Federal cybersecurity bill may be 'Band-Aid on a bigger problem,' Waterloo, Ont., expert says
Waterloo cybersecurity expert points to EU, which fines companies that don't protect user data
A new federal bill would make it mandatory for businesses to report cyberattacks.
Eldon Sprickerhoff, the chief innovation officer and founder of eSentire, a Waterloo, Ont.-based provider of cybersecurity, thinks the proposed bill might be a Band-Aid on a bigger problem.
"If this proposed bill helps to improve the rigour of end-user data security, I am cautiously in favour of it, though the devil is in the details," Sprickerhoff said.
"I have broad concerns about the reporting process — to whom are you reporting this information, do we have some privacy regarding with whom the data is shared, where this data is stored."
Public Safety Minister Marco Mendicino said the Liberals' legislation would take additional steps to protect Canada's telecommunications, finance, energy and transport sectors.
After the government banned Huawei and ZTE from Canada's 5G network last month, it signaled new legislation would be coming to safeguard critical infrastructure.
Attacks on companies, universities, municipalities and even hospitals by cybercriminals who hold data hostage in return for a ransom have become alarmingly common. Some targeted organizations have preferred to pay the fee demanded to try to make the problem go away quietly.
In 2019, after a cyberattack on his city, Stratford, Ont., Mayor Dan Mathieson called for a national strategy.
Federal framework needed
Sprickerhoff thinks Canada should implement a federal framework on reporting incidents regarding data loss similar to the European Union's General Data Protection Regulation (GDPR).
Companies in the EU have to follow "a set of standards and requirements if they collect or process data from users in the European Union," he said.
The regulation is designed to protect the privacy and data security of all EU residents. Companies that don't comply face heavy penalties.
He noted eSentire protects the critical data of 1,200 customers in more than 75 countries.
What do you do when you're hacked?
When Woodstock, Ont., was targeted by ransomware in 2019, the city decided not to pay.
David Creery, the chief administrative officer for the city, says they spent over $600,000 to rebuild their system and try to find out how the virus entered their computers. The OPP's cyber crimes unit was notified but was limited in what it could do.
Since then, the city has made significant investments in both hardware and software and in training staff.
"You need to regularly provide training to your staff and users of your network on cybersecurity issues," Creery said.
"You have to keep cybersecurity in the top of their mind and provide them with ongoing training just so that they know they should maybe look at something a little more closely before they click that link."
The cyberattack in 2019 blocked access to email and most of the files involved in the operation of the municipal government for up to eight weeks.
Since then, Creery says, the city has not experienced an attack on its network, but he thinks Woodstock and a number of municipal networks experience attacks on a daily basis without knowing it.
"It's the reality of the IT world that we live in now that we are all constantly under attack," Creery said.
"I can fairly confidently say to you that they are trying to get into our network with password crackers beating at the firewalls. And that's not unique to us, that's a message that all municipal councillors, all hospital administrators, all boards need to hear that cybersecurity is a very important thing to be taken seriously."