Canadians must avoid desensitization to data breaches and lobby for stronger penalties, cybersecurity experts say

Cybersecurity experts are worried that the increased frequency of data breaches is becoming normalized by the public, reducing the pressure on organizations that handle private data to do better.

“It’s clear that this happens to many major companies, even those who invest heavily in security. I don’t want to say that it’s inevitable, because it’s not, but there is an aspect of frequency to this, that is really startling,” said Ira Goldstein, the chief operating officer at Herjavec Group, in an interview with IT World Canada. “I think there’s kind of a societal and philosophical angle to that where people are becoming quite desensitized to it.”

Mark Nunnikhoven, vice-president of cloud research at Trend Micro, said that such a desensitization is one of his biggest fears and the worst-case result of cybersecurity breaches like the one at Capital One Financial Corp., which exposed the private information of around 100 million people in the U.S., and 6 million Canadians.

Desensitization among the public could also reduce their motivation to lobby for stronger laws and regulations.

“That is what I’m scared of. You can’t go a week without opening one of the major national papers and seeing a breach somewhere. It is very easy to become desensitized to, especially in an area as complex as technology. That is an issue so vast and complex that it’s easier just to say ‘that’s just how it is’,” said Nunnikhoven in an interview with IT World Canada. “There’s a lot of things that organizations can do to strengthen their security to reduce the number of data breaches that there are. But without that demand from the people and that big stick from regulators, it’s unlikely they’re going to undertake that of their own accord.”

While Canada does lag behind regulatory leaders like Europe’s General Data Protection Regulation (GDPR), the federal government did recently implement a new Digital Privacy Act (DPA) that amended the Personal Information Protection and Electronic Documents Act (PIPEDA) to include regulations that dictate how organizations must report such breaches, although many in the channel community said these new regulations were too vague to have a true impact.

But these updated policies, according to Goldstein and Nunnikhoven, don’t include enough financial penalties.

Referencing the maximum penalty under the GDPR of 6 per cent of global revenue, Nunnikhoven said that “money talks” and called for additional penalties to be levied against offending Canadian organizations.

“That really highlights the biggest weakness in Canadian data privacy regulation. In general, we’ve done a decent job about it. Finally, the nuts and bolts are put in place,” said Nunnikhoven. “The challenge there is that the fines aren’t nearly big enough. We need financial incentives to align security interests of citizens with those of the business. And I think that’s the glaring part.”

And with a much lower maximum threshold for fines in Canada than in Europe, Goldstein worries that organizations, especially those who rely on the collection and leveraging of people’s data, will not take them seriously.

“With fines up to $100,000, it can be seen as a cost of doing business as opposed to a real penalty that drives behavior.”

In its statement, Capital One described the security gap that led to the breach as a “configuration vulnerability”. The charge sheet suggests the alleged hacker used a “firewall misconfiguration” to access the data held by an unnamed cloud computing company. Judging from the email sent to Capital One by a white hat hacker, who refers to an S3, it would suggest this was on Amazon AWS. 

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Buckley Smith
Buckley Smith
Staff writer for IT World Canada. Covering the world of technology as it applies to business. Buckley is an avid sports fan who loves travel, food, and music. Can be contacted at [email protected] or 416-290-2000.

Featured Story

How the CTO can Maintain Cloud Momentum Across the Enterprise

Embracing cloud is easy for some individuals. But embedding widespread cloud adoption at the enterprise level is...

Related Tech News

Get ITBusiness Delivered

Our experienced team of journalists brings you engaging content targeted to IT professionals and line-of-business executives delivered directly to your inbox.

Featured Tech Jobs