Today, I wanted to discuss key trends in Canada’s cybersecurity efforts. As a neighbor to the U.S., Canadian enterprises have observed the exponential growth of data threats occurring within U.S. borders. This begs the question: are Canadian organizations keeping pace?
According to our recent Insider Threat Report, 54 percent of global organizations host sensitive data in the cloud. The need to protect data is echoed globally; however, the manner in which data is protected differs from country to country. When examining the cybersecurity initiatives in Canada, it’s clear that Canadian enterprises are lagging significantly behind the U.S.
Here are some of my key findings and observations:
- Differing Tech Investments: Currently, the biggest demand is for Data Loss Prevention (DLP) solutions. Although recent data breaches, including Anthem and Ashley Madison, seem to point to a lack of data-at-rest security, many companies are investing in DLP, which is really a data-in-transit security control; the focus is still on perimeter security. Given the cost and time of investment, the mindset of most Canadian companies is that DLP keeps your database safe.
Canadian enterprises tend to protect data with a siloed approach, rather than a layered one. However, data-at-rest sits so deep within the organization that a siloed approach isn’t always the most effective. Think about the layers of an onion. Data-at-rest is at the center of the onion, so imagine if companies are only protecting the perimeter. Once a hacker gets through the first layer of the onion, your data is left completely vulnerable. While it makes sense to protect the perimeter, organizations need to secure all of the layers of the onion, including the center (your data).
- Data Access Varies: When it comes to examining industry verticals, many customers in Canada have been focused on intrusion detection systems and intrusion prevention systems (IDS and IPS). These are the biggest technologies being used in financial services, for example.
Financial services and retail companies place a heavy focus on IDS and IPS technologies, and have less of a need to protect payment card information, as fewer of them actually store it at all. As a result, organizations are ignoring the need to protect data-at-rest.
In the future, however, we’ll see more companies with online services as a priority target in Canada. Since Anthem’s data breach in 2014, more insurance companies will leverage data protection services, and the adoption of technologies like encryption and tokenization is increasing.
- Legislation is Catching Up: In looking at cybersecurity legislation, the Canadian government has placed a lighter emphasis on breach notification laws and standards. Breach notification laws were implemented only recently, and enforcement policies are just starting to take effect. Presently, class action lawsuits – rather than corporate penalties – are a common reaction to data breaches.
While there are several notable distinctions between cybersecurity in the U.S. and Canada, in the future we should expect to find more similarities, rather than differences.