In the global war against crime, Canada is one of a number of countries with a national cyber strategy, aimed at strengthening important departments and working with the private sector to shore up critical infrastructure.
But two security experts told a conference Thursday that businesses, not Ottawa, should be leading the charge.
They also laid the blame for the country’s poor cyber security at the executive floor.
“We (infosec pros) feel it’s difficult to convince upper management something should be done,” Jason Murray, senior manager for cyber security at consulting firm MNP LLP, told the SC Congress conference in Toronto on Canada’s cyber strategy. “They’re not listening to us. They get it, they just don’t need to do anything about it.
“They’re accumulating technical debt. Every year they don’t spend enough on information security they’re adding to the debt and hoping that when the debt comes due they’re not around to take the fall … The market should punish these people, just like they were accumulating financial debt… and they would go out of business.”
However, he admitted, few companies – even those suffering huge breaches like Home Depot – lose customers over the long term.
But he also complained organizations “are not doing the basic hygiene stuff… I go in there (to customers) and assess against the PCI (Payment Card Industry security) framework or the critical controls framework … and they’re scoring 40 per cent at best.”
Fellow panellist Peter Sloly, a former Toronto deputy police chief and now an executive director at Deloitte Canada, agreed the responsibility is on the private sector’s shoulders. “If a private entity is having a (digital) hygiene factor, that’s leadership from the C-suite, and the shop floor as well. This could cost jobs, it could cost clients, it could cost value and reputation as well.”
But both also credited Ottawa with passing a law requiring organizations coming under federal privacy law to notify customers and partners of breaches where there is risk of significant harm to victims. The federal privacy commissioner will also have to be notified.
The regulations around breach notification are still being ironed out, and the requirement is not expected to come into force until 2017.
Breach disclosure “is a great lever” for action, Sloly said. Recently made mandatory in Australia, he noted, it has “put a real burning platform under CEOs” to get security right.
Canada’s cyber security strategy includes a wide range of efforts. The Harper government announced an action plan in 2013 which included working with the provinces, municipalities and the private sector to improve IT security in a number of sectors, a plan the Trudeau government has adopted in its first budget.
The strategy includes the Canadian Cyber Incident Response Centre, a Public Safety Canada website with many resources, and the encouragement of the fledgling Canadian Cyber Threat Exchange (CCTX). The exchange is expected to go live in December.
However, Murray said organizations shouldn’t rush to join the exchange if they don’t have the capability to make use of the near real-time data feeds it will offer. He also called for federal funding to help train more infosec professionals. “We need people, we need processes, we need tech, we need all of that.”
Sloly called for a host of cyber security centres of excellence across the country.
In an interview Murray said there has to be a “carrot and stick” approach to Canada’s cyber security strategy, with mandatory breach notification being one of the sticks.