My Blog (Cyber & More)

Cyber Resources

Ten Things You Can Do To Protect Your Enterprise

Keep your assets up to date and fully patched

This means maintaining an inventory of your IT assets and keeping them up to date; disabling unused ports and services; and implementing antivirus/anti-malware/anti-phishing technologies to prevent, detect, and mitigate malware, including ransomware.

Examine your data and consider eliminating or archiving things you no longer need

During a cyberattack, the mean times to inventory, detect, and respond are three important metrics that can affect the breach costs for your organization.

Put your disaster response plan to the test and correct any parts that do not go as planned

Everyone on a team should understand their roles and responsibilities for responding to a cyberattack.

Continuously build in employee cybersecurity awareness through alerts, training and other activities

This will demonstrate to employees that vulnerabilities arise and pose a threat to the entire organization.

Report social engineering incidents to your organization’s security team

The best example of this is a phishing email: a fraudulent message containing spam links or attachments.

Implement multi-factor authentication

MFA adds an additional layer of security around sites containing sensitive information and makes it more difficult for unauthorized people to log in as the account holder.

Safeguard protected data

Keep high-level protected data (e.g., credit card and health information) off your workstation, laptop, or mobile devices, and securely remove sensitive data files from your system when they are no longer needed. In addition, always use encryption when storing or transmitting sensitive data.

Be aware who is accessing your accounts

Regularly review which accounts are active on your operating systems and devices. If you don’t recognize an account, or if it has not been logged in to for a long time, disable or remove it.

Never leave devices unattended

Keep your devices locked so no one else can use them. If you keep protected data on a flash drive or external hard drive, make sure these devices are encrypted and locked up as well.

Back up your data

If you are a victim of a security incident, the only guaranteed way to repair your computer is to erase and reinstall the system.

Humber Digital Technology Hub

Humber Institute of Technology and Advanced Learning provides free cybersecurity assessments to small, medium and not-for-profit enterprises in Canada.

Contact for assessment

Canadian Centre for Cyber Security

 The Canadian Centre for Cyber Security (the Cyber Centre) is part of the Communications Security Establishment. It is the single unified source of expert advice, guidance, services and support on cyber security for Canadians. 

Go to Website

GetCyberSafe.ca

Get Cyber Safe is a national public awareness campaign created to inform Canadians about cyber security and the simple steps they can take to protect themselves online. 

Go to Website

Security Planner (Citizen Lab)

Improve your online safety with advice from experts

go to website

Have I Been Pwned

Check if your email address is in a data breach

go to website

PBS Cybersecurity Labs

Take cybersecurity into your own hands. In this Lab, you’ll defend a company that is the target of increasingly sophisticated cyber attacks. Your task is to strengthen your cyber defenses and thwart the attackers by completing a series of cybersecurity challenges. You’ll crack passwords, craft code, and defeat malicious hackers.

Go to website

Canadian Legislation on Privacy, Cyber and AI

This page includes some information on Canadian legislation with respect to privacy, cybersecurity and artificial intelligence. This is likely incomplete and may have some inaccuracies. It is intended to serve as a starting point for you to understand the legislation.


A more comprehensive analysis can be found in my textbook. You can purchase it from the following link. It is also available at some local libraries.

Click Here to Order Book

The Personal Information Protection and Electronic Documents Act (PIPEDA)

The Personal Information Protection and Electronic Documents Act (PIPEDA) is a federal law in Canada that governs the collection, use, and disclosure of personal information by organizations in the course of commercial activities.

Go to Act

Proposed Online Harms Act (C-63)

 Bill C-63 will create stronger protections for kids online and better safeguard everyone in Canada from online hate. The bill sets out a new vision for safer and more inclusive participation online. 

Go to parliament website

Canada's anti-spam legislation (CASL)

 CASL protects consumers and businesses from the misuse of digital technology, including spam and other electronic threats. It also aims to help businesses stay competitive in a global, digital marketplace. Learn about the legislation as well as how to protect yourself from spam and how to report it when necessary. 

Go to Government Website

Artificial Intelligence and Data Act

Bill C-27 enacts the Artificial Intelligence and Data Act (AIDA). AIDA seeks to mitigate risks of harm and ‘biased output’ related to ‘high-impact’ artificial intelligence systems. It allows for regulations prohibiting the development and use of an AI system that causes serious harm to individuals, and prohibits the use of illegally obtained personal information for designing, developing and using AI.  

Go to Government Website

Criminal Code

Overview

Within the Criminal Code, there are many provisions that apply to cybersecurity and cyber-crimes. The associated provisions are contained within sections 83.2, 184, 342.1, 342.2, 380, 402.2, 403, and 430 and are explained below. Punishments can range from fines to imprisonment (in some cases for life; however, no one as of the time of writing has been imprisoned for life for a cybercrime in Canada). 

Link to Criminal Code

Section 83.2 states:

Every one who commits an indictable offence under this or any other Act of Parliament for the benefit of, at the direction of or in association with a terrorist group is guilty of an indictable offence and liable to imprisonment for life.

Section 184 states:

Every one who commits an indictable offence under this or any other Act of Parliament for the benefit of, at the direction of or in association with a terrorist group is guilty of an indictable offence and liable to imprisonment for life.

Section 342.1 states:

Everyone is guilty of an indictable offence and liable to imprisonment for a term of not more than 10 years, or is guilty of an offence punishable on summary conviction who, fraudulently and without colour of right,

  • (a) obtains, directly or indirectly, any computer service;
  • (b) by means of an electro-magnetic, acoustic, mechanical or other device, intercepts or causes to be intercepted, directly or indirectly, any function of a computer system;
  • (c) uses or causes to be used, directly or indirectly, a computer system with intent to commit an offence under paragraph (a) or (b) or under section 430 in relation to computer data or a computer system; or
  • (d) uses, possesses, traffics in or permits another person to have access to a computer password that would enable a person to commit an offence under paragraph (a), (b) or (c).

Section 342.2 states:

Every person who, without lawful excuse, makes, possesses, sells, offers for sale, imports, obtains for use, distributes or makes available a device that is designed or adapted primarily to commit an offence under section 342.1 or 430, knowing that the device has been used or is intended to be used to commit such an offence, is … .

Section 380(1) states:

Every one who, by deceit, falsehood or other fraudulent means, whether or not it is a false pretence within the meaning of this Act, defrauds the public or any person, whether ascertained or not, of any property, money or valuable security or any service.

Section 402.2 states:

Identity theft

  • (1) Every person commits an offence who obtains or possesses another person’s identity information with intent to use it to commit an indictable offence that includes fraud, deceit or falsehood as an element of the offence.

Trafficking in identity information

  • (2) Everyone commits an offence who transmits, makes available, distributes, sells or offers for sale another person’s identity information, or has it in their possession for any of those purposes, knowing that or being reckless as to whether the information will be used to commit an indictable offence that includes fraud, deceit or falsehood as an element of the offence.

Section 403 states:

(1) Everyone commits an offence who fraudulently personates another person, living or dead,

  • (a) with intent to gain advantage for themselves or another person;
  • (b) with intent to obtain any property or an interest in any property;
  • (c) with intent to cause disadvantage to the person being personated or another person; or
  • (d) with intent to avoid arrest or prosecution or to obstruct, pervert or defeat the course of justice.

Section 430 states:

Mischief

(1) Every one commits mischief who wilfully

  • (a) destroys or damages property;
  • (b) renders property dangerous, useless, inoperative or ineffective;
  • (c) obstructs, interrupts or interferes with the lawful use, enjoyment or operation of property; or
  • (d) obstructs, interrupts or interferes with any person in the lawful use, enjoyment or operation of property.

Mischief in relation to computer data

(1.1) Everyone commits mischief who wilfully

  • (a) destroys or alters computer data;
  • (b) renders computer data meaningless, useless or ineffective;
  • (c) obstructs, interrupts or interferes with the lawful use of computer data; or
  • (d) obstructs, interrupts or interferes with a person in the lawful use of computer data or denies access to computer data to a person who is entitled to access it.

Copyright Act

Overview

The Copyright Act contains one provision that relates to the removal of technological protections that are placed on a “copyrighted” work. Cybercriminals often look for these types of assets during an attack and distribute them once the asset has been acquired and the protections removed.

Link to Copyright Act

Section 41.1(1) states:

(1) No person shall

  • (a) circumvent a technological protection measure within the meaning of paragraph (a) of the definition technological protection measure in section 41;
  • (b) offer services to the public or provide services if
    • (i) the services are offered or provided primarily for the purposes of circumventing a technological protection measure,
    • (ii) the uses or purposes of those services are not commercially significant other than when they are offered or provided for the purposes of circumventing a technological protection measure, or
    • (iii) the person markets those services as being for the purposes of circumventing a technological protection measure or acts in concert with another person in order to market those services as being for those purposes; or
  • (c) manufacture, import, distribute, offer for sale or rental or provide—including by selling or renting—any technology, device or component if
    • (i) the technology, device or component is designed or produced primarily for the purposes of circumventing a technological protection measure,
    • (ii) the uses or purposes of the technology, device or component are not commercially significant other than when it is used for the purposes of circumventing a technological protection measure, or
    • (iii) the person markets the technology, device or component as being for the purposes of circumventing a technological protection measure or acts in concert with another person in order to market the technology, device or component as being for those purposes.

Copyright © 2025 Francis Syms - All Rights Reserved.
