Business lawyer Jayden Quinn speaks about how to prevent and manage the data security breaches that plague so many businesses. Tune in to the full podcast to learn how to protect yours.
As Forbes states, a business’ second most valuable asset, next to its people, is its data. How are you protecting yours?
If you think you’ll never have to worry about a data security breach, think again. It can happen whether you head up a large firm with an ironclad IT system or a small, local business.
Half of all businesses have already experienced a data security breach and cases continue to rise, yet most business leaders do not have an instant response plan in place. It’s a dangerous risk to take, as a cyber security breach could shut down your operations and have a widespread impact on your employees, customers, board members, and anyone else who’s on record of having interacted with your business.
The very thought might make you uneasy, though that’s not necessarily a bad thing.
1. Inventory your data
Inventories aren’t just for tangible goods. All businesses should inventory their data, too.
“How could you possibly understand the extent of the problem if you don’t know what information you have in the first place?” Andrew asks.
2. Develop an incident response plan
It could be a hacker that shuts down your computers or a disgruntled employee selling information to your competitors (fun fact: 22 per cent of breaches come from within a company), but if it happens, you need to know what to do, and quickly.
“You need to shut off the tap,” says Andrew.
That might mean reaching out to forensic experts or performing a systemwide reset, but your first job is stopping the flow of any more classified information.
The mitigation phase is where you’ll look at how you can reduce the harm to those who have been affected by the breach. For instance, if the breach involved a leak of financial information, it might mean offering free credit monitoring for a year or two.
In Canada, you’re required to report privacy breaches or data security incidents that cross a certain threshold, known in the legal world as a “real risk of significant harm.” IT professionals, lawyers, and privacy regulators (find details at the Office of the Privacy Commissioner of Canada) can help you determine what that threshold is.
Canada’s privacy law (the Personal Information Protection and Electronic Documents Act, or PIPEDA) specifies that a breach report should be made as soon as feasible, that is, as soon as you have a grip on what happened. You can and should update your report as more details come in.
Andrew points to the case of Ashley Madison, a Canadian dating site for those who are married or coupled. It faced a significant security breach in 2015, when hackers released user data to the public, causing serious harm to individuals’ families and reputations. The Office of the Privacy Commissioner of Canada did a thorough investigation, and its report, Andrew says, serves as an example of what is expected in terms of protecting privacy and data security.
3. Practice your incident response plan
Your incident response plan should not be a document that sits in a drawer and collects dust. Practice it, update it, and know it well, so you’re ready to put it into action as soon as you need to.
4. Protect the data you’re entrusted with
If you’re a board member, you may be privy to confidential company information. Andrew suggests seeking resources that provide guidance for boards, such as the Canadian Securities Administrators (CSA), the Investment Industry Regulatory Organization of Canada (IIROC) and the Office of the Superintendent of Financial Institutions (OSFI).
5. Understand the threats
Ransomware is software that essentially holds your data hostage until you pay a sum to retrieve it. Even then, there’s no guarantee that paying will get your data back.
The best thing you can do is to have a data backup and a disaster recovery system ready so you can bring your data back immediately. With ransomware attacks expected to increase by 100 per cent in 2022, it’s important to know how to react should one happen.
6. Train staff
Andrew tells of an email he received from a regular client that read, “Here’s the report you asked for.” He hadn’t requested a report, so he replied to ask whether the email was legitimate. The client assured him it was. Andrew then forwarded the email to his company’s IT department, which confirmed it was spam. Threats are becoming increasingly sophisticated. Andrew recommends training staff on how to identify threats, using different passwords for different applications, and picking up the phone if there’s any uncertainty over an email. Two-factor authentication can weed out threats like the one Andrew experienced.