Erin Kelly is a consultant in the cybersecurity industry.

One of the first things I learned when getting into the field of information security was that there is simply no such thing as a secure system. So, when I recently received a letter from my provincial government informing me that I had been selected to take part in a privacy-assured health survey, I approached it with a bit of suspicion.

As instructed, I went online and was presented with an extremely personal set of questions. How many sexual partners have I had in the past six months? Had I consumed any illegal drugs? Which ones? And did I have any sexually transmitted diseases?

These are all questions that might be awkward in the privacy of a physician's office, but that were downright creepy in the context of an online government survey.

Naturally, since I work in cybersecurity, I wanted to see how secure and private the survey really was. I phoned a number on the letter and was greeted by a very polite call-centre employee who offered to answer any questions I had about the survey's security.

So I asked her which security protocols were in place. For instance, were they using COBIT, the security standard for information technology that is used around the world in government and business? She had no idea what COBIT was, assuring me only that what they had was "100-per-cent secure." But as Purdue University professor and leading IT security expert Gene Spafford has noted: "The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards – and even then I have my doubts."

Organizations that take security seriously will say they are "PCI compliant" or "ISO certified," which means they have followed a known and published standard or protocol to protect customer or employee data and ensure security and privacy. Companies that care about information security and privacy will proudly boast when they are compliant with these standards and protocols. I advised the call-centre agent that her claim to be 100-per-cent secure suggests that the ministry is actually ignorant of cybersecurity. I guess this is where she had to go off-script – she said she'd pass along my concerns and have someone get back to me.

I'm still waiting for that callback. You'd think that a provincial government ministry running a public health-care system would take security seriously.

Ah, you might be saying, they just outsourced that survey to a call centre. But outsourcing is no excuse. Companies that care about customer privacy take the time to vet their outsource partners to ensure that they adhere to the same privacy and security standards. You don't want your partner to be the weak link in the chain.

Indeed, the majority do this by having the host company sign documents attesting that they comply. A full 10 per cent of companies go the extra mile and receive real-time security and usage reports and alerts from their partner companies. Applications such as RapidPhire by Phirelight Systems enable them to see how their partners are using their networks and storing their data as well as receiving security alerts. Now that's taking security seriously.

If my health ministry ever got back to me, the next question I'd ask would be: "Are you securing all your networks, or just some?" Many companies, lured by the cost savings of switching their phone systems to voice over Internet protocol (VoIP), neglect to include the voice network when listing their security compliance. In fact, a 2015 survey of 100 companies conducted by VoIPshield Systems showed that just 3 per cent of companies and organizations were securing their VoIP systems. And guess what? The Canadian government is not among them.

In 2014, the government put in a VoIP system and neglected to include security in the request for proposals. This has never been rectified, despite news reports about it. Sadly, it probably won't be rectified until there is a major security breach through the phone system of some major organization. That breach may well have already occurred – it just hasn't been discovered yet, because there is no VoIP security system in place to detect it.

As for my health questionnaire, I never did fill it out. If my provincial government was trying to get a broad sample of its population – men, women, educated, poor, wealthy – they are probably finding that the results from the survey are a bit skewed. I mean, who gives personal health details in an online survey? Not me. And probably nobody else who knows anything about IT security.

To be clear, "100-per-cent secure" is 100-per-cent pure baloney. Remember that the next time you give personal information over the phone or online to a government employee.