Over 275,000 data records were breached across Canada during
2014, according to a report published by digital security vendor
Gemalto. Often from customer databases, these records typically
contain confidential, personal and financial information.
For businesses that allow breaches, the ultimate cost far exceeds
the price of simply plugging the leaks: trust between the customer
and the business has been broken, and cleanup and reparation costs
may not be enough to rebuild it.
Hackers can use stolen information to commit identity fraud and
extend credit lines or secure mortgages from existing bank
accounts. "But it's not always financial gain that hackers
are seeking," says David Florio, partner, operational
advisory, Grant Thornton LLP. "Data can also be used for
competitive advantage or personal gain, such as the student who
hacks into the system of a post-secondary institution to change
Just because a company is breached today, it doesn't mean
information will be used immediately in a fraud activity. It may
sit in a sleeper zone and be used over time. "This brings a
high level of discomfort, with affected parties wanting to know how
the company will protect them going forward," says David
Malamed, partner, financial advisory services, Grant Thornton.
requirement for long and complex passwords are increasingly the
norm to help protect data, many companies are missing the mark in
their follow-through. "IT departments may not have configured
the password process to require the level of complexity necessary,
such as upper and lower case and numeric characters. Even if this
has been done, users are still using basic elements or combinations
such as anniversaries, pet names and birth dates, which can easily
be cracked," notes Florio.
Challenges may also arise when an IT department is understaffed
or underfunded: lax revocation of security access with employee
turnover, improper security measures and lack of training all
weaken the security environment, making it more accessible.
"It's the same as opening your wallet on the street and
showing a stranger your information. You just wouldn't do
that," says Malamed.
Then there's the IT department itself, he says. They have
access to all information and areas of the business. IT may be
watching everyone else, but who's watching IT?
There are also forgotten areas where sensitive data can be at
risk, such as new vehicles that now come with onboard computers
where personal and work-related information may be stored.
A security strategy tied to the business strategy must be in
place, supported by formally documented policies that are
communicated to all users across the company, so they are aware of
their responsibility for protecting data, says Florio.
Businesses must also establish a process to identify system
vulnerabilities so controls can be applied before a breach occurs.
"Because areas for exploitation are continually arising, this
type of assessment should be done at least annually and anytime a
new system is implemented or changed," he says.
For companies that use the cloud, a priority should be to ensure
their provider is securing data to the same level as if it were
managed in-house, he says. "Contracts with your outsourced
providers should include a clause that allows you to request an
audit of their controls, or request a service organization controls
(SOC) report over controls and processes relevant to you," he
says. "Companies outsource processes and controls, not the
responsibility for data security, therefore you should be asking
for, and receiving evidence that your data is being
In the event of an attack, an effective response protocol begins
with determining the root cause (internal or external), shutting
the leak down fast, and establishing procedures and controls to
prevent it from happening again.
Going forward, governance is crucial. It's about conducting
independent periodic assessments, documenting results with plans
for remediation, a formal communication process, and a report to
management and the board.
But ultimately the key is to protect data before it's lost.
"For every dollar spent in prevention, we see up to about $20
saved in investigation," says Malamed. "It's
difficult to get companies to invest in prevention, but we're
seeing even the big companies fail, so smaller businesses should be
concerned because even the gold standard is clearly not hitting the
This story was produced by Postmedia Works on behalf of
Grant Thornton for commercial purposes. Reprinted from Financial
Post, in the "strategy" section, sponsored by Grant
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.