Welcome to The
QuickLearning Centre!

Think of this as your quick access dashboard for learning here at QuickProtect. Find an answer to your question or brush up on your cybersecurity and IT knowledge, all in one place.

You Ask, We Answer

Archives: FAQs

What's a firewall?

A firewall is software or hardware that sits at the edge of your network between your company and the Internet. It’s designed to keep the bad guys out and to allow legitimate connections into your network if needed (think email, access to a company website if it’s hosted locally, etc.). A firewall acts a lot like a traffic cop: it stops you at the edge, decides whether or not to allow the traffic that’s coming in or out of the network based on a predefined set of rules, and then either permits, blocks, or drops the traffic, depending on what the rules tell it to do. Every company needs a firewall to protect their employees, their systems, and their data.

I keep hearing about MDR, what's MDR and do I need it?

MDR is an acronym for Managed Detection and Response. It also goes by EDR, Endpoint Detection & Response, and XDR, Extended/Anything Detection & Response. In a perfect world it’s designed to act as an early warning system, letting you know in real time if something bad is happening against your network or systems and in some cases to automatically respond on your behalf, either with tools or

Why do my customers want to know about my security practices?

They say a chain is only as strong as its weakest link. That holds true with cybersecurity as well. With most companies outsourcing services to companies like yours (and ours!), what we do to protect ourselves directly impacts the overall security posture of our customers. There’s a lot of talk around third-party vendor risk management. Companies want to know what you’re doing to protect yourself and any information and resources you’re providing to their business. Don’t be surprised to see risk assessment questions on RFPs and as part of Master Service Agreements (MSAs). Vendor risk assessments are here to stay!

How do privacy requirements affect me?

Privacy and security go hand in hand but they deal with two different aspects of information protection. Security focuses on protecting the information from unauthorized access while privacy focuses more on protecting the contents of the information and making sure it isn’t accessed or shared inappropriately. Companies have an obligation to ensure that any sensitive information they have (employee data, customer data, transaction data, etc.) is not only secured from unauthorized access, but is also handled properly even by those people who are authorized to access it. Think of health records as a good example; while a health practitioner may have access to all Ontario health records through a digital platform, they are only authorized to access records directly related to patients they are working with. If they access records of someone who they shouldn’t (remember when Rob Ford was in hospital and some of his information was leaked?) it is considered a privacy breach but not a security breach.

What's PIPEDA?

Canada’s law around privacy, the Personal Information Protection and Electronic Documents Act (PIPEDA), governs how private Canadian companies are responsible for the collection, use and disclosure of personally identifiable information (PII) during the course of their regular business activities. Each company has a responsibility for ensuring that it only collects information that it needs to conduct business and that it stores and controls access to that information in a secure fashion. It should also make sure that it securely destroys that information as soon as it no longer needs to keep it. PIPEDA also has strong breach notification provisions, meaning that if you have a breach, you have an obligation to report the breach to both the people affected by the breach and Canada’s privacy commissioner. Failure to do so can result in significant fines and penalties.

What's PCI?

Payment Card Industry (PCI) is a set of standards created to ensure that when businesses take credit card payments online, they do it in a secure manner and minimize the risk of credit card theft. The PCI Council creates the rules (there are 150 of them) which dictate everything from firewall configuration to security protection on devices used to store, process, or transmit credit card data. The onus is on the business to ensure you are following the guidelines and to periodically (typically at least annually) conduct a self-assessment against the requirements to make sure you’re still compliant. Failure to follow the PCI guidelines can result in fines and can also result in your business not being able to take credit card payments.

What's GDPR?

The General Data Protection Regulation (GDPR) is a law created by the European Union to protect its citizens’ information. It includes the concept of the “right to be forgotten”, meaning if an EU citizen doesn’t want you to have their information, they have the right to request that it be deleted entirely and to expect proof when completed. The GDPR doesn’t directly apply to North American companies; however, we expect something similar will come into law in Canada (Bill C-11), and different US states have started to implement their own variations, including California and New York. If you do business in the EU or have EU citizens as customers, GDPR applies to you. Take it seriously, as significant fines for non-compliance can apply!

What's the NIST Cybersecurity Framework (CSF)?

The National Institute of Standards and Technology (NIST) was tasked in 2012 by then-president Obama to create a set of common-sense protection actions that SMBs could take to better protect themselves from Internet-based exposures. The result of their activities is the Cybersecurity Framework (CSF), a set of foundational controls that provide guidance in 5 key areas: Identify, Detect, Protect, Respond, and Recover. They provide guidance on not just what should be done but also, in some cases, prescriptive directions on how to protect your business, your employees, and your data.

What’s CCPA?

The California Consumer Privacy Act (CCPA) is a state statute designed to protect the personal information of California residents. It gives residents the right to know about information being collected about them and why it’s being collected, the right to request information be deleted (with some exceptions), the right to opt-out of having their information sold, and the right to non-discrimination for exercising these rights. Only California residents have rights under the CCPA. Further, the CCPA only applies to for-profit businesses and those doing at least $25 million USD in annual sales.

What’s a SOC Audit?

A Systems & Organizations Control (SOC) audit provides information about how a service provider is operating. It’s typically validated by an independent third party and provides insights into security, availability, processing, confidentiality, and privacy. Basically, it’s an overview of how the service provider manages its operations. The SOC report acts as an extra level of assurance for a customer doing business with a service provider. It also gives the service provider a set of guidelines to follow to help them protect their business and their customers.
