In late January of 2019, Dean Allison, MP for Niagara West, filed an order paper question pertaining to the federal government’s effectiveness at safeguarding the information it holds on file for Canadians. The government’s response, released a few weeks later, was eye-opening to say the least. Between January 1, 2018 and December 10, 2019 there were nearly 8,000 data breaches involving various government departments that compromised the personal information of approximately 144,000 Canadians. Moreover, not all of the Canadians affected have been told about it.
Leading the pack with more than 3,000 breaches affecting nearly 60,000 people was the Canada Revenue Agency (CRA). CRA blamed the incidents on misdirected mail, security incidents and employee misconduct. Of the three reasons listed, the latter two are probably the most intriguing, especially if you hold important management responsibilities in a large organization. For starters, you may want to carefully consider who has access to your customers’ sensitive information and what safeguards (if any) are in place to ensure that this information doesn’t fall into the wrong hands.
Protecting your customers’ sensitive information from both external AND internal threats is an enormous and necessary responsibility, regardless of business size or type. For example, you may feel that you have implemented effective controls for guarding against cyber security threats from outside the organization but what about what goes on within your own walls? Do you have internal policies and procedures in place that prevent or mitigate computer security breaches that originate with your employees – be they the result of simple carelessness, human error, or any other reason? Are your employees adequately trained in terms of what they can do in their everyday job functions to guard against cyber-attacks? If you are at all unsure (or even if you are sure that you have all the bases covered), a security gap analysis can be both an eye-opener as well as a crucial first step on the path to a secure business environment that is safe both from within and without.
Simply put, a security gap analysis provides you with a 360-degree view of your current security position: it compares the present state of your business’s information security with what its optimum state should be (which will vary from business to business depending on the industry it is in and its legal and regulatory limits). With this kind of intelligence about your business, you can see more clearly where you might be vulnerable and how those vulnerabilities may best be addressed. A gap analysis can also identify what the organization already does well, saving time and money by not tinkering with what is already working at the expense of what is not.
Making the decision to undertake a security gap analysis is one thing – the next step is making sure that it is done correctly. An effective security gap analysis should cover best practices for a variety of key areas which can impact security as well as provide benchmarks that you can measure your existing security policies against.
As to what a typical security gap analysis entails, the areas commonly reviewed as part of the process include organizational and management practices, personnel practices, physical security, data security, personal computer security practices, and incident response, just to name a few.
For a gap analysis to produce the best results it should be conducted by a neutral party, so as to ensure the process is unbiased. However, regardless of who ends up conducting the analysis, the final result should be a report that highlights the findings, including risks, recommendations, and compliance requirements for any specified standards that apply to your business.

Just about every day there is news of a new cyberattack that has affected a large, well-known business, a city, a state or province, or a government organization. As a result, customers’ trust and confidence in how both private and public sector organizations protect their data seem to be ebbing. Taking proactive measures to ensure the confidentiality of your customers’ or clients’ information, and being SEEN to be doing so, is a crucial step in creating and maintaining their confidence.