Investing in the basics of cybersecurity is the best way Canadian organizations can lower the risk of data breaches, a parliamentary committee looking into the recent large data theft at the Desjardins Group of credit unions was told.
“Ultimately, there is no silver bullet when it comes to cybersecurity,” Andre Boucher, deputy minister and director of operations at the Canadian Centre for Cyber Security told members of the House of Commons public safety committee on Monday. “We cannot be complacent.”
“This incident underscores the human element of cyber security,” he said. “Fundamentally, the security of our systems depends on humans — users, administrators, security teams. Adopting a holistic approach to security is critical. This means starting with a culture of security and putting in place the right policies, procedures and cyber security practices. This ensures that when something goes wrong, as it almost inevitably will, there is a plan in place to address it.
“Then we need to invest in and empower our people. Training and awareness of our people are very important. Only with awareness can we continuously develop and instill good security practices, a fundamental step in securing Canada’s cyber systems. And we always need to identify and protect Canada’s critical assets: Know where your key data lives, protect it, monitor the protection, be ready to respond.”
The centre is a federal agency that advises the government, the private sector and the public on privacy and security.
The committee was holding a special hearing into last month’s revelation that an employee was behind the theft of information on more than 2.7 million individual members and 173,000 business members.
Witnesses, including the RCMP and senior Desjardins officials, carefully stayed away from discussing any details of the incident because of an ongoing investigation by Quebec police.
Desjardins chief executive officer Guy Cormier blamed the incident on a single “malicious employee.”
Desjardins chief operating officer Denis Berthiaume added that the company had security measures in place but the employee “found a way to break the rules.”
He also said that earlier in the day Desjardins announced it is now offering free lifetime data and identity theft protection for consumer and business depositors. Customers will be fully reimbursed for unauthorized transactions. Victims of identity theft through Desjardins will get corporate help in restoring their identity, plus up to $50,000 if they suffer a loss from ID theft (for example, lost wages).
Desjardins spends $70 million a year on cybersecurity and privacy, said Berthiaume.
One MP complained that the verbal response of the RCMP, which is not responsible for the criminal investigation, was weak. Another said it’s important to manage public expectations about what police can do after a breach has been discovered. A third wondered whether the financial sector has uniform cybersecurity standards that ensure the money of Canadians is safe.
Boucher said the Canadian financial sector is one of the most mature in the country.
Asked what he advises organizations for combating human risks, he replied, “the best approach is to get back to basics and have a holistic approach to security.
“Security for staff begins with a good training program so they understand what needs to be protected.” Awareness needs to be ongoing and periodically refreshed, he added, supported by business processes.
“Every large enterprise has to measure the value of its own key assets and make a risk-based decision on how much it’s going to invest to protect those assets. Starting with a position of zero trust is the reality of today’s complex environment we live in. Don’t assume your systems are going to work on their own. It takes a holistic investment in a security program in the right people, right processes and the right technology.”
(This story has been updated from the original to include testimony from Desjardins officials)