Information professional professionals across the country have been considering the ramifications of new requirements in Canada’s Digital Privacy Act legislation slated to come into force in the fall of 2017. But the question remains: are they are doing enough to prepare their businesses?
Introduced in 2015, The Digital Privacy Act amended Canada’s Personal Information and Protection of Electronic Documents Act (PIPEDA), to include provisions on reporting, notification, and record keeping around security breaches. However, this piece of the amendment was not brought into force, pending the development of related regulations outlining specific requirements, such as penalties for non-compliance. The portion expected to come into play this fall – the mandatory reporting of security breaches and notification to the Privacy Commissioner and all affected individuals – is the one everyone is keeping an eye on, said Jamie Manuel, information protection manager at Symantec.
While many sectors such as healthcare already abide by sector specific reporting requirements, up until now reporting has not been mandatory. Whether mandated or not, managing and reporting breaches are things an IT manager should already be concerned about and constantly working on, he said.
Manuel pointed to three things every organization should have in place to prepare for what’s coming – if they haven’t done so already. The first is to identify critical data. “Look at all your data and classify it based on its importance or sensitivity. If you know where your data is, and it’s properly identified and classified, you can put in appropriate measures to protect it.
The second is having an incident response team ready to respond before a breach happens. That could involve paying a retainer to an incident response organization that is ready to go at a moment’s notice. “You don’t want to be caught looking for how to deal with an incident after it happens.”
The third step builds on the first: deploying technology that gives you deep visibility into network activity, ranging from logins to email to downloading, will help the organization provide the protection needed for critical data. “With the right tools you can discover where a breach has happened, how and by whom. You already know where because you classified your data in step one.” And you can take actions to prevent breach: “for example, you can set your system up to send alerts if an employee is trying to send a document that contains sensitive data and prevent it from leaving the network.”
Protection and monitoring can be achieved with tools that work with existing network infrastructures, Manuel said. “For example you can run a shadow data report that looks at all the different sites your employees are connecting to on your network, like Dropbox or Google Drive. As an IT person, you may not be aware they are sending files there, but a shadow data report gives you that visibility and allows you to apply sanctions where needed.”
‘Shadow IT’ can offer protection by acting as a cloud access security broker. Instead of a user connecting directly to a site, data goes through the broker where it can be managed and policies applied. This is especially critical given that there is a vast difference between the number of sites an IT person thinks are being used and the reality behind employee usage.
According to a Symantec H2 2016 Shadow Data Report, while the average CIO thinks their organization is using between 30 and 40 cloud apps and services, Symantec found that they typically have 928 apps on their extended networks, most of which were adopted without IT approval or oversight. That represents a 10% increase in usage over the first half of 2016.
To bolster the effectiveness of these kinds of network security tactics, a new wave of machine learning technologies are gaining ground today, whose purpose is to monitor and track internal network activity, as well as isolate and combat potential breaches without the need for human intervention. Darktrace’s Enterprise Immune System, for example, augments existing network protection technologies. “We like to think of it as an immune system for your network using digital antibodies,” said Darktrace Canada country manager David Masson.
For the most part, predictive network security solutions are based on pre-determined/pre-programmed rules and signatures. “Machine learning on the other hand, can make unsupervised judgments on behalf of human beings, much like your body’s immune system responds to threats,” Masson explained. “It has an innate understanding of knowing what’s right and what isn’t on the network.”
Once installed, without the need for data sets or training, Darktrace software builds very accurate 3D mathematical models of everything on the network from subnets and mobile devices to PCs and departmental servers. “If an iPad is communicating with malware, it will show you where it is; and because it understands patterns it can take action against that malware with ‘antigens’.”
Utility distributor Energy+ Inc. deployed Enterprise Immune System to improve its propspects in battling the threat landscape, said the company’s VP of Information Security Paul Martinello. “Too many businesses focus on the desktop/server model of security and rely too heavily on perimeter protection. Defending your borders is certainly a necessity, but in an era where you can no longer predefine ‘bad’, it’s not enough. You have to be proactive and install security within the core of your network. We needed a product that would fit into our security architecture, and add another layer to the security ‘onion’.”
Since Darktrace software’s 3D graphical interface helps IT quickly recognize issues, they are able to identify threats as they are happening, he added. “It spots things that our legacy tools either consistently missed or just are not tuned to capture – especially zero day threats. If significantly abnormal behavior occurs, security professionals will be alerted immediately, enabling us to be pro-active while requiring minimal maintenance, tuning or rule changing.”
Among other obvious benefits, any additional level of visibility can play a key role in helping organizations stay on top of the upcoming Digital Privacy Act legislation, Masson said. “You can’t avoid this legislation. When it comes into play, you have to report breaches quickly and accurately. It will go that much more smoothly if you have tools that can help you gain full knowledge of what is going on and reduce the risk of harm being done.”
Come fall, preparedness will be critical, Manuel said. “If you do have to report a breach, you better ensure you have your ducks in row to show you did everything you could to prevent it or you could be facing substantial penalties.”