Last week, changes to the Personal Information Protection and Electronic Documents Act (PIPEDA) came into effect. Our CTO, Adam Mansour, wrote about the changes and how our MDR service can help you meet the new breach disclosure, reporting, and record-retention requirements. Today we turn to the twelve tips for containing and reducing the risks of a privacy breach issued by the Office of the Privacy Commissioner of Canada (OPC). Below, we review their recommendations, discuss what each implies for the prevention technology you already have, and explain how our MDR service helps you act on them.
The OPC groups its tips under four headings: Understand the Threats You’re Facing; Think Beyond the Hacker; Don’t Forget About Hackers Either; and Breach Containment and Preliminary Assessment. The full list is on the OPC’s website. The first two headings and the tips under them follow; the last two are covered in the second part of this post.
Understand the Threats You’re Facing
For small and medium-sized enterprises, the expertise and technology needed to truly know what you are up against can be hard to come by. The OPC’s tips are sound, but without an experienced CISO of your own you may not be able to act on them. Similarly, a vulnerability scanner may report thousands of findings across your organization; without the resources to remediate them all, how do you decide what to fix first? Here is how ActZero can help:
Tip 1: Know what personal information you have, where it is, and what you are doing with it
Knowing exactly what personal data you store, and which controls determine who can access it, is a job for your CISO. Whether or not you have one, ActZero Networks offers a Virtual CISO service for consultative advice, policy development, and technology road-mapping; we discuss it further here.
Tip 2: Know your vulnerabilities
Our clients receive a monthly report detailing prescriptive actions to remediate their most important vulnerabilities, each prioritized by its potential impact on the organization. The report is produced by our proprietary technology stack, so its prioritization is specific to ActZero. Over time, clients can use the series of reports to show that their prevention posture has improved.
Tip 3: Know your industry
Although the tip says “know your industry,” what the OPC means is “understand the threats your industry faces.” ActZero draws on public, private, and proprietary databases of observed attacks, and these data sets improve our platform as we identify new threats. So we know not only the attacks targeting your industry but those hitting countless others, which helps protect you from threats regardless of the industry in which they first appeared.
Think Beyond the Hacker
Traditional prevention technologies are not designed to stop behaviours: signature-based anti-virus recognizes files that match known malware, and a firewall filters traffic by address, port, and protocol. Neither reasons about what a person is doing with personal information. The OPC therefore asks you to consider the other ways personal information is breached, such as lost or stolen endpoints and physical media, insider threats, and poor disposal of data. Some of these cannot be addressed by technology alone, which is why our service includes the people and processes you need alongside our proprietary platform.
Tip 4: Encrypt laptops, USB keys and other portable media
Our hygiene analyzer evaluates whether (and how many of) your endpoints have disk encryption enabled, giving you the visibility to find unencrypted devices and fix them before one is lost or stolen. Encryption is what protects the data in that interval: a thief who pulls the drive from a powered-off, encrypted laptop cannot read it without the key.
Additionally, once a lost device connects to the internet, our Endpoint Detection and Response (EDR) sensor reports its geographic location and lets us lock it down or wipe it. We have this capability for mobile devices as well. Bear in mind that remote lock and wipe only take effect once the device comes online, so they complement encryption rather than replace it.
As for USB drives, EDR lets you block USB mass storage entirely or permit only certain uses, such as encrypted drives only.
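The following is an added example of the kind of check a hygiene analyzer performs, written for this post and not ActZero's own code: it parses the key="value" output of `lsblk -P -o NAME,TYPE,FSTYPE,MOUNTPOINT,PKNAME` on a Linux endpoint and reports every mounted filesystem that is not stacked on a dm-crypt (`crypt`) device. The sample `lsblk` output, the exemption list for the boot partitions, and the function names are assumptions made for the example.

```python
"""Endpoint encryption hygiene check over `lsblk -P` output (added example).

Walks each mounted device up its parent chain (PKNAME) and treats it as
encrypted only if some layer in that chain is a dm-crypt mapping.  Works on
constructed sample output here; check_this_host() runs it against the local
Linux machine.
"""
import re
import subprocess
from typing import Dict, List

LSBLK_COLUMNS = "NAME,TYPE,FSTYPE,MOUNTPOINT,PKNAME"

# Constructed sample: a LUKS-backed root, an unencrypted EFI partition, and an
# unencrypted second disk mounted at /data (the finding we want to surface).
SAMPLE_LSBLK = """\
NAME="sda" TYPE="disk" FSTYPE="" MOUNTPOINT="" PKNAME=""
NAME="sda1" TYPE="part" FSTYPE="vfat" MOUNTPOINT="/boot/efi" PKNAME="sda"
NAME="sda2" TYPE="part" FSTYPE="crypto_LUKS" MOUNTPOINT="" PKNAME="sda"
NAME="cryptroot" TYPE="crypt" FSTYPE="ext4" MOUNTPOINT="/" PKNAME="sda2"
NAME="sdb" TYPE="disk" FSTYPE="" MOUNTPOINT="" PKNAME=""
NAME="sdb1" TYPE="part" FSTYPE="ext4" MOUNTPOINT="/data" PKNAME="sdb"
"""

PAIR_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_lsblk(text: str) -> Dict[str, dict]:
    """Turn `lsblk -P` lines into {device name: {column: value}}."""
    devices: Dict[str, dict] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        row = dict(PAIR_RE.findall(line))
        devices[row["NAME"]] = row
    return devices


def is_encrypted(name: str, devices: Dict[str, dict]) -> bool:
    """True if the device or any ancestor in its PKNAME chain is a crypt mapping."""
    seen = set()
    while name and name not in seen:  # `seen` guards against a malformed cycle
        seen.add(name)
        dev = devices.get(name)
        if dev is None:
            return False
        if dev["TYPE"] == "crypt":
            return True
        name = dev["PKNAME"]
    return False


def unencrypted_mounts(text: str, exempt=("/boot", "/boot/efi")) -> List[str]:
    """Mountpoints whose backing storage has no dm-crypt layer, minus exemptions.

    /boot and the EFI system partition are exempt by default (assumed policy):
    they hold no personal information and are normally left in the clear.
    """
    devices = parse_lsblk(text)
    findings = []
    for dev in devices.values():
        mountpoint = dev["MOUNTPOINT"]
        if not mountpoint or mountpoint in exempt:
            continue
        if not is_encrypted(dev["NAME"], devices):
            findings.append(mountpoint)
    return sorted(findings)


def check_this_host() -> List[str]:
    """Run lsblk on the local Linux host and report its unencrypted mounts."""
    out = subprocess.run(
        ["lsblk", "-P", "-o", LSBLK_COLUMNS],
        check=True, capture_output=True, text=True,
    ).stdout
    return unencrypted_mounts(out)


if __name__ == "__main__":
    print("unencrypted mounts in sample:", unencrypted_mounts(SAMPLE_LSBLK))
```

Pushing `check_this_host()` out through your endpoint agent and counting non-empty results gives the "how many endpoints" figure referred to above; the same PKNAME walk also handles LVM-on-LUKS, since the logical volume's chain passes through the `crypt` node.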
Tip 5: Limit the personal information you collect, as well as what you retain
The OPC advocates limiting what you collect. Our Virtual CISO can advise you on this based on your business needs and the regulations specific to your industry, and can help with the technology and policy decisions needed to protect the data you do collect, restrict how it is used, and set its retention period.
The OPC also recommends securely disposing of information once it is no longer needed, which brings us to the next tip.
Tip 6: Don’t neglect personal information’s end-of-life
“Clearly Define policies and procedures about the secure destruction of personal information…” sounds like another job for our Virtual CISO. Our experts can advise you on retention of personal information from a regulatory and compliance perspective, help you understand which data elements are most attractive to attackers, and show you how to destroy that information safely once it reaches end of life.
Tip 7: Train your employees
Conducting employee (or end-user) awareness training is only half the battle; you also need to verify that staff retain and follow the practices designed to reduce your risk.
Our service helps you act on this tip by giving time back to your IT team. No longer burdened with investigating incidents, they can focus on projects that deliver business outcomes, including working with organizational development (OD) and HR to train end users and evaluate their understanding.
Tip 8: Limit, and monitor, access to personal information
We can monitor which users access personal information, and our threat hunters assess whether a given user should be doing so and respond appropriately. Because they judge the context and outcomes of behaviour rather than file signatures, the same approach detects fileless attacks and malicious insiders. Our vCISO can advise you on which roles in your organization typically need access to personal information, and in what scenarios.
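As an added illustration of the monitoring described in Tip 8 (written for this post; it is not ActZero's platform), the following runs constructed file-audit events against an access policy and produces two kinds of finding a threat hunter would then review: a read of a personal-information path by a role that should never have access, and a burst of reads by an authorized user that exceeds a per-hour baseline. The paths, roles, threshold, and log format are all assumptions.

```python
"""Access monitoring for personal-information stores (added example).

Evaluates JSON-lines audit events against an assumed policy and returns
findings for (a) access by a non-permitted role and (b) excessive read volume
by a permitted user within one clock hour.
"""
import json
from collections import defaultdict
from datetime import datetime
from typing import Dict, List

# Assumed policy: where personal information lives and which roles may read it.
PII_PREFIXES = ("/srv/pii/", "/srv/hr/")
ALLOWED_ROLES = {"hr", "privacy_office"}
READS_PER_HOUR_LIMIT = 3  # assumed baseline for a single user; tune per role

# Constructed audit log (one JSON object per line); not real data.
SAMPLE_EVENTS = """\
{"ts": "2018-11-07T09:01:00", "user": "alice", "role": "hr", "action": "read", "path": "/srv/hr/payroll.csv"}
{"ts": "2018-11-07T09:02:10", "user": "bob", "role": "engineering", "action": "read", "path": "/srv/pii/customers.db"}
{"ts": "2018-11-07T09:05:00", "user": "alice", "role": "hr", "action": "read", "path": "/srv/pii/applicants/1.pdf"}
{"ts": "2018-11-07T09:06:00", "user": "alice", "role": "hr", "action": "read", "path": "/srv/pii/applicants/2.pdf"}
{"ts": "2018-11-07T09:07:00", "user": "alice", "role": "hr", "action": "read", "path": "/srv/pii/applicants/3.pdf"}
{"ts": "2018-11-07T09:08:00", "user": "alice", "role": "hr", "action": "read", "path": "/srv/pii/applicants/4.pdf"}
{"ts": "2018-11-07T09:09:00", "user": "carol", "role": "engineering", "action": "read", "path": "/srv/www/index.html"}
{"ts": "2018-11-07T14:00:00", "user": "dave", "role": "privacy_office", "action": "read", "path": "/srv/pii/customers.db"}
"""


def is_pii_path(path: str) -> bool:
    """True if the path falls under one of the assumed personal-information trees."""
    return path.startswith(PII_PREFIXES)


def parse_events(text: str) -> List[dict]:
    """Parse JSON-lines audit records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_findings(events: List[dict]) -> List[Dict[str, str]]:
    """Return findings in event order; each carries the user, a reason, and the path."""
    findings: List[Dict[str, str]] = []
    reads_per_hour = defaultdict(int)  # (user, hour bucket) -> count of PII reads

    for ev in events:
        if not is_pii_path(ev["path"]):
            continue  # not personal information; out of scope for this check

        if ev["role"] not in ALLOWED_ROLES:
            # Policy violation regardless of volume: the role should never be here.
            findings.append({"user": ev["user"], "reason": "role_not_permitted",
                             "path": ev["path"]})
            continue

        # Permitted role: watch for volume that is unusual for one person.
        hour = datetime.fromisoformat(ev["ts"]).replace(minute=0, second=0, microsecond=0)
        key = (ev["user"], hour)
        reads_per_hour[key] += 1
        if reads_per_hour[key] == READS_PER_HOUR_LIMIT + 1:
            # Emit once per (user, hour), at the first read that crosses the line.
            findings.append({"user": ev["user"], "reason": "read_volume_exceeded",
                             "path": ev["path"]})
    return findings


if __name__ == "__main__":
    for finding in find_findings(parse_events(SAMPLE_EVENTS)):
        print(finding)
```

The volume rule is deliberately emitted once per user per hour so a hunter gets one ticket to triage rather than one per file; whether alice's five applicant files are legitimate recruiting work or a pre-departure download is exactly the context judgment the text above leaves to a person.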
As you can see, through our proprietary reporting and expert consultative services we help you understand the threats you face. Coupled with our proactive threat hunters, proprietary platform, and data sets, we help your organization prevent, detect, and respond to risks that traditional security technologies cannot identify, such as well-meaning insiders, malicious insiders, and improperly discarded data. To see how ActZero also helps with threats posed by hackers and the OPC’s remaining tips, read part two of this post here.
If you are ready to see our service in action, request a demo here. One of our expert advisors can walk you through how our platform enables threat hunters to protect your environment.