Trustworthy Brands put Security First – Preparation and Compliance in the Wake of PIPEDA Amendments
It’s not if you will get hacked, but when. Data breaches and the mishandling of personal information have unfortunately become the new norm in the digital age. Within the last year alone, we’ve witnessed several companies of magnitude face the damaging after-effects of not adhering to personal information privacy laws.
Yet even when faced with a steady stream of high-profile breaches, a study conducted by Ovum for the analytics software company, FICO, found 84% of Canadian executives surveyed felt their organization was “better than average” or a “top performer” in regards to its ability to protect sensitive information from data breaches. According to a survey commissioned by the Office of the Privacy Commissioner of Canada, concern over data breaches has actually decreased among Canadian businesses, with the proportion of executives not concerned rising to 50% in 2017 from 44% in 2015, whereas consumer concern about privacy breaches is very high.
Despite this sense of false confidence, the bottom line remains that Canadian businesses – both large and small – should view security as a top priority rather than an afterthought. This is especially timely in light of the updated Personal Information Protection and Electronics Documents Act – also referred to as PIPEDA – is in effect as of November 1, 2018.
The biggest change is that existing voluntary data breach reporting will evolve to become mandatory. Private-sector organizations will be required to report leaks of personal information that pose a real risk of significant harm to customers, affected third parties and the federal privacy commissioner. PIPEDA will ultimately set the ground rules for how businesses handle personal information over the course of its commercial activity.
Now the tough question remains, how do companies prevent the mishandling of personal information and security breaches? Below, are three steps to improving device security Canadian businesses should consider ahead of PIPEDA’s new reporting requirements.
The battle to fight cybersecurity in the digital era, where 50 billion connected devices are expected to be online by 2022, can at times feel insurmountable. While many businesses have traditional countermeasures set in place for computer systems such as firewalls, intrusion detection and antivirus software, they often forget one of the most obvious vulnerabilities: endpoint devices.
Endpoint devices like printers are often overlooked as a point of entry that poses a serious security risk. According to a survey conducted by Spiceworks, a printer is 68 percent more likely to be the source of an external threat or breach then it was in 2016. Unfortunately, it is not yet common knowledge that printers function similarly to computers in terms of acting as a gateway for attackers. As a result, businesses unknowingly expose themselves to malware attacks and malicious behaviour.
Not only do unsecure printers hinder PIPEDA compliance but according to the BSA’s 2018 Global Software Survey, each malware attack can cost a company more than $10,000 per infected device or an average of $2.4 million per attack proving that organizations need to take endpoint security seriously.
While data breaches are bad for business, they can be even worse for consumers. In 2017, 147.9 million consumers were affected by the Equifax Breach. Cyber-attacks are a constant threat but what is most surprising is that many companies still have unprotected data and poor cybersecurity practices. The unlicensed software rate worldwide was at 37% only just last year. This needs to change.
That’s why this summer, HP launched the industry’s first print security Bug Bounty program to build on our commitment to cybersecurity and continue to deliver the world’s most secure printers. With awards up to $10,000 to support vulnerability identification, the program is an investment in offering customers protection from attacks that are targeting both businesses and employees. While this type of program is unique, proactive measures enable any business to mitigate the risk of a data breach and adhere to PIPEDA amendments.
Educate about security threats
Not all hacks and breaches are the result of forced entries. Instead, many cyberattacks can be attributed to simple and preventable human errors. That’s why organizations should ensure employees at every level understand how a data breach unfolds. Bringing in a cybersecurity specialist to speak about security hygiene is one method of educating employees. Additionally, establishing company training programs that educate staff about PIPEDA amendments, preventative measures and data security policies can help mitigate a cyberattack from taking place.
PIPEDA’s amended reporting requirements hold Canadian companies accountable for the safekeeping of the data their employees, partners and customers entrust them with. As gatekeepers of personal and sensitive information, it is the responsibility of the business community to protect it. These steps to improving security will not only enforce PIPEDA compliance, but they also impact customer perceptions of brands that can be trusted, and those that can’t.
Mary Ann Yule is President & CEO, HP Canada Co.