Your Typical Canadian Employees May Not Care All that Much About Cybersecurity or Privacy at Work, it Seems

The media recently reported disconcerting results from a survey of Canadian employees about the protection of personal information and cybersecurity.

The report at issue indicates that about 1/3 of Canadian employees do not think data theft is really an issue they should be concerned with, or that they are likely to be targeted by cybercriminals while at work. Even with everything that has happened in the past couple of years, including almost daily announcements of computer intrusions and ransomware attacks (including in Canada), your typical employee does not seem all that worried.

In Québec, 3/4 of the employees who answered the survey indicated they did not think the protection of personal information had anything to do with them, seeing it instead as an issue that IT is responsible for. Heck, the same proportion of respondents even admitted they had received NO training whatsoever at work about cybersecurity. None. Yikes.

Yeah, it seems that even today, with everything being published and privacy laws being adopted, your typical Canadian business may not be all that concerned about protecting data, whether personal or otherwise. Given that even some SME officers and business owners still basically choose to ignore the issue, it is not all that surprising that a lot of employees do too. The Vietnamese have a good saying that may apply here: a house leaks from the roof on down.

Our job educating businesses and employees about this may not be quite done, it seems.

Businesses within the Province of Quebec Have Homework to Do as to their Employees and their Data

As you may already know, Quebec’s Bill 64 was passed into law a couple of months back, setting in motion a substantial revamp of the province’s main privacy statute. Much like what has been going on in Europe and, more recently, at the federal level, the province finally decided it was time to update its antiquated statute governing the protection of personal information within Quebec.

The coming into force of the Act to modernize legislative provisions as regards the protection of personal information (the “Act”) will stretch until 2024. In the meantime, the first provisions of the new law came into force last week, including numerous new obligations for Quebec businesses and organizations regarding their employees.

In practice, until now, little attention was generally paid in Quebec to the rules that may govern the personal information of employees, an issue that was often swept under the rug. Well, now that the Act is here, things have to change, and fast.

Indeed, the Act provides for a whole slew of obligations that apply to employers within the province of Quebec. For example, as is the case elsewhere, Quebec organizations should draft and make generally available their data handling policy, including how employee information is handled. This is but one example of what the new regime requires.

The first thing quite a few Quebec businesses and organizations should do, including relatively small ones, is come to terms with the fact that the world has indeed changed and that Quebec businesses may no longer look at privacy as a theoretical issue that no SMB really bothers with. With the advent of the Act, all businesses and organizations should (quickly) make the transition from apathy about privacy to being highly involved. If you need motivation to do so, the staggering amount of potential penalties provided by the Act should help: 25 MILLION dollars or, and here’s the kicker, 4% of annual revenues. Yup, that’s right, just like Europe did a while back, we’re now realizing that dollar amounts may not be enough, but a percentage of revenues, now THAT scares the bejesus out of ANY business.

As to employees, without going into details, you should probably start by simply understanding that personal information is now treated as such, whether it relates to a customer or an employee. Both are individuals, right? So, from now on, the Act basically assumes that organizations should have processes, policies and protocols in place to deal with personal information, wherever it comes in or from, employee-related information included. One should also note that the Act now requires making these policies generally available, including to employees, so that individuals can know how you are handling their information. Though this may seem a no-brainer, in actuality, quite a few Quebec organizations still do not comply with this.

The Act also provides constraints as to how an organization may use automated processing of data to make or reach decisions about individuals. If your company has AI sorting CVs, for example, individuals may have to be made aware of this fact, etc.

One should also make note of the fact that not only must employees be made aware of what information of theirs is collected and used (and how), but employees can now lodge complaints with the Quebec privacy watchdog, the Commission d’accès à l’information (the “CAI”), should they want to question the employer’s data-handling practices, for example if they suspect their employer’s practices are not in line with the Act.

As is the case in numerous other jurisdictions, the Act also now provides for a mandatory notification in case of hacking incidents (and similar incidents where personal information may have been compromised), including when it comes to employee information.

Another change mandates that employers (and all organizations, in fact) appoint a privacy officer, who will handle personal information-related matters on behalf of the entity moving forward. This will have to include issues relating to employee information. Such a person may, for example, be an officer of the company and should generally be selected based on his/her ability to deal with eventual issues relating to the types of data that the organization at issue normally handles. In other words, though the Act presumes the president of the company is the person in charge, he/she may or may not be the best person for the job. All in all, if you are located in the province of Quebec and have employees, you may very well now be subject to the new Act. The time to educate yourself, seek advice and act is… now.

2FA Codes by SMS: the Illusion of Better Security?

Even though two-factor authentication (“2FA”) is great for securing apps and online accounts, it is not perfect and hacks do remain possible, even when this feature is available and turned on by a user. That said, by and large, the odds of getting hacked once you turn on 2FA (for an app or a service) drop dramatically. In today’s world, given the ever-increasing number of computer intrusions, anyone not turning on 2FA for all their accounts is playing with fire, even more so for professionals and businesses.

Though users have a role to play, as you generally need to turn this feature on (or at least your organization must), a recent article in TechRepublic pointed out that 2FA is often not as strong as users may think, in particular for apps and services that allow 2FA codes to be transmitted by text message (SMS).

By now, most experts agree that allowing users to get their 2FA codes by SMS, as opposed to generating and receiving them through a dedicated utility such as Google Authenticator, is a bad idea. In fact, it seems allowing this greatly reduces the level of security you get when turning on 2FA. Using 2FA with an authenticator app: great! Using 2FA and getting your codes through SMS: not so much.

The issue here lies with certain businesses (including banks!) electing to still allow 2FA by SMS, presumably to avoid annoying certain customers who may find using an authenticator app bothersome. To appease these users, the feature is allowed to endure to this day, thereby potentially endangering the data of all users.

Basically, we should all turn on 2FA for all apps and online services that allow it (most do in today’s age) AND check whether each app/service allows sending codes by SMS. Often, you (or your organization) may be able to deactivate that functionality, thereby requiring codes to be issued by an authenticator app. If an app/service insists on allowing the issuance of 2FA codes by SMS, you may want to look for an alternate product/service. This is especially important if the data accessed through this tool is sensitive or, God forbid, a third party’s, such as client data or the personal information of your customers.

Given the ever-increasing legal requirements to adequately protect data hosted by organizations, implementing adequate (I mean really adequate) cybersecurity is becoming everyone’s business. Don’t be content with activating 2FA; make sure it is actually secure and not just “technically” considered 2FA.

Remember: not all 2FA is good enough. If you get your codes by SMS (or can), you may be getting the poor man’s 2FA, thereby putting your data (or that of your clients) at risk.