Data Security

Data breaches affect more than 28 million Canadian citizens

According to data protection specialists, all Canadian companies have been subject for one year now to the Personal Information and Electronic Documents Protection Act, which requires them to report any information security incidents.

This is a fundamental change, since cybersecurity incident reports were previously submitted voluntarily; since this law entered into force, the number of reports filed has shot up.

Data protection specialists report that, as of November 2018, there have been about 680 incidents of data breaches and security breaches, 600% more than reported during the previous year, a reflection of the multiple cybersecurity threats faced by Canadian companies.

The number of people impacted by these incidents is estimated to have reached 28 million Canadians, affected by data breaches across multiple companies, including big names such as Desjardins and Capital One.

As for the most common incidents, authorities report that 58% of security breaches involve unauthorized access to corporate networks (in other words, hacking attacks). Other factors involved in these incidents are phishing and social engineering campaigns against the employees of some companies; the Canadian authorities' report states that at least one in four reported data breach incidents were the result of these activities.

Canadian authorities also report a major advance in the techniques used by information-stealing threat actors, whether in technological resources, infrastructure or the psychological methods used to pressure victims into yielding to their demands or intentions.

In addition to disclosing some figures, Canadian authorities issued a number of recommendations for properly handling and reporting a cybersecurity incident:

CONTAIN THE INCIDENT: It is vital to stop any unauthorized activity, secure backups of information, disconnect the compromised system, and reset access credentials to prevent the problem from growing.

DESIGNATE AN INCIDENT MANAGEMENT TEAM: Assembling a team of data protection specialists and staff from other areas will be vital to begin investigating the incident and making the right decisions on time.

NOTIFICATION: Each company must designate those responsible for reporting security incidents to the responsible authorities; this work must be carried out by specialists, as detailed reports on the scope of the incident are required.

EVIDENCE PRESERVATION: Care must be taken not to destroy any valuable information that could serve as evidence of the incident; this data will be of vital importance in starting the proper recovery process.

Specialists from the International Institute of Cyber Security (IICS) also issued a number of recommendations on the control and security of personal information, including the following tips:

  • Companies must have a system in place to know what personal information they collect, where it is stored and in which cases it is accessed
  • Each organization is responsible for assessing its security vulnerabilities to mitigate as far as possible the potential risks of unauthorized access. In addition, it is vital not to forget the role that users play in the defense of information, because threat actors will always try to enter a system through its weakest point

While the picture seems daunting, data protection experts hope that in the future data breaches will become less and less frequent and that users will be able to share personal information without fear of it ending up in the hands of hackers.
