A new federal bill would require companies to report cyberattacks.
Eldon Sprickerhoff, chief innovation officer and founder of eSentire, a cybersecurity provider based in Waterloo, Ont., thinks the proposed bill could be a band-aid on a bigger problem.
“If this bill helps improve the rigor of end-user data security, I cautiously support it, although the devil is in the details,” Sprickerhoff said.
“I have great concerns about the reporting process – who do you report this information to, do we have any privacy about who the data is shared with, where this data is stored.”
Public Safety Minister Marco Mendicino said the Liberal legislation would take additional steps to protect Canada’s telecommunications, financial, energy and transportation sectors.
After the government banned Huawei and ZTE from Canada’s 5G network last month, it announced that new legislation would be forthcoming to protect critical infrastructure.
Attacks on corporations, universities, municipalities, and even hospitals by cybercriminals who hold data hostage in exchange for ransom have become extremely common. Some targeted organizations have preferred to pay the ransom demanded to try to make the problem go away quietly.
In 2019, after a cyberattack on his home town of Stratford, Ontario, Mayor Dan Mathieson called for a national strategy.
Federal framework needed
Sprickerhoff thinks Canada should implement a federal data loss incident reporting framework similar to the European Union’s General Data Protection Regulation (GDPR).
EU companies must follow “a set of standards and requirements if they collect or process user data in the European Union”, he said.
The regulation is designed to protect the privacy and data security of all EU residents. Companies that do not comply may face heavy penalties.
He noted that eSentire protects the critical data of 1,200 customers in over 75 countries.
What do you do when you are hacked?
When Woodstock, Ontario, was targeted by ransomware in 2019, the city decided not to pay.
David Creery, the city’s administrative manager, says they’ve spent more than $600,000 rebuilding their system and trying to figure out how the virus got into their computers. The OPP Cybercrime Unit was notified, but was limited in what they could do.
Since then, the city has made significant investments in hardware and software as well as staff training.
“You should regularly train your staff and network users on cybersecurity issues,” Creery said.
“You need to keep cybersecurity front and center and provide them with ongoing education just so they know that maybe they should look at something a little closer before clicking that link.”
The 2019 cyberattack blocked access to emails and most files involved in the operation of city government for up to eight weeks.
Since then, Creery says the city hasn’t seen an attack on its network, but he thinks Woodstock and a number of city networks are experiencing attacks on a daily basis and just don’t know it.
“It’s the reality of the IT world we live in now that we’re all under constant attack,” Creery said.
“I can tell you with confidence that they are trying to break into our network with password crackers beating firewalls. And that’s not unique to us, it’s a message that all advisors councils, all hospital administrators, all councils need to hear that cybersecurity is a very important thing to take seriously.”