From healthcare to income data, every day Canadians entrust millions of pieces of personal information to various levels of government. We assume those agencies have the necessary security infrastructure in place to keep that and other sensitive information safe and in the right hands. But new revelations only underscore how we may be clinging collectively to a false sense of security.
Information disclosed during a recent Parliamentary hearing highlighted more than 5,000 instances across 38 federal agencies last year where sensitive information was mishandled and employees failed to meet government security standards. The number is likely far higher because not every agency was able to provide complete information detailing potential data-handling shortcomings across its departments.
This begs the question: if even Ottawa can’t be trusted to build and maintain robust security protocols, how can small to medium-sized organizations—with far more limited security budgets—be expected to lock down and protect the data and other sensitive information of their clients and key stakeholders?
The simple answer: it starts by developing and implementing a customized security strategy that accounts for potential security vulnerabilities across your organization in an integrated way. In other words, analyze and assess every potential risk, determine threat levels and assign solutions to address each one, taking into account all available technology tools and people-focused strategies (in particular, training). Then invest in stress-testing.
Organizations from governments to SMEs will often design security strategies that are comprehensive, but sit on a proverbial shelf and are never implemented, or become outdated because they aren’t updated on a regular basis. That’s why it’s crucial to constantly put your strategy to the test. On the cybersecurity front, for example, most reputable IT security companies will have the capacity to regularly stage a mock hack of your systems to search for vulnerabilities, then suggest patches to reduce the risk of successful attacks by real cyber-malfeasants.
If yours is a retail organization, your security provider should put guards undercover (assuming you aren’t already using plainclothes personnel as part of a theft-deterrence protocol) to case your stores and highlight vulnerabilities. If it’s easy to walk in and walk out with bags full of merchandise, you know you have a major security problem.
Even if your business is based in an office environment, remember that one of the most common forms of crime is the physical theft of sensitive information contained on laptops, USB sticks or even documents left on employees’ desks. Thieves posing as couriers, employees or maintenance workers often walk into offices and walk out with multiple portable devices. How they got into the building in the first place is another major issue. Tightening access at key entry points is a relatively simple, but important, tactic to reduce risk.
Building stress tests into your protocol is the only way to ensure your organization’s security infrastructure is robust enough to prevent breaches, both in cyberspace and in the real world. Invest the necessary resources to stress-test your security systems at least annually, but ideally semi-annually, and then be ready to address any cracks that become evident.
Winston Stewart is the President and CEO of Wincon Security, a Scarborough, Ont.-based security firm that has delivered property monitoring and protective services to retail, commercial, industrial and condominium clients across the Greater Toronto Area for more than 25 years. For more information, visit www.wincon-security.com