CIRA publishes an annual survey of Canadian IT security decision-makers to better understand how they are coping with cyber threats. This year’s survey, which research firm The Strategic Counsel conducted in August, collected over 500 responses from IT professionals across the country. This is the first blog post in a series of five for 2022.
A successful cyberattack can wreak havoc on Canadian organizations of any size, in any sector. When the critical systems they need to conduct their operations and serve their customers are taken out of commission, even for short periods of time, the consequences can be significant. Recovery efforts are often costly and time-consuming, resulting in lost productivity and lost revenue, and the cost of ransomware payments continues to rise. According to CIRA’s 2022 Cybersecurity Survey, organizations that paid a ransom in the last year typically paid at least $25,000.
Safeguarding personal data: a major concern for Canadian organizations
But as disruptive and damaging as these types of attacks are, there’s another, arguably bigger, threat Canadian organizations need to contend with today: losing the personal data of people associated with the organization, whether they’re customers, employees, members or donors.
According to CIRA’s survey, two-thirds of Canadian organizations say they store the personal information of customers, employees, suppliers, vendors or partners. In public sector organizations and those in the MUSH sector (municipalities, universities, school boards and hospitals), 74 per cent collect and store personal information, while the share in the private sector is slightly smaller, at 63 per cent.
What’s more, a surprisingly high percentage of Canadian organizations – about a third – say they experienced one or more breaches of customer or employee data in the last year, according to CIRA’s survey.
Data breaches are bad for business
There’s no getting around the fact that data breaches are bad for business. A 2020 KPMG study found that a large majority of Canadians, 84 per cent, were reluctant to do business with a company that had suffered a data breach and would consider taking their business elsewhere, and 90 per cent were reluctant to share personal or financial information with any organization that had experienced one.
You don’t need to look far for high-profile Canadian organizations whose reputations have taken a hit as a result of a data breach.
Desjardins Group
In 2019, financial services firm Desjardins Group experienced a data breach that compromised the personal data of 4.2 million people with active accounts. The incident involved an employee with legitimate access selling clients’ personal information to a third party: an insider breach that no perimeter control would have stopped, and a reminder that least-privilege access and monitoring of bulk data exports matter as much as defences against outside attackers. Desjardins has agreed to pay up to $200.9 million under a class-action settlement approved by the Superior Court of Quebec.
Canada Revenue Agency
The public sector is not immune to these types of incidents, either. In August 2020, the Canada Revenue Agency identified suspicious activity on more than 48,000 user accounts in the preceding weeks. The attackers used credential stuffing: they logged in with usernames and passwords stolen in earlier, unrelated breaches that the victims had reused on government services. In more than 12,000 accounts, personal information was disclosed and modified, including users’ direct deposit information.
Tim Hortons
Tim Hortons is another well-known company facing class-action lawsuits as a result of its questionable data handling practices. According to a joint investigation by federal and provincial privacy authorities, the company violated privacy laws by collecting data from customers without their consent while they were using the Tim Hortons app. The app asked for permission to use geolocation services on customers’ mobile devices, but it led users to believe their location would only be accessed while the app was open, when in fact it continued to track their location in the background.
How to protect your organization
Given the potential for loss of client trust and lasting damage to your reputation, taking steps to protect your business from cyber attacks that may result in data breaches is essential.
Familiarize yourself with the rules governing the protection of personal data in Canada. At the federal level these are set out in the Personal Information Protection and Electronic Documents Act (PIPEDA), which applies to any business, large or small, that collects and uses personal information in the course of commercial activity. Non-profit organizations are typically not subject to PIPEDA, but those that use the personal data of their constituents, donors or members for commercial purposes must also comply. Since November 2018, PIPEDA has also required organizations to report to the Office of the Privacy Commissioner, and to notify affected individuals of, any breach of security safeguards that creates a real risk of significant harm, and to keep records of every breach, reportable or not. Quebec, Alberta and British Columbia have their own private-sector privacy laws, deemed substantially similar to PIPEDA, that govern organizations’ activities within those provinces.
CIRA DNS Firewall adds a cost-effective, low-maintenance layer to your defences and can help reduce the risk to the personal information your organization collects. It works at the DNS layer: when a device on your network looks up a domain name, the query is checked against a list of known malicious domains, and lookups for phishing and malware sites are blocked before any connection is made. That stops many phishing pages from ever loading, cuts off the download and command-and-control traffic that malware depends on, and reduces the chance of an attacker getting access to valuable personal information.
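To make the mechanism concrete, here is an added illustration (not CIRA’s code or any product’s implementation) of how a protective-DNS resolver applies a domain blocklist to the queries it sees. The blocklist entries and the query log lines are constructed for the example. The point worth noticing is that a listed domain also blocks every name beneath it, but not unrelated names that merely contain the same string.

```python
"""Minimal blocklist filter of the kind a protective-DNS resolver applies.

Added illustration only: this is not CIRA DNS Firewall's implementation.
Every outbound lookup is compared against a feed of known-malicious domains
before it is resolved; a hit returns NXDOMAIN instead of the real answer.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed blocklist feed. These are hypothetical names in reserved TLDs,
# not a real threat feed.
BLOCKLIST: Set[str] = {
    "phish-login-example.test",
    "malware-cdn.invalid",
}


@dataclass
class Verdict:
    qname: str              # normalized name that was looked up
    blocked: bool
    matched: Optional[str]  # the blocklist entry that matched, if any

    @property
    def rcode(self) -> str:
        # A blocked name is answered as if it did not exist.
        return "NXDOMAIN" if self.blocked else "NOERROR"


def normalize(qname: str) -> str:
    """Lower-case and strip the trailing dot of an FQDN so lookups compare equal."""
    return qname.strip().rstrip(".").lower()


def check(qname: str, blocklist: Set[str] = BLOCKLIST) -> Verdict:
    """Block a name if it, or any parent domain of it, is on the list.

    Walking up the label hierarchy is what stops an attacker from sidestepping
    an entry for evil.test by serving the payload from cdn.evil.test. Matching
    on whole labels (not substrings) keeps notevil.test from being caught.
    """
    name = normalize(qname)
    labels = name.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return Verdict(name, True, candidate)
    return Verdict(name, False, None)


# Constructed resolver query log (hypothetical format): "client qtype qname".
SAMPLE_LOG = """\
10.0.5.21 A www.example.com.
10.0.5.21 A login.phish-login-example.test.
10.0.7.3 AAAA MALWARE-CDN.invalid
10.0.7.3 A notphish-login-example.test
10.0.7.3 A example.net
"""

Record = Tuple[str, str, str, Optional[str]]  # client, qtype, qname, matched


def filter_log(log: str = SAMPLE_LOG,
               blocklist: Set[str] = BLOCKLIST) -> Tuple[List[Record], List[Record]]:
    """Replay a query log through the filter; return (allowed, blocked) records."""
    allowed: List[Record] = []
    blocked: List[Record] = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # malformed log line; skipped in this offline replay
        client, qtype, qname = parts
        verdict = check(qname, blocklist)
        record: Record = (client, qtype, verdict.qname, verdict.matched)
        (blocked if verdict.blocked else allowed).append(record)
    return allowed, blocked


if __name__ == "__main__":
    allowed, blocked = filter_log()
    for client, qtype, name, matched in blocked:
        print(f"BLOCKED  {client:<10} {qtype:<5} {name}  (matched {matched})")
    for client, qtype, name, _ in allowed:
        print(f"allowed  {client:<10} {qtype:<5} {name}")
```

A filter like this only sees the queries that reach it. Devices configured to use another resolver, applications that speak DNS over HTTPS to a third-party provider, and malware that connects straight to an IP address all bypass it, so protective DNS is a layer to pair with egress filtering (allow port 53 and 853 only to the sanctioned resolver) and endpoint controls, not a substitute for them.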
Launching an effective cybersecurity awareness training program is another critical step for ensuring personal data collected by your organization remains secure. To learn more, check out these tips for implementing continuous cybersecurity awareness training.