating in Europe are seeing stricter privacy obligations looming with the adoption by the Council of Ministers of a position on the Draft European Regulation on Data protection.

Here is an overview of the legal implications of these developments and the necessary adjustments for business.

Online behavioural advertising

OBA involves tracking consumers’ activities across sites and over time in order to deliver advertising based on their inferred interests. For example, we see ads for cellphones after researching phone upgrades on the Internet.

Read more here

© 2013 CyberTRAX Canada - All Rights Reserved.
Sponsored by C3SA Corp.