- Elements of a secure development life-cycle
- Six Successful Strategies For Re-Opening Your Business After Covid19
- Cybersecurity Readiness in a Pandemic Era
- Cybersecurity In 2020 – A Roadmap To Keeping Your Business Safe
- What’s your reputation worth? The cost of not protecting your data.
- Ryuk Ransomware Hits Canadian Businesses
- Why Are Small Businesses A Hackers Playground?
- Phishing attacks targeting Office 365 users
- The new normal in cybersecurity
- Hackers targeting torrent sites
- The implications of PIPEDA for small business
- Cybersecurity Essentials
By Dom Chorafakis, P.Eng, CISSP, November 27, 2018
Information contained in this post is intended as general information only. It is not, nor should be construed as legal advice and should not be relied upon as such. If you need legal advice, please contact an attorney directly.
Personal Information Protection and Electronic Documents Act (PIPEDA)
It has been almost a month since the new PIPEDA rules regarding mandatory breach reporting in Canada came into effect and many clients still have questions around what it means for their business. In this post we’ll explore some of the key highlights of the legislation and provide links back to the relevant sections of the Office of the Privacy Commissioner of Canada (OPC) website you can use to get more information.
Perhaps the most common question that comes up is whether the rules apply to a small business that only has one or two employees. The short answer is yes, they do. The rules do not provide for any exemptions based on number of employees or revenue. There are however certain types of organizations to which the rules may not apply as per the PIPEDA brief available at https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/pipeda_brief/ :
“Unless they are engaging in commercial activities that are not central to their mandate and involve personal information, PIPEDA does not generally apply to:
- not-for-profit and charity groups
- political parties and associations” 
So if you own a business that is not a charity, political party or association, then the rules definitely apply to you. Note however that even those organizations may need to comply with the rules if “they are engaging in commercial activities that are not central to their mandate” . For example, if an association sells its member list data for marketing purposes, PIPEDA would apply.
As mentioned in the brief, “PIPEDA applies to the collection, use or disclosure of personal information in the course of a commercial activity. A commercial activity is defined as any particular transaction, act, or conduct, or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fund-raising lists.” 
The personal information that is protected under PIPEDA includes anything that is recorded about an identifiable individual. According the brief, “This includes information in any form, such as:
- age, name, ID numbers, income, ethnic origin, or blood type;
- opinions, evaluations, comments, social status, or disciplinary actions; and
- employee files, credit records, loan records, medical records, existence of a dispute between a consumer and a merchant, intentions (for example, to acquire goods or services, or change jobs).” 
The Act defines 10 fair information principles that businesses must follow with regards to personal information:
- Identifying Purposes
- Limiting Collection
- Limiting Use, Disclosure, and Retention
- Individual Access
- Challenging Compliance
There are a number of clauses in the Act (which is available online at http://laws-lois.justice.gc.ca/eng/acts/P-8.6/FullText.html ) that are relevant from a cybersecurity perspective. For example, the Act states that “Organizations shall implement policies and practices to give effect to the principles, including
(a) implementing procedures to protect personal information;
(b) establishing procedures to receive and respond to complaints and inquiries;
(c) training staff and communicating to staff information about the organization’s policies and practices; and
(d) developing information to explain the organization’s policies and procedures.” 
Furthermore, the Act states that “The methods of protection should include
(a) physical measures, for example, locked filing cabinets and restricted access to offices;
(b) organizational measures, for example, security clearances and limiting access on a “need-to-know” basis; and
(c) technological measures, for example, the use of passwords and encryption.”
Not only does the act require businesses to use appropriate administrative and technological safeguards to protect personal information, it also stipulates that any breaches of these safeguards that expose this personal information must be reported to the OPC. Organizations who fail to report such a breach may be liable for a fine of up to $100,000. According to the Act, “An organization shall report to the Commissioner any breach of security safeguards involving personal information under its control if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual.
[…] significant harm includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property.” .
The OPC provides a privacy toolkit for business at https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/pipeda-compliance-help/guide_org/ to help comply with the Act and its principles.
By Dom Chorafakis, P.Eng, CISSP, June 21, 2017
The cyber threat landscape is constantly changing as criminal hackers look for new and creative ways to profit from online crime. While there is no silver bullet that can guarantee protection against breaches or other forms of attack, keeping up to date with the latest threats and vulnerabilities is an important part of any security strategy.
With the rise in popularity of digital currencies like Bitccoin and Etherium, cybercriminals have found new opportunities in cryptomining as a revenue stream. The unauthorised use of computer resources to mine cryptocurrency known as cryptojacking has now exceeded ransomware as the largest online threat. There are two aspects to this that are important to take into account from a security perspective: website compromises and malvertising.
Hackers attempt to install cryptomining software on victims’ computers by installing malicious code on websites they are able to compromise. Web servers have always been vulnerable to hackers because of their very nature, but the potential for profit from illicit cryptomining makes them more interesting targets than ever before. System administrators need to ensure that servers are adequately protected by making sure the operating system and software is up to date, accounts are secure and use strong passwords, endpoint security mechanisms like anti-virus is installed, servers are protected using Intrusion Prevention technology, and that measures are in place to detect and prevent unauthorised content changes.
In addition to compromising legitimate websites, hackers are creating fraudulent sites that look legitimate, directing users to these sites using fake online ads displayed on popular websites, a practice known as malvertising. This practice is not new, but a significant spike in cryptojacking related malvertising was recently observed by a network of Intrusion Prevention systems as reported here.
People surfing the internet should assume that at some point they will come across either a legitimate site that has been compromised, or a fraudulent site set up specifically to infect vulnerable systems. To protect themselves, users should keep their Operating System and all software they use up to date, make sure good anti-virus is installed and up to date, use safe-browsing plugins from their anti-virus vendor and use an ad-blocker to block online ads.
While there has been a significant increase in these new threats thanks to the potential for quick profit, email continues to be by far the predominant attack vector. From account compromise and phishing attacks to malicious attachments, email based attacks are still the most common method used by hackers to infect vulnerable systems with ransomware, cryptojacking software, or trojans used to carry out financial fraud and other attacks. While technologies like anti-spam and anti-virus can help, user education is one of the most effective tools to help minimise risk in this area. Users need to be aware of the types of threats and attacks, how to identify them, and what steps they must take in the event of a suspected compromise.
The long game
Staying up to date with the latest threats and cyberattacks is important, but is only one element of a good cyber security strategy. Defending against hackers and cyber criminals is not a onetime activity, it needs to be an ongoing process that is actively managed and updated to reflect the changes to your information, its ecosystem and evolving threats. A good strategy includes the following five elements.
1. Identify your assets
It’s impossible to build a solid defence if you don’t know exactly what you are defending. During this stage you need to identify all of the data, applications and hardware that need to be protected.
2. Identify threats and risks
Once you have a list of everything that needs to be protected, it’s time to analyse the risks and threats to each asset. The threats to your company website are different than the threats to your customer list or payroll information, so different countermeasures are needed to protect the confidentiality, integrity and availability of the systems and the information they process.
3. Apply security controls
Once you have identified and prioritized assets and threats, it is time to select and deploy the safeguards needed to protect your organization. This may seem daunting but remember that you don’t need to solve everything at once, you can start by taking steps to address the biggest risks to your most valuable or sensitive assets and work down the list as time and budget permits.
4. Detect and Respond
Despite best efforts breaches and other security incidents can and will occur. The ability to detect and respond to them is as important as the effort to prevent them in the first place. There are a number of steps that can be taken in this area ranging from technical solutions such as managed security services and Intrusion Prevention, to policies and procedures such as having a formal Incident Response Plan.
5. Review and adjust
Lastly, it is important to keep in mind that a cyber security strategy is not static, it needs to be reviewed and adjusted to make sure it is always up to date and your important assets are protected. How often it needs to be reviewed depends on many factors including the threat level, sensitivity of information, as well as legal and regulatory requirements. At a minimum the strategy should be reviewed at least once a year, every time there is a significant IT change and every time there is a security incident.
Where to go from here
There are many free resources that can help individuals and businesses with cyber security. In Canada the government has launched a Get Cyber Safe initiative with the mission “to educate Canadians about Internet security and the simple steps they can take to protect themselves online”. For more information you can visit the Get Cyber Safe website and get started on your own cyber safety strategy.
Ask an expert
If you have a question about one of our blog posts or cybersecurity in general, our experts are happy to help.
- Threat Source newsletter (Feb. 2, 2023): I bid you all adieu
- Talos Takes 126: Year in Review - Threat Landscape Edition
- 2022 Year in Review: Threat Landscape Livestream Replay
- Threat Round up for January 20 to January 27
- What Old is New Again and What's Old is Me?
- Vulnerability Spotlight: OS command injection, directory traversal and other vulnerabilities found in Siretta Quartz-Gold and FreshTomato
- Quarterly Report: Incident Response Trends in Q4 2022
- Threat Landscape Topic Summary Report: Cisco Talos Year in Review 2022
- State Sponsored Attacks in 2023 and Beyond
- Threat Round up for January 13 to January 20
- 6 Examples of the Evolution of a Scam Site
- Rising ‘Firebrick Ostrich’ BEC Group Launches Industrial-Scale Cyberattacks
- Patch Critical Bug Now: QNAP NAS Devices Ripe for the Slaughter
- AppSec Playbook 2023: Study of 829M Attacks on 1,400 Websites
- Managing the Governance Model for Software Development in a No-Code Ecosystem
- Cybersecurity Leaders Launch First Attack Matrix for Software Supply Chain Security
- ChatGPT May Already Be Used In Nation State Cyberattacks, Say IT Decision Makers in BlackBerry Global Research
- Discrepancies Discovered in Vulnerability Severity Ratings
- Lazarus Group Rises Again, to Gather Intelligence on Energy, Healthcare Firms
- Why CISOs Should Care About Brand Impersonation Scam Sites
- NTT, Palo Alto partner for managed SASE with AIOps
- Foreign states already using ChatGPT maliciously, UK IT leaders believe
- APT groups use ransomware TTPs as cover for intelligence gathering and sabotage
- BrandPost: Nation-State Threats and the Rise of Cyber Mercenaries: Exploring the Microsoft Digital Defense Report
- New “MITRE ATT&CK-like” framework outlines software supply chain attack TTPs
- Misconfiguration and vulnerabilities biggest risks in cloud security: Report
- Why you might not be done with your January Microsoft security patches
- US DOJ applies carrot-and-stick approach to Foreign Corrupt Practices Act policy
- BrandPost: Is Your Organization Security Resilient? Here’s How to Get There
- IoT, connected devices biggest contributors to expanding application attack surface
- Experian Glitch Exposing Credit Files Lasted 47 Days
- Administrator of RSOCKS Proxy Botnet Pleads Guilty
- New T-Mobile Breach Affects 37 Million Accounts
- Thinking of Hiring or Running a Booter Service? Think Again.
- Microsoft Patch Tuesday, January 2023 Edition
- Identity Thieves Bypassed Experian Security to View Credit Reports
- Happy 13th Birthday, KrebsOnSecurity!
- The Equifax Breach Settlement Offer is Real, For Now
- Hacked Ring Cams Used to Record Swatting Victims
- Six Charged in Mass Takedown of DDoS-for-Hire Sites
- New Russian-Backed Gamaredon's Spyware Variants Targeting Ukrainian Authorities
- Cybersecurity Budgets Are Going Up. So Why Aren't Breaches Going Down?
- North Korean Hackers Exploit Unpatched Zimbra Devices in 'No Pineapple' Campaign
- New Threat: Stealthy HeadCrab Malware Compromised Over 1,200 Redis Servers
- Researchers Uncover New Bugs in Popular ImageMagick Image Processing Utility
- Experts Warn of 'Ice Breaker' Cyberattacks Targeting Gaming and Gambling Industry
- New SH1MMER Exploit for Chromebook Unenrolls Managed ChromeOS Devices
- Auditing Kubernetes with Open Source SIEM and XDR
- Prilex PoS Malware Evolves to Block Contactless Payments to Steal from NFC Cards
- Hackers Abused Microsoft's "Verified Publisher" OAuth Apps to Breach Corporate Email Accounts