Hasan Cavusoglu: What companies and governments need to do now to win the cybersecurity war
Credit to Author: Tracey Tufnail | Date: Mon, 30 Dec 2019 02:00:07 +0000
When news emerged that the health testing company LifeLabs had fallen victim to a major hack, and the private data of more than 15 million clients had potentially been exposed, people were rightfully outraged. How could a business that’s responsible for such sensitive information possibly get it so wrong?
But in reality, that isn’t the question we need to ask. Of course, companies that fall victim to hackers need to examine the cracks in their security, repair them immediately, and implement systems that prevent future attacks; incidents such as these should also spur other businesses to redouble their cybersecurity efforts.
Without fundamental systemic changes, however, these cyberattacks are bound to continue. So the question really is: what changes does our society need to make?
Security and privacy are an intricate cat-and-mouse game. We can install the most advanced, state-of-the-art systems, but it’s only a matter of time before hackers discover vulnerabilities, so our target is constantly moving. As a result, governments should require that businesses not only protect data, but that they keep those protections up to date with key regulations — and looking to Europe is the place to start.
The current legislation in Canada does not go far enough. There are some protections when it comes to what information government organizations can collect, and other privacy legislation about what data non-governmental organizations can gather and how, as well as timelines for reporting when a business has been hacked.
In 2016, however, the European Union set a far higher bar when it instituted the General Data Protection Regulation, or GDPR — a regulation that not only protects the data and privacy of people within the EU, but also addresses the transfer of personal data outside its member countries.
The GDPR essentially says that any kind of data related to a person should be protected, so consumers should have specific knowledge of what data is being collected and they must explicitly consent to that collection. And, unlike in North America, that data collection has to serve a specific purpose, and each purpose must be plainly explained and also consented to unambiguously.
What’s more, any personally identifiable information must be protected, no matter how innocuous it may seem. So, while companies in North America may put heavy protections on social insurance and credit card numbers, in Europe any piece of information that says something about you is treated with equal weight.
High-end encryption is key for all businesses, but the GDPR also requires companies to anonymize information, to decouple that data from the individual. In other words, if a hacker got through the encryption and into a LifeLabs-like company in Europe, they might find birthdates and lab results, but those data points would not be tied to a specific patient.
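The decoupling the paragraph describes (GDPR calls it pseudonymization) comes down to storing clinical data under a keyed token and keeping the token-to-identity map, together with its key, in a separately protected store. The following is an added illustration, not LifeLabs' or any regulator's code; the patient records are constructed, and the field names and `make_token`/`pseudonymize`/`identity_leakage` helpers are assumptions of this example.

```python
import hmac
import hashlib
import secrets

# Constructed sample records, standing in for the kind of data a lab holds.
PATIENTS = [
    {"name": "Pat Example", "health_card": "9999-111-001", "dob": "1980-04-12", "result": "HbA1c 5.4%"},
    {"name": "Sam Sample", "health_card": "9999-111-002", "dob": "1975-09-30", "result": "LDL 3.1 mmol/L"},
]

IDENTITY_FIELDS = {"name", "health_card"}


def make_token(health_card: str, key: bytes) -> str:
    """Keyed token for one patient. HMAC rather than a bare hash: health-card
    numbers have little entropy, so an unkeyed hash could be reversed by
    enumerating plausible numbers; the key must never sit beside the results."""
    return hmac.new(key, health_card.encode(), hashlib.sha256).hexdigest()[:32]


def pseudonymize(records, key: bytes):
    """Split each record into a results store (token + clinical data) and a
    re-identification map (token -> identity). The map and the key get the
    tighter access controls; the results store alone names nobody."""
    results_store, reid_map = [], {}
    for rec in records:
        token = make_token(rec["health_card"], key)
        clinical = {k: v for k, v in rec.items() if k not in IDENTITY_FIELDS}
        results_store.append({"token": token, **clinical})
        reid_map[token] = {k: rec[k] for k in IDENTITY_FIELDS}
    return results_store, reid_map


def identity_leakage(results_store) -> set:
    """Defensive check that a breach of the results store alone cannot name a
    patient: returns identity fields that slipped through (empty == decoupled)."""
    return {k for rec in results_store for k in rec} & IDENTITY_FIELDS


def reidentify(results_store, reid_map, token: str):
    """Legitimate re-linking, e.g. to report a result to the patient.
    Requires access to both stores, which is the whole point of the split."""
    clinical = next(r for r in results_store if r["token"] == token)
    return {**reid_map[token], **clinical}


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # per-deployment secret, stored apart from the results database
    store, reid = pseudonymize(PATIENTS, key)
    assert not identity_leakage(store)
    print(store[0])  # token, dob, result: no name or health-card number
    print(reidentify(store, reid, store[0]["token"]))
```

Pseudonymized data is still personal data under GDPR because the company can re-link it, and a birthdate plus an unusual result can itself act as a quasi-identifier; genuine anonymization additionally requires generalizing or dropping such fields.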
The GDPR also includes extremely strict timelines for informing customers when a breach occurs, and it demands that companies keep up with changes to digital technologies. Similarly, we need to make compliance an ongoing obligation rather than a one-time checkbox, so companies can't simply meet today's security requirements, say, “I'm done,” and walk away.
We also need to follow the EU’s lead and make penalties very high for companies that don’t comply. Some may complain about the costs that can come with proper cybersecurity, and even more about the possible fines, but those price tags pale when compared with the potential damage caused by a major data breach — and if the fines are too low, companies will see them as little more than speeding tickets.
Of course, governments aren’t the only ones with a major role to play in securing people’s data. Firms should collaborate and share their knowledge and experiences among peers, and in the process set new security benchmarks. They should also closely examine their own information security practices, from the leaders of the company down to the greenest recruits.
But, more than anything, companies need to start asking themselves, “Why are we collecting this data?”, “What are we using it for?” and, most of all, “Do we actually need it?”
Organizations are collecting so much information, often with no specific purpose in mind, and they don’t realize what a liability that can be — because of the hacking risk, because of the sheer volume of information they are forced to manage and protect, and because of the potential reputational damage. (You can bet the leaders at LifeLabs are now wishing they housed less information and managed it differently.) If you collect less data, you have less to worry about.
We also need to shift our approach when it comes to explicit consent. As it stands, when we download an app, we click “agree” but rarely understand what exactly we are agreeing to. Instead, we should be notified at the time our data is about to be used or sold. For example, you might receive a notification asking for consent when an app is about to track your location or sell your data to a third party.
In that instance, marketers could also use customer data to their advantage in a different way — by advertising that they don’t collect or store unnecessary information.
If we don’t introduce strict regulations and change corporations’ behaviours, these cyberattacks are destined to continue. One week it will be LifeLabs, the next it will be somebody else.
Sometimes we have a hard time imagining what exactly could go wrong when there’s a breach. But identity theft is a serious business, and accounts for billions in losses worldwide every year — and what’s certain is that we’re dealing with criminals and they are creative.
If they haven’t yet found a way to monetize data, it’s only a matter of time before they do, especially if we allow them to outwit us in that game of cat and mouse.
• Hasan Cavusoglu is an Associate Professor in the Accounting and Information Systems Division at the UBC Sauder School of Business, and an expert in information system security and management.