Another day, another breach, is the tune we’re trolling to these days. This week, Freedom Mobile announced its database had been breached, affecting 15,000 users. Whether or not this data has been misused is still being investigated, but the information was unencrypted. And while this public data was compromised, tech giants like Google are now giving users more control over how long their data lives online. Control and transparency over one’s data is a win, but what happens when that data gets into dangerous hands?
The global management firm Accenture reported on the cost of cyber crime, surveying 25 Canadian companies, and found they recorded an average of 75 cyber attacks in 2018. This translates to nearly 1.5 attacks per week.
Malware and people-based cyberattacks cost Canadians an average of US$9.25 million. And let’s not forget about ransomware, a.k.a. malware which holds data hostage until a random is paid. Cyber crime is costly.
“Ransomware is an issue and hackers usually demand to be paid in bitcoin,” Carole Piovesan, co-founder and partner of INQ Data Law, which specializes in cyber security, tells Yahoo Finance Canada. “Where there’s a ransomware attack, law enforcement may need to be involved.”
Piovesan says if she were a business today, the first step she’d take is “document my existing cybersecurity policies and processes to make sure I have a record of what I already do.” Next, she would engage an expert and ensure the most robust policies are in place so that “the more sensitive the data, the more technical security and comprehensive my cyber preparedness plan is,” she says. Piovesan also recommends a “cyber fire drill” that lays out the plan for what to do when there’s a breach.
But, what is Canada doing to help?
“I’m confident that the Government of Canada and the agencies of the Government of Canada understand that this may be the greatest threat facing the country today,” Honourable Senator Douglas Black tells Yahoo Finance Canada.
As the chairman of the Standing Senate Committee on Banking, Trade and Commerce, Black oversaw the 2018 report, which addresses Canada’s cyber security strategy. In the report, the committee recommends the appointment of a cybersecurity minister as well as issuing security tax incentives for businesses.
Unfortunately, not all companies care about cyber security enough: a 2017 survey by the Canadian Chamber of Commerce found that 64 per cent of businesses surveyed had no intention of investing in cyber security measures at the time.
Now it’s 2019 and we are in a whole new league of misfortunes. Still, from 2016 to 2018 only 46 per cent of companies worldwide had conducted specific risk assessments into cyber attack vulnerability, according to the report.
Since releasing the report in October, Black says the government has created and implemented a national cyber strategy, invested in new budgetary measures to establish a Canadian Centre for Cyber Security and a National Cybercrime Coordination Unit, and has “expanded powers” for the Chief Information Officer of the Government of Canada.
10 million Canadians have fallen prey to cyber attacks in the last year alone, says Black. And the Office of the Privacy Commissioner of Canada “doesn’t have the power to make companies comply with legislation designed to protect Canadian consumers, or to impose fines when companies breach that legislation,” which is a problem, he says.
Black suggests the need to establish a pool of trained and trusted specialists available to “strengthen our systems” and “catch vulnerabilities before they can be exploited.” Black also says the government should encourage Canadians to pursue education in this field with the goal of doubling the number of graduates with cyber security expertise in the next four years.
“Cyber security needs to be a priority on its own, it cannot fall under the umbrella of another ministry,” asserts Black. “A lack of focused attention on the issue has brought us to the precarious position we now occupy. Creating a new ministry will allow Canadians to hold the federal government to account for its efforts to keep Canadians safe.”
And when a national cyber literacy program is created (another recommendation), Black states it should be led by the Canadian Centre for Cyber Security.
Canada’s breach law came into effect last year, but Piovesan says more needs to be done.
“Companies need to invest in proper policies for breach preparedness, which includes having retainers in place with legal and forensic experts to be able to react quickly and appropriately. They also need to know how to track their investments in preparedness,” she says.