Rely on government cybersecurity and you’ll get breached, too

December 18, 2017 4 Minute Read

Did you know McDonald’s is more secure than Uncle Sam? If you don’t believe it, check out this report courtesy of cybersecurity consulting firm Security Scorecard. It analyzed 18 industries and found the feds coming in at a sad sixteenth place. That’s right—the company that flips your burgers is more secure than the federal government south of the border.

If you want to get a bad rep for government cybersecurity, losing the private personal credentials of an entire sub-section of the workforce is a pretty good place to start. The US government did just that in 2014 and 2015 when its Office of Personnel Management (OPM) suffered a series of rage-inducing hacks due to poor government cybersecurity, affecting 21.2 million people. What was stolen? Oh, just names, addresses, and social security numbers.

When you look at just how bad government cybersecurity can get, combined with the fact that McDonald’s has stronger cybersecurity strategies in place than one of the biggest government institutions this side of the free world, it’s clearly time we took another look at government cybersecurity guidelines.

Rethinking government cybersecurity strategy

Canada’s cybersecurity strategy is seven years old, and the feds have promised CAD$77 million more in cybersecurity funding between 2017 and 2021. The government has already seen some serious cyber attacks, and a few months after it released its first cybersecurity strategy, hackers attacked the Treasury Board. And in 2014, the government blamed China for hacking the National Research Council. The upside to all this activity? At least Ottawa knows it has some catching up to do when it comes to protecting its systems. Senior officials held cybersecurity meetings last year with Israel’s top cybersecurity brass to seek some much-needed advice.

Despite the past attacks and promises of more funding, cybersecurity funding in the government’s March 2017 budget received a measly CAD$1.37 million. A small amount was allotted to help secure critical infrastructure and continue the Regional Resilience Assessment Program, which conducts threat assessments on systems that are tied into the country’s economy, public health, and security—like airports, utilities, and financial institutions, as explained by IT World Canada. But Scott Jones, assistant deputy minister at the Communications Security Establishment intelligence agency, closely compared the level of malicious cyber activity in Canada to that of the United States, expressing worry over potential attacks on critical Canadian infrastructure.

For Canada, it’s time to look forward. Industry group ITAC suggested that a Chief Information Security Officer (CISO) could help bridge the gap between the government and business on cybersecurity issues. But until that happens, cyber attacks by menacing nation-states and commercial crooks are getting more aggressive, and experts are increasingly convinced that an attack on Canada’s financial markets “could cause a prolonged disruption to the provision of financial services in Canada,” according to a Bank of Canada report.

So, where does this leave IT in private sector businesses?

Good cybersecurity means strength in numbers

While the government figures out its next steps, IT can still rely on a mixture of public and private information sources. Canada has its Cyber Incident Response Centre (CCIRC), which advises Canadian organizations on critical cybersecurity threats. Companies can take advantage of private threat intelligence services to bolster their knowledge.

But what’s one of the most powerful things a private business can do? That’s easy: Find strength in numbers. Information-sharing between private sector organizations can be a powerful weapon in the fight against cyber attacks, and some efforts are already springing up.

You may have seen the Information Sharing and Analysis Organizations in the United States, which are sector-specific groups of companies that share information with each other about ongoing cyber threats and best practices in a safe space. But north of the border, the Canadian Cyber Threat Exchange operates a knowledge base of cyber threats that companies can contribute to and draw on. Its information is focused on Canadian businesses, and it operates on a cross-sector basis.

If your company is looking for even more ways to up its protection, try following standard guidelines and creating cybersecurity strategies of your own. You can frame this around a go-to resource for smaller companies, known as the NIST guidance on small business information security.

Protect yourself before you wreck yourself

As Canada works to develop its cybersecurity regime with new funding during the next five years, things are going from bad to worse in the United States. Already, a quarter of President Trump’s National Infrastructure Advisory Council has resigned, citing “insufficient attention to the growing threats to the cybersecurity of the critical systems upon which all Americans depend.” That doesn’t sound too good, does it? And all this was shortly after a report on critical infrastructure security was released, warning that the United States was at high risk of a cyber-9/11.

The message for businesses is clear: When government cybersecurity is uncertain, don’t rely on the government to secure you. Invest in your own protection, take advantage of Canada’s preexisting cybersecurity strategies, and keep an eye out for the government’s next steps. And while you’re at it, maybe buy an electricity generator or two. Better safe than sorry, eh?
