
Of Every 10 Businesses in Canada, Only 4 Have Data Breach Policies in Place

March 14, 2019

Recently, the Office of the Privacy Commissioner of Canada (OPC) ordered a telephone survey of around 1,014 Canadian businesses, the 2017 survey with Canadian businesses on privacy-related issues. The goal of this survey was to learn how knowledgeable organizations are about privacy issues and requirements, understand the types of privacy policies and practices they have in place, and determine their privacy information needs.

The following were some key findings from the survey:

  • Only 4 in 10 companies surveyed have policies or procedures in place in the event of a breach.
  • When asked to rate their level of concern regarding a future data breach, the results were split. Overall, nearly half expressed at least a moderate level of concern while 50 per cent expressed low or no concern at all. The OPC said that this data indicated concern over data breaches has decreased among Canadian businesses over previous years.
  • Around 68 per cent of respondents placed an emphasis on protecting their customers' personal data. In addition, according to data from previous OPC reports, consumer concern about privacy breaches remains high. In fact, 85 per cent of Canadians indicated that news reports about privacy breaches affected their willingness to share personal information.

Among other things, the OPC survey illustrates a disconnect between organizational beliefs regarding data protection and the existence of real privacy policies. Despite continued, high-profile cyber breaches and increasing customer concern, many companies surveyed remain complacent with their level of security.

The OPC will use these survey results to enhance its outreach efforts and more effectively guide organizations on their privacy responsibilities.

Choosing the Right Type of Cyber Testing for Your Business

Taking the initiative to invest in cyber security and improve employee security awareness is vital for defending a business from cyber attacks. However, it may be necessary for businesses to re-evaluate their efforts on occasion to make sure their security measures are effective. Vulnerability scans, penetration testing, and red team exercises are three types of tests that businesses can use to assess their cyber security.

Vulnerability Scans

Vulnerability scans and assessments use automated tools to identify cyber weaknesses. They're typically used to find known or common vulnerabilities, such as those used in past breaches and those that provide paths of least resistance for attackers trying to enter the network. Vulnerability scans are most useful for small and mid-sized organizations with limited cyber security resources.

Penetration Tests

Penetration tests are simulated attacks that use information acquired from vulnerability scans in an effort to access or penetrate the enterprise network. When a penetration test occurs, enterprises and security professionals may or may not know of the test in advance. Penetration tests can be performed by internal staff or external vendors. They're most beneficial for organizations of medium maturity looking to uncover gaps in security.

Red Team Exercises

When using a red team to assess security, employees assume the exercise is a real-life situation and do not know about it in advance. Red team exercises help organizations gauge realistic responses to attempted attacks by mimicking attackers. Mature organizations with specialized cyber security skills would benefit the most from red team exercises, which can uncover security gaps both inside and outside the network. Red team exercises can be conducted by internal staff or external vendors.

Once an organization identifies which type of testing is appropriate, it should also assess the frequency of the testing. Ultimately, every new or updated technology should be subjected to thorough testing to detect and address new vulnerabilities before outside attackers find them.

Even with careful attention to training your staff and testing your networks, new cyber threats continue to enter the world daily. This means it will be very difficult to prevent any and all future attacks against your company, but with proper Cyber Liability Insurance, your company will have a robust risk-management program in place.