Tag Archives: cybersecurity

Your Typical Canadian Employees May Not Care All that Much About Cybersecurity or Privacy at Work, it Seems

Posted on by

The media reported recently disconcerting results from a recent survey of Canadian employees about the protection of personal information and cybersecurity.

The report at issue indicates about 1/3 of Canadian employees do not think data theft is really in an issue they should be concerned with, or that they are likely to be targeted by cybercriminals when at work. Even with everything happening in the past couple of years, including almost daily announcements of computer intrusions and ransomware attacks (including in Canada), your typical employee does not seem all that worried.

In Québec, 3/4 of employees who answered the survey indicated they did not think the protection of personal information had anything to do with them, rather thinking this is an issue that IT is responsible for. Heck, the same proportion of respondents even admitted they had received NO training whatsoever at work about cybersecurity. None. Yikes.

Yeah, it seems, even today, with everything being published and privacy laws being adopted, your typical Canadian business may not be all that concerned about protecting data, whether it be personal or otherwise. Given that even some SME officers and business owners often still basically choose to ignore the issue, it is not all that surprising that a lot of employees do too. The Vietnamese have a good saying that may apply here: A house leaks from the roof on down.

Our job educating businesses and employees about this may not be quite done, it seems.

2FA Codes by SMS: the Illusion of Better Security?

Posted on by

Even though two-factor authentication (“2FA“) is great to secure apps and online accounts, it’s not perfect and hacks do remain possible, even when this is available and turned on by a user. That said, by and large, the odds of getting hacked once you turn on 2FA (for an app or a service) drop dramatically. In today’s world, given the ever-increasing number of computer intrusions, anyone not turning on 2FA for all their accounts is playing with fire, even more so for professionals and businesses.

Though users have a role to play, as you generally need to turn this feature on (at least your organization must), a recent article in TechRepulic pointed to the fact that 2FA is often not as strong as users may think, in particular for apps and services for which 2FA allows transmission of 2FA codes by texts (SMS).

By now, most experts agree that allowing users to get their 2FA codes by SMS, as opposed to generating and receiving them by a dedicated utilities such as Google Authenticator, is a bad idea. In fact, it seems allowing this greatly reduces the level of security you get when turning on 2FA. Using 2FA with an authenticator app -great! Using 2FA and getting your codes through SMS -not so much.

The issue here lies in certain businesses (including banks!) electing to still allow 2FA by SMS, presumably to avoid annoying certain customers that may find using an authenticator app bothersome. To appease these users, the feature is allowed to endure to this day, thereby potentially endangering the data of all users.

Basically, we should all turn on 2FA on all apps and online services that allow it (most do in today’s age) AND check whether each app/service allows sending code by SMS. Often, you (or your organization) may be able to deactivate that functionality, thereby requiring codes to be issued by an authenticator app. If an app/service insists on allowing the issuance of 2FA codes by SMS, you may want to look for an alternate product/service. This is especially important if the data accessed through this tool is sensitive or, God forbid, a third parties’, such client-data or personal information of your customers, etc.

Given the ever-increasing legal requirements to adequately protect data hosted by organizations, implementing adequate (I mean really adequate) cybersecurity it becoming everyone’s business. Don’t be content with activating 2FA, make sure it is actually secure and not just “technically” considered 2FA.

Remember: not all 2FA is good enough. If you get your codes by SMS (or can), you may be getting the poor man’s 2FA, thereby putting your data (or that of your clients) at risk.

Canada Aiming at Improving Cybersecurity of Federally Regulated Industries Through Bill C-26

Posted on by

Canada recently started looking at a new piece of legislation that seeks to strengthen cybersecurity of businesses and organizations the activities of which fall within ambit of activities that the Federal government can directly regulate.

Interestingly, contrary to most Canadian legislation so far and that touch upon cybersecurity, the focus this time is not on whether an organization collects, uses or discloses personal information. Rather, the bill at issue would seek to cover whole swats of certain industries, whether the organizations operating therein do or do not deal with personal information. This is a new approach in Canada which may signify that the government is finally realizing we collectively need to take cybersecurity more seriously, and that it is more than an issue of personal information.

Bill C-26 proposes to impose on telecommunication providers a new regime that would force them to adopt better cybersecurity practices, with a view to better protecting Canadians who rely on their services for things like cell phone and Internet services.

More generally, the bill would also empower the Canadian government to force federally regulated businesses to clean-up their act (so to speak), cybersecurity-wise, especially when it may jeopardize national security or public safety. As you may know, in Canada, federally regulated businesses include, for example, those who deal with:

  • radio, television and telecommunications, such as Internet providers;
  • air transportation, including airlines, airports, ports, shipping, boats, as well as railways and road transportation services that cross borders;
  • banks;
  • certain energies and their transport, like pipelines, etc.

Bill C-26 would allow the Federal government to require organizations operating in those areas to take cybersecurity more seriously, in particular when public safety may be involved. For example, this may allow the government to dictate that operators of pipelines better protect and monitor their computer systems, with a view to avoiding major catastrophes that may eventually result from cyber-attacks.

In addition to eventually requiring organizations in those industries to adopt and apply cybersecurity programs and to better protect their systems, C-26 would also require the organizations at issue to report eventual cybersecurity breaches, something they currently are not generally required to do.

Bill C-26 is currently at the First Reading stage.