L’importance de la sécurité des données et de la confidentialité des données

How can businesses protect shared data in a remote workforce? What is the difference between data privacy and data security? How can individuals minimize the risks associated with data sharing? In the latest Episode of our six-part podcast series, Get IT: Cybersecurity insights for the foreseeable future, we explore how the COVID-19 pandemic is helping shape the future of data in Canada.

In Episode five, Julius Azarcon, national leader of cybersecurity services at CDW Canada,and Dave Lewis, global advisory chief information security officer at Cisco, discussdata privacy and security best practices for Canadian businesses in today's newnormal. Here are some key takeaways.

Shifting business priorities

Over the last few months, we've seen a massive shift to aremote workforce for many Canadian businesses. While protecting both companyand personal data has always been a priority, the pivot to remote and the erosionof organizational perimeters has forced many organizations to question theimportance of data protection when compared to other operational necessities.

Canadian businesses have historically taken the protectionof personally identifiable information (PII) seriously, implementing soundsecurity measures to ensure PII such as name, age and blood type remainedprivate. However, COVID-19 has introduced a new set of privacy and securitychallenges that not all businesses consider to be a priority. For many, theharsh reality of the pandemic means that the primary focus is simply keepingthe lights on. Unfortunately, data privacy and security have often beenafterthoughts, opening the door to error and network vulnerability.

The submarine effect

While prioritizing operations remains critical for Canadianbusinesses, it's equally important not to miss a step when it comes to dataprivacy as it often goes hand-in-hand with business continuity. If overlookedin the short-term, insufficient data privacy protocols can result in increasedvulnerability and risk down the road. This is often referred to as the submarineeffect when a problem that has been pushed to the wayside eventuallyresurfaces in the future on a much larger scale. Encrypting data at rest and inflight, controlling access to data and ensuring secure MFA or VPN access arekey to preventing inadvertent exposure.

Increased online presence requires education

The remote workforce combined with limited in-person socialinteractions has, naturally, increased our online presence. Between connectingwith friends and family through video, virtual conferencing for work, browsingsocial media for entertainment and relying on online platforms for education,almost everything we do today involves our digital avatar or online persona.This also means we are more connected to BYOD and IoT devices than ever before.

The average Canadian generates 1,7 MB of data per second anumber which has only increased in today's remote landscape. Smartphones have awide range of tracking mechanisms from data analysis to GPS location, and theinformation being shared isn't always transparent to users. Introducing moreBYOD devices to an organization's perimeter means it's never been more criticalfor businesses to educate employees on company policies and safe data handlingpractices when working remotely. It's also imperative to ensure governancearound how to discover what data is on each device, in addition to thepacification and reconciliation of this data when required.

Canadian businesses need to ask themselves tough questionson what controls are being used to limit device or cloud data access, howthey're encrypting data at rest and in transit and whether employees are usingcorporate data appropriately. In order to prevent any aforementionedsubmarines, businesses need to have answers to these questions and continuouslyeducate their workforce.

Data privacy and data security are symbiotic

Data privacy can only be achieved if the data is secure, meaningprivacy and security are not mutually exclusive. While this concept is an ITprofessional's bread and butter, it's not always apparent to the average user. Theprimary source of this disconnect stems from user experience while they tendto understand the need for data privacy, an appreciation for data securityoften only develops as a reactive measure to a cyber incident. This is humannature and is true in many aspects of our lives, including our homes. While wehave locks, we may not always lock the door. Following a break-in, however, wemake every effort to lock down our threat landscape (doors, screens, windows),perhaps even installing a home alarm system.

Canadian businesses need to re-emphasize the symbioticrelationship between data privacy and security, ensuring that both are top ofmind for employees of all levels.

Minimizing the risk of PII oversharing

Interactions with online tools are on the rise, and it'scritical that businesses and individuals examine the value being received inexchange for PII. This can be emphasized in three steps:

1. Be aware of how online tools use the data beingcollected. This information should be in privacy policies or terms andconditions. If this information is not available or easily accessible, this couldbe an indicator of an untrustworthy source.
2. Conduct your own risk assessment. Whenbeing prompted to provide personal information, trust your instincts on if theinformation seems relevant. If you feel the required information is intrusiveor unnecessary, it probably is.
3. Leverage privacy plugins. There arebrowser plugins available to help identify the data being collected from anywebsite. Some websites have more than 30 built-in trackers, and privacy pluginscan help determine where and how data is being collected and/or shared.

Improving Canada's legislative framework

CDW Canada's 2020 Security Study revealed that many Canadian organizations are more familiar with Europe's General Data Protection Regulation (GDPR) than with Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) and subsequent Digital Privacy Act. This is largely because GDPR has a strong focus on enforcement and potentially massive fines in the event of a breach, thus garnering more media attention and staying fresh in people's minds. PIPEDA and the Digital Privacy Act don't have the same impact because they're perceived to have less teeth. This is partially a marketing problem, as both advocate for proper stewardship of data and offers valuable information. This demonstrates that there is more work to be done around how legislative framework can be improved in Canada to compel businesses to take data privacy and security measures seriously.

Holding organizations and governments accountable

Organizations and governments are going to rely more andmore on technology as the pandemic continues. In addition, as majororganizations such as Shopify and Twitter signify that the new remote normalmay be here to stay, businesses must implement more resilient data privacy andsecurity protocols.

As a result, there will be a need to balance the digitalrights and freedoms of individuals with the security of public health.Pandemic-related or otherwise, data privacy and security need to be part of theongoing conversations around new or existing solutions.

We must continue to hold organizations and governmentsaccountable for providing transparency on when they collect user data, how thatdata is used, if and when it is shared and with whom. Consider the Canadiangovernment's contact tracing response to COVID-19. While an essential tool forlimiting the spread of the virus, what will happen with the collected datamoving forward? Will it be destroyed or leveraged for another purpose?

Asking these questions at the onset both at government andcorporate levels is the best way to ensure transparency and much-needededucation while keeping privacy and security top of mind for all Canadians.

For more insights on how Canadian businesses are managing data privacy and security, listen to Episode five now.