In today’s digital age, the security of personal and sensitive data has become a major concern for individuals and businesses alike. From financial information to personal identifiable information (PII), data breaches and unauthorized access can lead to severe consequences.

Thus, it is crucial to ask the following question: Who has your Information?

Private and public organizations alike are targets not just for hacking and ransomware but are also targets to foreign governments.  In the public safety industry, we regularly collect data of residents whenever we interact with them – and are entrusted to keep this information safe. In 2021, 85% of Canadian organizations have been affected by cybercriminals.

When you select a technology provider to supply you a system to manage this information, you are also trusting them to keep this information safe and banking your reputation on them.

Are you sure that you have entrusted your information to those that will keep it secure?

Not all companies take this responsibility seriously and not all data breaches are as obvious as a giant balloon floating overhead, leading to data breaches and other security incidents. Therefore, it is essential to do your research and choose reputable companies and organizations that have a strong track record of data security.

Here are a few key questions to ask your technology providers:

Security Clearances

Who within the solution provider’s organization has access to customer/citizen information?  Some organizations are associated with foreign governments (e.g. China), and the data sets could be mined for private information.

Security clearances are an essential aspect of data security. Your solution provider should only employ workers and contractors who pass “Enhanced” or “Secret” security clearances from Police Forces within Canada.

Data Management

Another critical question to ask is whether your data is leaving the country. Many companies outsource their data processing, app construction and storage to third-party vendors, some of which are located within foreign countries. While this may be cost-effective for the company, it also poses a massive security risk to your information.

Even if data sharing was not intentional, what happens if it gets into the wrong hands?  This is where data encryption is critical to minimize risk of unintentional data loss.  Encryption should be leveraged when the data is on a device, in transit, and while it is stored.

Prevention

To prevent a bad actor from using the “front door” of your application to access information, a username and password are not enough these days.  Secure systems leverage multi-factor authentication to prevent unauthorized access to the information systems.

As well, the system should have regular Penetration tests to ensure that they are actively addressing security concerns within their systems.

Incident Management

If a data breach does occur with your selected vendor system, what are their processes to alert you to this?  Would you even know if your data was breached?

There are several processes related to incident management that your technology providers should be providing to ensure your protection.  For example, with the new bill C-26, Canadian businesses operating in critical infrastructure sectors will be required to report cyber-attacks to the federal government.

Certifications

We are not all technology or security experts, nor should we all be.  Adherence to certifications provides peace of mind that your information is protected and that you have selected vendors that value the protection of your information.

There are multiple certifications that you should seek when working with a technology vendor.  Each of the above categories has certifications that should be sought out to protect the data you collect and manage.

Your technology vendors should be adhering to the following security & process standards at a minimum:

Security Clearances

1. All staff within your vendor organization should adhere to “enhanced” or “secret” security clearances. These vendors should be able to present current clearances within your region.

 Data Management

1. The cloud that sores your data should provide a current SOC Level 2 compliance report.
2. The data should be stored in Canada or the United States, and never leave these nations.
3. The solution should either have an active “NPISAB” approval (Provided by the RCMP), or hold a current “CJIS” audit result if managed within the United States.

Prevention

1. Your solution provider should implement Multi-Factor authentication within your platform.
2. Your solution provider should provide results from regular 3^rd party penetration testing that includes the “OWASP” penetration of the system.
3. You may wish to request a current compliance with NIST or ISO 27001 standards.

Incident Management

1. You solution prover should adhere to ITSM processes for incident management.

In conclusion, data security is a critical aspect of the digital age. It is essential to ask the right questions and do your research to ensure that your data is secure.

We, at Smart Squad, take these questions seriously. With every member of our team working in the law enforcement branch in one way or another, we have security at the forefront of our mind.

You have to ask yourself, who has access to my information?