Information protection solutions

Many businesses underestimate the amount of personal or consumer data they hold as well as the various regulations required for storing this data. Companies now face significant penalties—even when no data breach has occurred—due to complex and evolving global data privacy regulations. Many organizations are not fully compliant with data privacy laws such as evolving Canadian laws to protect consumer information or international regulations (GDPR, LGPD, PIPEDA) and may not realize the implications.

From data discovery to technical safeguard design and policy development, our team of privacy professionals will help your organization design a program to proactively comply with requirements. An effective data privacy program can also work in your favour as a competitive differentiator.

To establish an information protection program, an information inventory is critical—you cannot protect information unless you know what you have and where you have it. CISOs need to prioritize the creation of a central source of trust for information assets across the spectrum, quantify and classify it by risk to the organization and create handling and metadata requirements for consistency in ownership, tracking and application of controls.

Our industry-focused team understands how critical processes within organizations use information throughout its life cycle. Combining that experience with technology that facilitates the data mapping and inventory creation, we will work with you to create an information inventory and establish a process to future-proof it.

With the accurate, evergreen inventory in place, protection of data throughout its life cycle is the North Star of information protection. CISOs need to establish a process to capture where new assets store or transmit sensitive data while feeding the information inventory, then implement technology to enable that process. As controls are developed and applied, CISOs need to consider risk and regulatory standards/requirements to ensure alignment with compliance objectives and application of controls in a way that does not compromise the business. When not in use, decommissioning procedures should be developed and applied to evaluate stored data for removal, destruction or secured archiving.

Our team specializes in risk, data privacy and regulatory standards/requirements. We’ll advise you on the design and implementation strategy of an information protection program where data is secured throughout its life cycle. Whether assessing your current data protection practices or designing and implementing a future-state vision and roadmap, we’ll help you build a foundation to sustain your organization for the long term. We’ll advance your cybersecurity posture by incrementally improving capabilities at a pace your organization can successfully adopt while promoting transparency on how the program protects your sensitive data.

While most insider threat cases deal with unintentional disclosure of information, the biggest issue that CISOs face when protecting their organizations are the users themselves. Without an effective insider threat program, individuals with access to data can unintentionally store or transmit it outside of the protections of the organization. To combat this threat, programs should be designed and implemented to consider the identification and classification of individuals within the organization based on risk presented: access to data, system access levels, day-to-day functions, awareness, etc. Programs should also be designed to map threat mitigation techniques and programmatic means to mature the program to levels that are focused on behavioural analytics. Our team will help develop your program from creation of risk personas and classification schemas to implementation of tools and technology to make the protection of your organization from insider threats a reality.

To reduce the risk of insider threats that unintentionally discloses an organization’s information, user awareness programs need to mature continuously and rapidly. Organizations need to focus on regular dissemination of employee expectations and requirements for training and retraining, periodic evaluation of user adherence through social engineering campaigns, ingestion of threat scenario exercises for targeted trainings and communication, and defined frequencies for executives/VIPs, privileged users, employees with access to sensitive data and repeat offenders.

As your advisor, implementor and operator, we’ll work with you throughout your user awareness training life cycle. We’ll provide guidance on a wide range of awareness training solutions to meet your organization’s security needs including program development, content development, live/in-person training, provision and management of computer-based training solutions, social engineering campaigns for phishing and vishing fraud, and the metrics that demonstrate program success. Our team will tailor your security awareness program to fit your unique organizational culture and security/compliance objectives. All programs will be designed to drive employee engagement with relevant and interactive training units, both in person and online.