What can be learned from the government’s cybersecurity bungling

Would you sleep at night knowing your business is only protected from cybercriminals during regular banker’s hours?

Apparently the bureaucrats in Ottawa thought that plan was just a-okay(or is that ‘eh-okay’?) for this country’s entire IT security strategy.As detailed in our source story from the Globe and Mail, therecentauditor-general’s report really stuck it to the feds’ cybersecuritystrategy, pointing out that the Canadian Cyber Incident Response Centre(CIRC) only monitors suspicious stuff from 8 a.m. to 4 p.m.

Coincidentally, Ottawa announced shortly before the A-G’s report cameout that CIRC’s hours will be extended to 15 hours per day. So ifyou’re a hacker, now you only have a daily nine-hour window when noone’s really minding the store.

In fact, Liberal safety critic Francis Scarpaleggia even wondered aloudwhy CIRC isn’t held to the same operating standards as, well … a store:“If 7-Eleven and Couche-Tard can stay open all night, why can’t theIncident Response Centre?”

We dialed up security expert Tony Busseri for his take on the report.His main takeaway? After spending over a decade (and hundreds ofmillions of tax dollars) to develop a cybersecurity strategy, Ottawahas done far worse than most businesses in moving to keep its data andnetworks safe.

It’s 11 o’clock Canada. Do youknow where your government data is? (Photo: Shutterstock

“The Canadian federal government’s (cybersecurity) response and programis an example of what businesses shouldn’t do,” said Busseri, CEO ofToronto-based IT security firm Route1.

Example: after two key federal departments (rumoured to be Treasury andFinance) were hacked in January 2011, an investigation discovered somepublic servants weren’t storing sensitive information properly orsecurely.

Security tips
Busseri offered us some tips, based on the mistakes made by Ottawa,that Canadian businesses of any size can use to protect their ITassets.

Use two-factorauthentication: This usually entails a device (like asecurity smartcard that goes into a USB port) plus a passcode enteredby the user. “It’s something you have (the device) and something youknow (the code).”

Honour thy firewalls:“Use a solution where the data’s never going beyond the firewall of thenetwork, not a VPN or a browser-based solution that pulls data fromyour network to a remote access point.”

Look beyond just thebiggest, oldest names: Ottawa repeatedly procures from thebiggest tried and true security vendors, Busseri said, but that’s notalways the best option out there. “They buy big and they buy what’sbeen done historically.”

The priciest securityisn’t always the best: “I think (Ottawa’s) spending enoughmoney. More money doesn’t mean better security.”

Be open to newersolutions on the market: “It’s not that the bad guys aretoo smart. It’s that (the feds) are being really dumb around theadoptionof new technologies.”

Source | Globeand Mail

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Christine Wong
Christine Wonghttp://www.itbusiness.ca
Christine Wong has been an on-air reporter for a national daily show on Rogers TV and at High Tech TV, a weekly news magazine on CTV's Ottawa affiliate. She was also an associate producer at Report On Business Television (now called BNN) and CBC's The Hour With George Stroumboulopoulos. As an associate producer at Slice TV, she helped launch two national daily talk shows, The Mom Show and Three Takes. Recently, she was a Staff Writer at ITBusiness.ca and is now a freelance contributor.

Related Tech News

Get ITBusiness Delivered

Our experienced team of journalists brings you engaging content targeted to IT professionals and line-of-business executives delivered directly to your inbox.