Why marketers must engage on cybersecurity By Yves Paquette
lthough marketing professionals are naturally concerned about data confidentiality, data security is generally not very high on their priority lists mainly because they feel that it is the responsibility of other company employees. However, the recent introduction of stricter requirements in personal data protection legislation should make them verify whether the data they use are sufficiently well protected. Since November 1, 2018, all organizations subject to the Personal Information Protection and Electronic Documents Act (PIPEDA) must report to the Privacy Commissioner of Canada “any breach of security safeguards involving personal information…that poses a real risk of significant harm” to individuals. Organizations are therefore now required to keep records of all breaches and notify affected individuals about those breaches. That said, the definition of “significant harm” is relatively broad, including “bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property”. If all the information in your databases was exposed to the light of day, couldn’t one or more of your customers or prospects very well suffer harmful consequences? Companies that do not adequately protect the personal data in their possession are liable to be fined up to $100,000 for each offence, not counting other financial losses resulting from potential litigation. In addition to potential liabilities, these companies also run a major risk of damage to their reputation. This reputational risk is all the more serious given that Canadians are ❱ DMN.ca
particularly wary about how their personal data are used, and in fact are amongst the most mistrustful in the world. According to a recent KPMG study, nearly two thirds of Canadians don’t trust any organization to look at or hold their personal data with nearly one third (31%) unwilling to share their personal data for any reason1. Cyberthreats on the rise Alongside the above, perhaps not coincidentally, cybersecurity is a growing critical issue. It remains the Achilles’ heel for most businesses across the country. According to the 2019 NOVIPRO/ Léger IT Trends Survey2 of 476 decision-makers in Canadian companies with 100 or more employees, 28% acknowledge that they have already fallen victim to a cyber attack. Since most cyber attacks are not detected—including some attacks that successfully gain access to IT systems—the proportion of companies that have been hacked is certainly higher. Cyberthreats to companies are becoming increasingly numerous and varied because of growth on two fronts: ❯❯ First, the number of malware programmes is constantly increasing, with no fewer than three million new instances identified daily; and ❯❯ Second, the attack surface that companies offer hackers is expanding. In practice, the more the number of connected devices (e.g. laptops, phones, tablets, watches) used by a company’s employees, the more vulnerable the company becomes because these devices are endpoints that expand the perimeter of its network and constitute potential targets. At the same time, increasing use of cloud computing services disperses the company’s data into many environments, each with its own vulnerabilities.
If hackers access your databases, they can demand a ransom by making various threats, such as to destroy or publish your information or sell it to a competitor. Spies can also attempt to obtain strategic information about a new product that you’re preparing to launch. If you’re operating in a sector that has generated controversy or public debate (e.g. the energy or food sectors or industries considered to be polluters or corruptionprone), hackers can try to harm you by divulging confidential information. You might think that another manager in your organization is on top of cybersecurity and is fully aware of the obligations you need to meet. I sincerely hope your confidence is well placed! The fact is that companies generally do not seem prepared to meet the new data breach requirements with respect to notification. According to the 2019 NOVIPRO/Léger IT Survey, only around half of the companies polled (49%) would write a note to their clients in the event of a data breach, even though the survey was conducted shortly after November 1, 2018: the date on which the data breach notification obligation came into effect. Other worrisome news: only 40% of Canadian companies performed a security audit last year. Too many managers believe that their company is protected because it has a firewall and uses antivirus software, when, in fact, these solutions are often outdated and inadequate in meeting current cyber threats. A host of solutions and options There are a wide range of effective products to protect and defend organizations against cyber attacks. Here are just two examples: ❯❯ First, tools that give organizations a 360-degree view of their networks in order to
control access, track the activity of each connected device, and detect any deviant or suspect behaviour; and Second, security information and event management (SIEM) systems that can analyze security alerts in real time, facilitate a rapid response and determine how to counter any similar attacks in the future.
What’s more, specialized datasecurity firms can conduct security audits on your organization and help you perform “penetration tests” both externally and internally. These firms can also scan all your apps and other software that have been developed in-house or by contract developers in order to ensure that these programmes do not represent any risk for your company or its clients. You can also entrust the hosting of your critical data to a firm that operates a secure data centre. Even if you prefer to host your data in-house, given the scarcity of data-security personnel, you can ask an external partner to act as a managed security service provider. If necessary, an expert consultant can also play the role of Chief Information Security Officer (CISO) for your organization in order to fill any gap in your management team. Whatever the options are that best meet your company’s needs, you—as a marketing professional—clearly have everything to gain by ensuring that all your organization’s critical data are “cyber secure”. Yves Paquette is co-founder and president,
NOVIPRO (https://novipro.com). Yves uses the knowledge acquired during the last 30 years of his career to assist companies in their transformation. Since NOVIPRO was founded in 1993, the company has continued to grow and adapt to technological changes and market realities. 1 KPMG, “Me, my Canadian life, my wallet”, 2018. 2 NOVIPRO/Léger, “IT portrait of Canadian medium and large sized companies”, February 5, 2019.