☰ Navigation

1-888-643-2217 Email ABEX
Keeping you updated

Category Archives: Cyber Risk Management

Only 4 in 10 Businesses Have Data Breach Policies in Place

Posted on by

Last year, the Office of the Privacy Commissioner of Canada (OPC) ordered a telephone survey—2017 survey with Canadian businesses on privacy-related issuesof around 1,014 Canadian businesses. The goal of this survey was to learn how knowledgeable organizations are on privacy issues and requirements, understand the types of privacy policies and practices they have in place, and determine their privacy information needs.

The following were some key findings from the survey:

  • Only 4 in 10 companies surveyed have policies or procedures in place in the event of a breach.
  • When asked to rate their level of concern regarding a future data breach, the results were split. Overall, nearly half (48 per cent) expressed at least a moderate level of concern while 50 per cent expressed low or no concern at all. The OPC said that this data indicates concern over data breaches has decreased among Canadian businesses over previous years.
  • Around 68 per cent of respondents placed an emphasis on protecting their customers’ personal data. In addition, according to data from previous OPC reports, consumer concern about privacy breaches remains high. In fact, 85 per cent of Canadians indicated that news reports about privacy breaches affected their willingness to share personal information.

Among other things, the OPC survey illustrates a disconnect between organizational beliefs regarding data protection and the existence of real privacy policies. Despite continued, high-profile cyber breaches and increasing customer concern, many companies surveyed remain complacent with their level of security.

The OPC will use these survey results to enhance its outreach efforts and more effectively guide organizations on their privacy responsibilities.

© Zywave, Inc. All rights reserved

Federal Budget Details $600 Million Investment in Cyber Security

Posted on by

The federal government recently released its 2018-19 budget. Among other important allocations, the government announced an investment of more than $600 million in data privacy. Specifically, the budget calls for $507.7 million over the next five years and $108.8 million each year thereafter for a new national cyber security strategy to help protect Canadians and their sensitive personal information.

A portion of the funds—$155.2 million during the next five years and $44.5 million per year thereafter—will go toward establishing a new Canadian Centre for Cybersecurity. This centre will allow the government to consolidate its cyber expertise under one roof as well as establish a single source of advice, guidance, services and support on cyber security-related matters.

In addition to funding the creation of the Canadian Centre for Cybersecurity, the government will provide $236.5 million over the next five years and $41.2 million per year thereafter to support the national cyber security strategy. This strategy is designed to do the following:

  • Enhance the government’s ability to investigate, prepare for and respond to cyber crime.
  • Create a voluntary cyber-certification program to help students and businesses improve their cyber security.
  • Improve cyber security on a national level by working alongside provincial, territorial, private-sector and international partners.

To learn more about these and other investments, review the government’s website on the 2018-19 federal budget.

© Zywave, Inc. All rights reserved

Avoid Costly Phishing Scams

Posted on by

Phishing, a type of cyber attack in which hackers disguise themselves as a trusted source online in order to acquire sensitive information, is a common scam that can put your employees and business at risk. The Canadian Internet Registry Authority recently published a survey of businesses who use the .ca domain and found that 32 per cent of firms had unwittingly divulged sensitive information after falling for phishing tactics.

Falling for a spear phishing attack can give a hacker access to personal and financial information across an entire network. What’s more, successful spear phishing attacks oftentimes go unnoticed, which increases the risk of large and continued losses.

Though it is difficult to completely avoid the risks of spear phishing attacks, there are ways to prevent further damage to your business. Make sure that your employees are aware of these simple techniques:

  • Never send financial or personal information electronically, even if you know the recipient well.
  • Be cautious when you are asked to divulge personal or sensitive business information in an email. Even if it appears to be from a trusted source, it could be a hacker impersonating another person or group.
  • Only share personal information on secure websites or over the phone.
  • Never click on links or open attachments from unknown sources. In addition, encourage employees to think twice about what they post online.
  • Ensure that your company’s security software is up to date. Firewalls and antivirus software can help protect against spear phishing attacks.

It’s important to encourage employees to be overly cautious when it comes to preventing phishing scams. Together, these strategies can go a long way toward keeping your business safe.

© Zywave, Inc. All rights reserved

6 Cyber Security Topics to Watch

Posted on by

Business and government leaders need to be on constant alert for cyber attacks of all types. With the evolution of cyber threats each year, there are specific threats to focus on for this year. Here are six cyber security trends to watch right now:

  1. Cryptocurrency—This is a digital currency in which encryption techniques are used to regulate the generation of units of currency and verify the transfer of funds, operating independently of a central bank. With many people interested in ways to capitalize on cryptocurrency, it is important to realize that the market is very volatile and highly susceptible to fraud and cyber attacks. Some experts feel the cryptocurrency market needs better security and a way to guarantee losses from theft.
  2. Artificial intelligence (AI)—Cyber security professionals use AI software to identify and predict cyber threats. However, AI can also be used by cyber criminals against the same organizations that use it for protection.
  3. More multifactor authentication—Even though many companies fear that implementing multifactor authentication would negatively affect user experience, the growing concern about stolen passwords might convince them to implement it.
  4. Increased regulation—Businesses could face increased regulation as governments try to compete with the growing risk of data breaches and attacks on infrastructure. One example of such government efforts is the General Data Protection Regulation in Europe.
  5. Rise in state-sponsored attacks—Such attacks tend to be politically motivated. Instead of focusing on financial gain, the intent of these attacks is to acquire intelligence that can be used to obstruct the objectives of a political entity. Appropriate efforts to deter and respond to these attacks will be a key topic for policy-makers and businesses over the next decade.
  6. Increasing demand for a chief information security officer (CISO)—Due to the shortage of skilled cyber security professionals, many companies hire external cyber security services and virtual CISOs. This outsourcing is expected to continue until employers find ways to fill the skills gap.

© Zywave, Inc. All rights reserved

What the GDPR Means for Canadian Businesses

Posted on by

With the severity of cyber attacks increasing on what seems like a daily basis, governments are now stepping in to provide guidance and keep the general public both safe and informed.

In Canada, the Digital Privacy Act (DPA), which amends the Personal Information Protection and Electronic Documents Act (PIPEDA), is the federal law that dictates how organizations respond to and report data breaches. However, these are not the only cyber-related laws Canadian businesses have to contend with, as Europe’s data breach regulations can have a sweeping impact on international businesses of all kinds.

In fact, any organization that operates or sells in the European Union (EU) or manages EU-based information could face major fines if they fail to comply with the General Data Protection Regulation (GDPR). As such, it’s crucial for organizations to have a general understanding of the GDPR and how to remain compliant.

What is the GDPR?

The GDPR, which comes into force May 25, 2018, is unique in that it is not simply limited to organizations that have a physical presence in the EU. Regardless of the location of a business, the GDPR applies to businesses that process personal data of EU-based individuals and:

  • Offer goods or services to an individual in the EU (even if those goods and services are offered at no charge)
  • Monitor the online behaviour of individuals from the EU

Based on these provisions, the GDPR can have a broad effect on organizations, regardless of their size, location or nature of operations. Effectively, those that trade in the EU or hold data of EU-based individuals must comply with the GDPR.

Fines and Compliance Requirements

Understanding the GDPR is important, especially when you consider that failing to comply can result in major fines and penalties—up to €20 million or 4 per cent of a company’s global annual turnover.

With the severity of these fines, just one GDPR violation can financially devastate an organization. That’s why it’s critical that companies understand what’s expected of them when it comes to GDPR compliance.

The following are five key features of the GDPR that businesses should be aware of:

1. Obligations for controllers and processors—The GDPR defines two distinct types of operations in its regulations—controllers and processors. The following are general definitions and standards that apply to these entities:

  • Controllers—Under the GDPR, any organization that collects, uses or discloses personal information of EU citizens may be considered a controller. Controllers are expected to protect the data of EU citizens and ensure that the processor who processes personal data on their behalf is also complying with GDPR rules. Controllers are also expected to conduct privacy impact assessments for any processing which is likely to result in a high risk and maintain records of all processing activities.
  • Processors—As mentioned above, processors process data on behalf of controllers. These entities must also implement appropriate safeguards, return or delete data once processing is complete, and notify the controller of any data breaches. Processors cannot subcontract any tasks without a controller’s permission.

2. Consent requirements—Per the GDPR, consent to process data must be given unambiguously by the owner of the data itself. Silence or inactivity does not constitute consent. In instances where an organization processes data for individuals under the age of 16, parental consent is required.

3. Mandatory data breach notifications—Following a data breach, affected individuals must be notified by the controller within 72 hours of the breach’s discovery. However, in instances where the breach could impact the rights and freedoms of affected individuals, the notification must be made without delay. Processors are also obligated to report the breach to the company that collects and/or controls the lost data.

4. Right to erasure—Per the GDPR, controllers are required to erase processed and/or stored personal data in the following situations:

If the data is no longer needed

If an individual objects to processing

If the processing was unlawful

5. Requirement for data protection officers—Under the GDPR, controllers and processors may be required to designate a data protection officer in the following scenarios:

  1. If data processing is carried out by a public authority or body
  2. If core activities involve regular and systematic monitoring of individuals on a large scale
  3. If core activities consist of large-scale processing of certain categories of data (i.e., data related to racial or ethnic origins, criminal convictions or political views)

While the above list outlines a number of the major GDPR considerations, it should not be used as a compliance guide. To review the final version of the regulation, helpful FAQs and summaries of key changes, visit the EU’s official website on the GDPR.

Ensuring Compliance

For organizations new to EU privacy laws, the GDPR can be overwhelming and confusing. Thankfully, Canadian businesses can do the following to ensure they are compliant and avoid potential fines:

  • Conduct a readiness assessment. Review the GDPR and determine if it applies to your business. If your organization determines that it’s subject to the GDPR, it’s important to evaluate how much EU data your business processes. Be sure to also examine the potential impact of the GDPR on your operations.
  • Identify compliance gaps. During your initial assessment, it’s important to identify any potential compliance gaps. In some cases, you may find that you are able to reduce your GDPR compliance burden by changing the way you store or track EU data.
  • Establish oversight. When it comes to GDPR governance, it’s important to take a structured approach. Continually document, model and coordinate potential GDPR issues and remediation strategies.
  • Implement a GDPR compliance program. After you’ve established key processes to identify compliance gaps, create a GDPR program to address potential concerns. This program should account for the following:
    • Governance
    • Policy management
    • Data life cycle management
    • Individual rights processing
    • Information security
    • Data breach management
    • Data processor accountability
    • Training and awareness
  • Remain prepared. Once your GDPR program is in place, conduct ongoing assessments to ensure continued compliance.

While the GDPR may be similar to PIPEDA and other privacy legislation in Canada, organizations should never assume compliance. Even if your business has well-defined data management practices and privacy policies in place, all organizations must review their current system for GDPR compliance issues and fill in any gaps.

Round Out Your Cyber Risk Management Program

In today’s environment, organizations process massive amounts of personal data every day. This data is a popular target for cyber criminals, and just one breach can result in serious financial losses and reputational damages.

If that weren’t enough, businesses that don’t respond to these incidents in accordance with federal and international privacy laws face hefty fines and penalties. To better protect your organization, it’s important to speak with a qualified insurance broker.

Not only can brokers provide general guidance on any applicable data breach laws, they can also help you round out your risk management programs with custom insurance policies.

© Zywave, Inc. All rights reserved

Blog

FOLLOW OUR BLOG

Receive notifications of new posts automatically.

ABEX - AFFILIATED BROKERS EXCHANGE IS ON FACEBOOK.

Like us on Facebook
Connect with us on LinkedIn

CONNECT WITH US ON LINKEDIN