A new federal bill would compel key industries in Canada to bolster cyber security — or pay a price


As you probably know by now, Brett Gallant – our fearless leader at Adaptive Office Solutions – is passionate about cyber security. With the way he talks, writes, and posts about it, you would think he’s a man in love.

Unfortunately, it’s more complicated than that. 

The reason Brett keeps getting the cyber security messages out is that he has to. Some people are hearing the messages, but not listening. A person only has to repeat themselves when an individual, a group, or a country isn’t listening.

In the case of cyber security, all three apply.

Individuals, businesses, and the entire country of Canada are ignoring the warnings about cyber threats from cyber security specialists nationwide. And guess what happens when most of the population doesn’t listen to valid threats? The government gets involved. 

According to the CyberEdge Group, 78 percent of Canadian organizations experienced at least one cyberattack in 2020. In 2021, this figure rose to 85.7 percent of Canadian companies. This highlights the rapidly increasing cybercrime levels that Canadian organizations face and represents a 7.7 percent rise in attacks compared to the year before. This increase is concerning when you consider the worst affected country on the list, Colombia, is only 8.2 percent worse off than Canada.

In short, the Canadian government can’t afford NOT to act. (Yeah… we know that’s a double-negative.) 

In an article, CBC wrote, “The federal government has tabled a bill that would allow it to compel companies in the finance, telecommunications, energy and transportation sectors to either shore up their cyber systems against attacks or face expensive penalties.

If passed, the Act Respecting Cyber Security would give the federal government more control over how private companies in critical industries respond to potential attacks.

The legislation reads the governor-in-council may “direct any designated operator or class of operators to comply with any measure set out in the direction for the purpose of protecting a critical cyber system.”

But that information is unlikely to trickle down to the public because the bill also says that anyone who receives such direction “is prohibited from disclosing or allowing to be disclosed” that it was issued.

During a news conference, Public Safety Minister Marco Mendicino defended the provision as a way to protect national security and trade secrets.

Operators would have to report cyberattacks

Under the bill, operators in key federally-regulated industries would have to report cyber security incidents to the government’s Cyber Centre. They’d also be expected to establish cyber security programs that can detect serious incidents and protect critical cyber systems.

Officials are still crafting the list of entities that fall under this new bill. They mentioned telecommunications companies like Bell and Rogers and rail companies as likely subjects for the legislation.

The bill would give regulators the power to run audits to ensure the private sector is in compliance. Those that don’t fall in line could face administrative monetary penalties of $1 million for individuals and $15 million for others. They also could face summary convictions or convictions on indictment for non-compliance.

A federal government official speaking on background with reporters ahead of the announcement said cyberattacks in Canada are “grossly” underreported — often because their targets want to protect their reputations or avoid legal and insurance consequences.

“As we incorporate and integrate new technologies into our economy, we also have to be very sober about the national security landscape as it exists dealing with more ransomware attacks, dealing with foreign interference, dealing with the wide array of tactics that are deployed by hostile state actors and their proxies,” said Mendicino.

The legislation follows last month’s announcement that Chinese tech vendors Huawei Technologies and ZTE will be banned from supplying hardware to Canada’s next-generation 5G mobile networks.

The federal policy outlined in May forbids the use of new 5G equipment and managed services from Huawei and ZTE. Existing 5G gear or services must be removed or terminated by June 28, 2024.

Any use of new 4G equipment and managed services from the two companies will also be prohibited, with existing gear to be pulled out by Dec. 31, 2027.

The federal government said at the time it also would move forward with legislation to better protect critical infrastructure.

While federal ministers have mandates to shore up security in the energy, finance and transportation sectors, the federal government says it does not currently have a “clear and explicit” legal mechanism to compel the telecommunications sector to address cyber security vulnerabilities.

As part of the bill introduced Tuesday, the Telecommunications Act would be amended to give the government new legal authority to require any necessary action to secure Canada’s telecommunications. That would include prohibiting Canadian companies from using products and services from high-risk suppliers.

“If you think of the telecommunication sector, that is probably the most critical infrastructure I can think of in our country,” said Innovation, Science and Industry Minister François-Philippe Champagne.

“If you think of the data economy, the digital economy that is coming, to protect our telecom infrastructure is key and foremost.”

The NDP’s public safety critic Alistair MacGregor said the party will review the proposed bill closely.

“We believe that it is important that companies report cybercrimes to protect people. If the full scope of the threat remains unknown, then there could be further damages to Canada in the future,” he said in a media statement.

In tandem with Tuesday’s bill, the Communications Security Establishment, Canada’s cyber intelligence agency, announced it will expand its Security Review Program — which helps protect telecommunications equipment and services from cyber threats — to apply more broadly to Canada’s telecommunications networks and to “consider risks from all key suppliers,” not just suppliers thought to pose a risk.

The Security Review Program was introduced in 2013. It was designed to exclude risky equipment from sensitive areas of Canadian networks and to ensure mandatory testing of gear before it was used.

CSE said it will be able to expand the program to develop mitigation strategies for equipment if a cyber security gap is identified.”

You may be thinking, “My business won’t be affected by these changes.” While that may be true for some people reading this article, we have no doubt this is just the first of many new bills mandating cyber security protocols. And do you really want to wait to implement cyber security measures? It’s safer to gamble at a casino than to roll the dice on your business.

In excerpts from an article, insurancebusinessmag.com wrote, “Small businesses are attractive targets because they have information that cybercriminals want, and they typically lack the security infrastructure of larger businesses.

A recent poll conducted by the association of small business owners across the country has found that 88% of respondents felt their businesses were vulnerable to cyberattacks. Despite this, most of those surveyed admitted they could not afford professional IT services, did not have enough time to focus on cybersecurity, or did not know where to start when it comes to protecting their data.

Practical ways small businesses can protect against cyberattacks

To help small businesses address the growing threat of cyberattacks, the SBA has published a guide outlining several steps firms can take to protect against cybersecurity risks even before the attack happens.

Here are some of those practical measures:

1. Assess the risk facing your business

The first and most crucial step to improving a company’s cybersecurity, according to the SBA, is having a deep understanding of the unique risks they are facing and pinpointing where to make the biggest enhancements.

“A cybersecurity risk assessment can identify where a business is vulnerable, and help you create a plan of action, which should include user training, guidance on securing email platforms, and advice on protecting the business’s information assets,” the association wrote. “Start by learning about common cyber threats, understanding where your business is vulnerable, and taking steps to improve your cybersecurity.”

The SBA noted, however, that although “there’s no substitute for dedicated IT support, whether an employee or external consultant,” small businesses with “more limited means” can still access affordable or even free planning and assessment tools to help enhance their cybersecurity.

2. Invest in employee training

The SBA noted how employees and emails have become “a leading cause of data breaches” because they often provide a direct path into a company’s computer system.

“Training employees on basic internet best practices can go a long way in preventing cyberattacks,” the agency wrote, adding that educating staff does not always have to be a costly endeavor.

The association suggested businesses access the DHS’ Stop.Think.Connect campaign, which offers training and other materials on a range of topics, including:

  • Spotting a phishing email
  • Using good browsing practices
  • Avoiding suspicious downloads
  • Creating strong passwords
  • Protecting sensitive customer and vendor information
  • Maintaining good cyber hygiene

3. Keep antivirus software updated

It is also crucial that companies ensure that their systems are equipped with the latest antivirus software and antispyware and that these are regularly updated.

“Such software is readily available online from a variety of vendors,” the SBA explained. “All software vendors regularly provide patches and updates to their products to correct security problems and improve functionality. Configure all software to install updates automatically.”

4. Make sure networks are secure

The SBA advised businesses to safeguard their internet connection by using a firewall and encrypting all their data. Wi-Fi networks should also be secure and hidden. 

“To hide your Wi-Fi network, set up your wireless access point or router so it does not broadcast the network name, known as the Service Set Identifier (SSID),” the agency instructed. “Password-protect access to the router.”

5. Use strong passwords

This is one of the simplest ways to improve cybersecurity. Strong passwords should have the following elements:

  • 10 characters or more
  • At least one uppercase letter
  • At least one lowercase letter
  • At least one number
  • At least one special character

6. Activate multi-factor authentication

Another effective practice to protect data is the use of multi-factor authentication (MFA). This verification process requires users to provide two or more proofs of their identities to access their accounts, adding another layer of security. One example is a system where a password and a code sent to a separate device are required before a user is granted access to an online account.

7. Conduct regular data back-ups

Backing up data is among the most cost-effective ways of making sure information is recovered in the event of a cyber incident or computer issues.

“Critical data includes word processing documents, electronic spreadsheets, databases, financial files, human resources files, and accounts receivable and payable files,” the SBA wrote. “Back up data automatically if possible, or at least weekly, and store the copies either offsite or on the cloud.”

8. Ensure payment processing is secure

The agency advised small businesses to work with their banks to make sure that “the most trusted and validated” tools and anti-fraud services are being used. It also recommended that companies isolate payment systems from less secure programs and use separate computers when processing payments and surfing the internet.

9. Control physical access

Businesses should prevent unauthorized individuals from getting access to or using their computers. Companies should also give administrative privileges only to trusted IT staff and key personnel. 

“Laptops can be particularly easy targets for theft or can be lost, so lock them up when unattended,” the SBA added. “Make sure a separate user account is created for each employee and require strong passwords.”

10. Consider cyber insurance

Although not on the SBA’s list, a cyber insurance policy can help cover the financial losses resulting from a cyberattack and, in an increasingly digital business environment, it pays for companies to have one. Coverage can also include claims made by individuals or groups that may have been harmed because of a business’s action or inaction.”

We, at Adaptive, would like to add a caveat to that last suggestion. First of all, the article is written by an insurance company, so they may be slightly (a LOT) biased. And secondly, they fail to mention that trying to qualify for cyber insurance can be a difficult and time-consuming process.

What once was a one-page form is now a dozen pages or more. And the coverage is filled with loopholes, so read everything carefully. Also, be prepared to adopt a series of cyber protection layers before you can even apply.

While we don’t discourage SMBs from having cyber insurance, we do encourage them to read the fine print. Insurance companies are designed to make money, so it’s in their best interest to charge as much as they can and deny as many claims as possible. You also may have to pay legal fees if they decide to deny your claim.

At Adaptive Office Solutions, cybersecurity is our specialty. We keep cybercrimes at bay by using analysis, forensics, and reverse engineering to prevent malware attempts and patch vulnerability issues. By making an investment in multilayered cybersecurity, you can leverage our expertise to boost your defenses, mitigate risks, and protect your data with next-gen IT security solutions.

When you know your technology is being looked after, you can forget about struggling with IT issues and concentrate on running your business. By making an upfront investment in your cybersecurity, you can lower your costs through systems that are running at their prime, creating greater efficiency and preventing data loss and costly downtime.

To schedule your Cyber Security Risk Review, call the Adaptive Office Solutions service hotline at 506-624-9480 or email us at helpdesk@adaptiveoffice.ca