The Globe and Mail

With more sophisticated data criminals, and more employees using their own devices or working remotely, protecting corporate data has become a key business issue.


On April 11, the Investment Industry Regulatory Organization of Canada (IIROC) announced the loss of a mobile device – reportedly a laptop – containing the personal financial information of about 52,000 brokerage firm clients.

"It just blew me away," Ontario Information and Privacy Commissioner Ann Cavoukian says in an online post. "I just couldn't believe that an investment regulatory body would be so irresponsible."

IIROC is facing multiple investigations, both internal and by third parties, and intense media scrutiny.

The breach is a reminder that, as organizations gather more and more data in the digital age, information is getting harder to track and manage. More employees are also storing company information on personal devices, such as smartphones, many of which are highly susceptible to loss or theft, and lacking in security basics such as passwords.

The threat is further magnified by modern data thieves, who are far more organized, sophisticated and resourceful than they were in the past. The dark side of the Internet has spawned a global black market where these individuals can seek criminal advice, purchase hacking tools and buy and sell information at the click of a mouse. "They are well aware that they can trade information like any other commodity," says Fazila Nurani, a legal expert with privacy consulting firm PrivaTech Consulting.

Data thieves generally use a series of low-cost, low-risk tactics for stealing information, some of which are remarkably simple. Social engineering, for example, involves duping unwary employees into giving up sensitive information, such as log-in credentials or client data. Criminals may pose as a member of an organization's information technology department, for instance, and ask employees via phone or e-mail to give up their password for security purposes. According to a recent study by communications giant Verizon, 29 per cent of data breaches leveraged social tactics, making it one of the most common ploys of data thieves.

It's also one of the most preventable. "Human error is the biggest risk, and that's where we see the most data security breaches," Ms. Nurani says. "A password's been given out, or a security patch hasn't been installed." Weak passwords based on birth dates or simple number combinations like 1234 are also common.

The role of human error, which can come from anywhere in the company, means that management can no longer afford to delegate data security to IT. According to a joint survey by accountants association CPA Canada and the American Institute of Certified Public Accountants, managing and retaining data is the top technology-related priority of Canadian accountants.

Organizations now have a fiduciary and, in many cases, legal obligation to keep clients' and employees' private information safe, and need comprehensive, top-down policies to ensure this.

"Given enough information, all breaches are preventable," says Nicholas Cheung, a chartered accountant and a director at CPA Canada. "The costs of reacting to breaches almost always exceed the cost of preventing them."

Claudiu Popa, president and chief security officer at Informatica Corp., says data classification should be the foundation of any data security strategy. Highly sensitive information, such as credit card numbers, is far more valuable to criminals than public relations contacts, and must be treated as such. "It's critical," says Mr. Popa, "because you can't protect all data to the highest degree."

Effective methods, such as data encryption, are expensive and cumbersome to implement, and most organizations can't afford to completely lock the door on their data. Still, it's essential for most to at least have data encryption capabilities, particularly on mobile devices, which are easily lost. "Everybody needs to know when they have to encrypt data, and how to do it properly," says Julie Thorpe, assistant professor at the University of Ontario Institute of Technology.

Employee education and training is another must. Many data thieves are experts at social manipulation, and employees should never give out sensitive information without proper verification.

Effective data security strategy is something of a cat and mouse game, as data thieves are constantly thinking up novel ways to undermine systems, and exploit the trust of others. Organizations must continually update their strategy if they want to keep up.

Fortunately, even projecting an image of security is a powerful deterrent. "Criminals, provided they are not ideologically driven, are fundamentally lazy, and they will go for an easier target," says Ian McPherson, a partner and national justice and security sector leader at KPMG. "They carry out their own risk assessments, just like organizations do."

A solid data security policy comes down to educational awareness, effective technological protection, and assertive governance.


Four points to keep in mind when formulating a data security strategy:

Provide leadership

Many organizations are guilty of throwing data security over the wall to IT, or thinking the latest and greatest security software provides complete protection. Data security is a business issue, not just an IT one, and managers need to treat it as such.

Educate employees

Most data breaches are the result of human error: lax passwords, lost mobile devices or unwitting disclosure to a data thief. Even the best technology is no match for a well-educated work force.

Encrypt critical data

This is especially important on mobile devices, which are easily lost or stolen. Passwords can be broken, but decryption is a vastly more cumbersome process for data thieves.

Have a retention and destruction policy

Too often, organizations sit on large databases of outdated information, digital or otherwise. This has little to no value to the company, but is a treasure trove for data thieves.
