If you’ve glanced at the news recently then you already know about the LifeLabs hack that compromised the data of approximately 15 million Canadians - nearly 40% of the entire country’s population. The medical lab test enterprise revealed that cybercriminals comprised their systems with ransomware well over a month ago, a ransom that LifeLabs paid in order to retrieve sensitive information and regain access to systems. While reports of hacks of this nature are unfortunately not all that uncommon, the concerning part is the blatant failure of the company’s cybersecurity protocol. As they scramble to recover and regain consumer confidence, organizations of all types should recognize these failures as a call-to-action to audit their own cybercrime strategy.
5 Things Organizations Can Learn from LifeLabs Cybersecurity Failure
1. Strict Adherence to PIPEDA is Mandatory
LifeLabs notified the Office of the Information and Privacy Commissioner of Ontario and the Office of the Information and Privacy Commissioner for British Columbia about the breach on November 1 2019. However, as of December 17th,
it was reported that the Office of the Privacy Commissioner of Canada had not yet received a breach notification report. A follow-up investigation is being made to verify whether or not there is a
violation of the most recent update to Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA).
PIPEDA requires that impacted organizations immediately report all breaches of security safeguards involving personal information that pose a real risk of significant harm to individuals to the Privacy Commissioner of Canada. In addition, organizations are required to notify affected individuals about said breaches in a timely manner. Given that most of the public is just now finding out about this in mid-December, there may indeed be a violation of the PIPEDA mandate, at which point LifeLabs may face significant fines.
Your company should take this lesson to heart. Ensure that you establish a stringent reporting protocol to respond to data breaches so that all invested parties receive word within PIPEDA’s suggested timeline. You don’t want the Privacy Commissioner of Canada to make an example of you.
2. Migrate Everything to Cloud
LifeLabs indicated that they paid a ransom (undisclosed amount) to get their data back. This implies that they may have not had redundant and readily accessible access to data, which gives hackers significant leverage. If your company does not have an immediately retrievable and a mirrored back-up of all data, you too are highly susceptible to a ransomware attack. Cloud migration is unequivocally the leading solution in both
data and disaster recovery. It allows you to access your files and rapidly redeploy infrastructure or services within minutes of an event.
View our whitepaper on why you need to migrate to the cloud today.
3. Score Your Security
Don’t blindly trust your current IT provider when they say that your systems are secure. We’re sure LifeLabs was confident in their security systems, but clearly this confidence was misguided. Moving forward you need a benchmark to reference, and a tangible way to see progress. This can be found with MS Office 365’s Microsoft Secure Score, an enterprise-level auditing solution that is driven by artificial intelligence (AI) and machine learning. The feature generates a security benchmark score for your company and identifies technical controls that will help protect users and sensitive company data. Even if you already subscribe to MS 365 there’s a good chance that you are not leveraging all of the robust features of Secure Score.
Learn more about MS Secure Score here.
4. Take a Better Accounting of Your Data
LifeLabs
admitted that they were unsure how many of the files were accessed during the breach. Without this information, how is a company to know which stakeholders need to be informed, what was lost and needs to be retrieved? Something as “simple” as turning on the MS Office 365 Unified Audit Logs (for those who subscribe) will allow you to keep a record of everything that has happened in your tenant for the last 90 days. This feature is very useful when your IT team attempts to piece together which files may have been compromised. Remember, an audit of your cybersecurity includes an up to date audit of all files.
5. Know When You’re a Hot Target
LifeLabs CEO Charles Brown called the incident a wake-up call for the industry, but to be blunt someone clearly slept-in because the health and medical industry has been a hot target for hackers for at least the last five years. Have a look at
2019’s list of top targets for hacking groups. If you identify your industry as one of them, it’s time to bring in a professional IT support firm for a cybersecurity audit because more than likely your business is on their (hackers’) list.
As a part of Fully Managed’s digital transformation strategy for businesses, we offer a
full suite of cybersecurity services. Don’t wait another minute to receive an audit of your systems,
contact us today.