You bet. When the Nielsen study Information Security for Small and Medium Enterprises was recently commissioned by Chartered Professional Accountants of Canada (CPA Canada), the concerns about basic security practices in Canadian businesses ranged from an inability to prevent common attacks to a fundamental apathy about data protection across the country.
Although the Digital Privacy Act, which amends the federal Personal Information Protection and Electronic Documents Act (PIPEDA), was adopted in June of this year, the much-needed reform of data breach disclosure was, and still is, a few months away. Concerns about the effectiveness of those amendments persist, due in part to the way mandatory breach notification is worded. In effect, businesses will not be required to notify either the affected individuals or the privacy commissioner unless they themselves judge a suspected breach to create "a real risk of significant harm" to individuals.
In other words, the law presumes that an organization whose preventive controls were insufficient to stop a breach nevertheless has reliable controls in place to detect and investigate that same breach. Further, if an organization has a way to contain a breach or correct the damage, it can unilaterally decide that the "real risk" is not significant enough to warrant disclosure. If it does choose to come forward with such potentially damaging news, it must be ready to supply its records of breaches for inspection by the privacy commissioner's office.
So it is anything but obvious that businesses in Canada are, or will be, able to detect data breaches when their reward for doing so is the prospect of severe reputational damage. However, the very real penalty of up to $100,000 for failing to comply with the PIPEDA amendments makes it an offence for an organization to ignore these requirements and their deadlines.
Although we are presented with a daily parade of damaging hacking attacks and data breaches, the vast majority, if not all, of the incidents we hear about victimize U.S. organizations and the citizens of other countries. This is primarily because Canadian breach notification legislation arrives at least a decade late, but also because the current climate neither favours nor rewards businesses that come forward with the non-trivial accomplishment of having detected a privacy-invasive data breach on their own.
To put things into perspective, there are three main types of data security safeguards: preventive controls, breach monitoring (detection) and corrective measures. If an organization fails to implement preventive controls, the chance of timely detection is slim. Slimmer still are the hopes of effectively taking corrective steps in the aftermath. In fact, the average number of days that cyber-criminals and their malware spend undetected on victim systems is a whopping 229, with up to 45 more painful nights consumed by corrective activities [FireEye/M-Trends figures]. And those are U.S. statistics, where businesses and the public have ostensibly benefited from greater investment in systematic monitoring as a result of more than a decade's commitment to legislated breach notification.
Over the same decade, Canada has struggled with multiple iterations of proposed (and subsequently squelched or indefinitely delayed) PIPEDA amendments seeking to correct the glaring omission in the original law.
In the absence of such legislation, then, what could possibly motivate Canadian businesses to do the right thing? CPA Canada took the commendable initiative of asking its membership for answers, and those answers resulted in two recent papers published by the association. In the interest of full disclosure, I assisted the CPA in articulating the study results, but only upon gaining assurance that the process unfolded with integrity and accountability – something to be expected, after all, from a nationwide group of accountants.
The results are more than a little surprising. As it turns out, Canadian small and mid-size businesses are doing more than going through the motions. They are genuinely concerned about information owners and their valuable, intangible assets. They know they are merely information custodians and take steps to protect data using – at the very least – such fundamental practices as data backups and strong passwords.
Most interesting to me is the focus on specific preventive and detective methods for dealing with breaches. In fact, almost half of respondents indicated awareness not just of breaches in general, but of breaches that had happened to them. This, in the absence of a legal push for accountability, is a big deal, because it shows that Canadian SMEs (and, to be fair, most of the respondents are members of the accounting profession) actually care about the information they have been entrusted with.
On that point, most respondents (72 per cent) derive this awareness from concerns over hacking and emerging threats, while two-thirds worry about accidental breaches and related data compromises. With the looming threats of domain name hijacking and ransomware targeting websites, the 61 per cent that indicated concerns over the safety and availability of their Internet presence seem justified.
Perhaps the most important, and most surprising, finding is that a high 43 per cent of these professionals and their companies voluntarily reported significant data breaches (albeit not necessarily to the privacy commissioner), at least those requiring a moderate or higher mobilization of resources to correct.
The study was distilled into two freely available reports, focused respectively on businesses and on accounting firms. They include further insights into how Canadian firms manage security risks and how they can anticipate and prevent threats from significantly affecting their operations. Because the relevance of the answers one gets is only as good as the quality of the questions asked, the documents also include a series of smart questions to put to IT support and security vendors.
Although largely positive, the findings by no means show significant risk maturity or particular adherence to specific industry standards. From my personal perspective, however, the revelation that Canadian business owners demonstrate respect for information that has been entrusted to them was the most important finding, and it certainly came as a welcome surprise.
Claudiu Popa is a risk advisor to Canadian organizations and government agencies.