Canadians left in the dark about homegrown data breaches
Lack of regulation leaves companies no incentive to reveal breaches, expert says
Canadians are clueless about the vast majority of corporate data hacks because companies suffer greater financial losses when they reveal they’ve lost data than when they keep consumers in the dark.
Wednesday’s cyber attack on infidelity site Ashley Madison shone a spotlight on a risk that usually lurks in the shadows because of a lack of regulation, experts say.
“The security at Canadian organizations today is inadequate,” said Claudiu Popa, CEO of cybersecurity firm Informatica Corp.
“We don’t have a law that is prescriptive enough to tell companies that they absolutely need to buy this or that type of technology.”
Sometimes, he said, companies don’t even know they’ve been targeted.
Although the government must report data breaches such as last year’s Heartbleed attack at the Canada Revenue Agency, private companies have no such requirement.
The Ashley Madison data leak might not have come to light if hackers hadn’t announced it, Popa said. The 2013 Target Corp. breach, which also affected Canadian customers, was revealed partly because of reporting requirements in the United States, which imposes fines on companies that allow consumers’ files to be exposed.
“It’s in their best interest to play along and to invest in more sophisticated technology for detection and prevention,” Popa said.
“That’s really what’s lacking in Canada today.”
Canada’s Digital Privacy Act, passed by Parliament in June, will require companies to report breaches once regulations are prepared.
But experts say it is essentially toothless because it contains few financial penalties.
The act will introduce fines up to $100,000 for deliberately not reporting a breach.
“There’s the obligation to report, which is, of course, positive,” said Christopher Parsons, managing director of the telecom transparency project at the Munk School of Global Affairs’ Citizen Lab.
“But without any sort of punitive consequences you run into the question of how useful is the notification itself.”
There is little data on how secure corporate Canada truly is partly because of a lack of breach notification laws, Parsons said.
Nearly four in 10 Canadian IT professionals surveyed in a Ponemon Institute report in June 2014 said their company had experienced at least one cyberattack in the past 12 months. And 56 per cent of respondents said they don’t believe their organization is protected from a cyberattack.
Without a financial imperative to beef up security, companies are unlikely to shell out the millions of dollars required to identify and prevent attacks, Parsons said.
“For most companies, security is a drag,” Parsons said, adding that executives tend to reject investment in cybersecurity because security concerns lead IT professionals to say “no” to a lot of ideas, while also eating up company time, money and resources.
“All those no’s either inhibit fast fluid business, or they increase the cost and the friction of anything a company wants to do.”
Meanwhile, hackers are getting more sophisticated, but they don’t even need to because the defence systems are so weak, Parsons said.
“If you’re a hacker, you have to succeed once; if you’re a defender, you have to succeed every single time.”
The average cost of a data breach in the U.S. is $5.9 million, according to the Ponemon Institute.
The cost of data breaches for Canadian companies is unknown, partly because of the lack of reporting.
But the current climate in Canada dissuades companies from reporting security breaches, Popa said: reporting would damage their reputation and customers would flee to competitors. “They don’t want to alienate their customer base, they don’t want to damage their good name and they do not want to shake the trust of the regulators in their protective measures.”
The problem is that the longer a cybersecurity flaw remains in place, the more vulnerable the system becomes and the longer customers’ records can be exploited, Popa added.
Canadian consumers also put their information at risk because they are too trusting that it is safe, he said.
“There’s a strange triangle of trust, lack of awareness and apathy on the part of the public when it comes to being prepared for security issues.”