According to data protection specialists, for one year now all Canadian companies have been subject to the Personal Information and Electronic Documents Protection Act, which requires them to report on any information security incidents.
This is a fundamental change, since previously the cybersecurity incident report was submitted voluntarily; as of the entry into force of this law, the number of reports filed was triggered.
Data protection specialists report that, as of November 2018, there have been about 680 incidents of data breaches and security breaches, 600% more than reported during the previous year, and is a reflection of the multiple threats of cybersecurity faced by Canadian companies.
Regarding the number of people who have been impacted by these incidents, the figure is estimated to have reached the 28 million Canadians affected by data breaches across multiple companies, including big names such as Desjardins and Capital One.
On the most common incidents, authorities report that 58% of security breaches involve unauthorized access to corporate networks (in other words, hacking attacks). Other variables involved in these incidents are phishing and social engineering campaigns against the employees of some companies; the Canadian authorities’ report states that at least one in four reported data gap incidents were the result of these activities.
Canadian authorities also report a major advance in the techniques used by information-stealing threat actors, whether technological resources, infrastructure or psychological methods to encourage victims to yield to their demands or Intentions.
In addition to disclosing some figures, Canadian authorities issued a number of recommendations for properly handling and reporting a cybersecurity incident:
CONTAIN THE INCIDENT: It is vital to stop any unauthorized activity, secure backups of information, disconnect the compromised system, and reset access credentials to prevent the problem from growing.
DESIGNATE AN INCIDENT MANAGEMENT TEAM: Integrating a team of data protection specialists and other areas will be vital to begin investigating the incident and making the right decisions on time.
NOTIFICATION: Each company must fix those responsible for reporting security incidents to the responsible authorities; this work must be accomplished by specialists, as detailed reports on the scope of the incident are required.
HIGHLIGHT PRESERVATION: We must be careful not to destroy any valuable information that could serve as evidence of the incident, and this data will be of vital importance in starting the proper recovery process.
Specialists from the International Institute of Cyber Security (IICS) also issued a number of recommendations on the control and security of personal information, including the following tips:
- Companies must have a system in place to know what personal information they collect, where it is stored and in which cases it is accessed
- Each organization is responsible for assessing its security vulnerabilities to mitigate as far as possible the potential risks of unauthorized access. In addition, it is vital not to forget the role that users play in the defense of information, because threat actors will always try to enter a system by the weakest point
While the picture seems daunting, data protection experts hope that in the future data breaches will become less and less and users can share personal information without fear of ending up in the hands of hackers.