LifeLabs signage is seen outside of one of the lab's Toronto locations, Tuesday, Dec. 17, 2019. The LifeLabs breach included a database containing health-card numbers, passwords and more, while as many as 85,000 Ontarians’ medical-test results were obtained.Cole Burston/The Canadian Press
When LifeLabs Medical Laboratory Services revealed in December that the personal information of as many as 15 million Canadians had been stolen in a cyberattack, it had the distinction of capping off a historical year for Canadian data breaches.
Even before the LifeLabs incident, most Canadians – more than 28 million – were affected by 680 breaches between Nov. 1, 2018, and October, 2019, according to the federal privacy commissioner.
There were four million people who had data stolen from the Desjardins Group credit union. A Capital One Financial Corp. breach affected six million Canadians. In mid-December, the LifeLabs breach included a database containing health-card numbers, passwords and more, while as many as 85,000 Ontarians’ medical-test results were obtained.
Innovation has always been an arms race – not just among companies and countries, but between bad actors and everyone else. Advances in cybersecurity are met with advances in threats: data breaches, ransomware and privacy infringements as personal as in-home camera hacking. And cybersecurity experts say Canadian governments, citizens and businesses each need to arm themselves for the coming threats.
Things are going to get worse.
“Breaches are not going away,” says Sylvia Kingsmill, a Toronto-based KPMG partner who leads its national privacy and information-management team. “They’re going to increase in size, scope and magnitude. And they’re going to be happening in parallel with one another.” Senior corporate managers need to recognize that this is going to be the new norm. “Try and take preventative steps to pretend like it’s going to happen every day,” Ms. Kingsmill says.
Ray Boisvert, a former assistant director with the Canadian Security Intelligence Service who is now a security-focused associate partner with IBM Canada, adds: “Threat actors are so profitable they can keep investing in themselves.” Companies don’t just need to increase cybersecurity budgets to prevent problems − they also need a response plan in place. This includes a plan to responsibly communicate what happened in an attack to customers, stakeholders and the media, Mr. Boisvert says.
Governments will need to act.
Canadian law is particularly toothless when it comes to data breaches. “There are no consequences in Canada,” says David Shipley, chief executive of Beauceron Security Inc. in Fredericton. “It doesn’t have to be this way.” While Ottawa unveiled a “digital charter” in 2019 and promised data-protection legislation, federal Privacy Commissioner Daniel Therrien has argued that the government’s promises don’t go far enough.
Mr. Shipley agrees, pointing to the European Union’s General Data Protection Regulation, implemented in 2018, which allows countries to fine organizations for insufficient data-security measures.
How does Canada compare? “Imagine you’re a crime-scene investigator,” he says, “but you can’t charge the perpetrator. … If companies are not held accountable, they will not invest in security.”
New ways in.
Security experts have a range of views on smart home devices such as the Google Home speaker or the (reportedly rather hackable) Amazon Ring cameras. Few of those views are optimistic; some are dire.
“Don’t put internet-connected cameras in your house; don’t put internet-connected microphones in your house,” Mr. Shipley says.
Others take a more moderate approach; Greg Young, the Ottawa-based vice-president of cybersecurity at Trend Micro Inc., says people simply need to be cautious – don’t install cameras indoors, for instance, or at least ensure they’re off when you’re home.
This gets more complicated when intertwined with another trend: remote work. Employees working outside of a company network need to take extra precautions with network security, and keep smart recording devices out of their work space, Mr. Young says. “Even if they work for a secure company, their home environment may not be secure.”
Threats will get more creative.
As artificial-intelligence technology continues to rapidly mature, so, too, will the abilities of bad actors. Manipulated videos or audio recordings using “deepfake” AI tech could be used to manipulate investors, and in turn, stock prices; workers could be duped by fake recordings of managers or executives to work against a company’s best interest.
And while the growing number of sensors and computing capabilities in industrial devices can help companies become more efficient, they can also become security risks without precaution and planning. The further development of more powerful and faster 5G telecom networks and hardware, too, will come to the fore in 2020 −particularly as Canada continues to weigh the risks of letting Huawei Technologies Co. Ltd. deploy its 5G tech here.
The downside of quantum innovation.
As powerful quantum computing becomes more accessible in the coming years, it will come with danger. Researchers at the U.S. National Institute of Standards and Technology believe that quantum computers could crack today’s encryption standards within the next decade. Businesses need to review their encryption systems now and prepare to be agile.
“2020 is really the time to be thinking about how you factor that into design plans,” says Scott Totzke, CEO of Waterloo, Ont., quantum-security firm ISARA Corp.
Your time is valuable. Have the Top Business Headlines newsletter conveniently delivered to your inbox in the morning or evening. Sign up today.
Josh O’Kane