Keep your info (& your biz) secure with insights from our experts
Mar 10, 2022 | Resources
Business best practices evolve in response to the changing world around them - which is to say, quickly! And while your focus may (rightly) be on what got you into business in the first place, matters of security, privacy and compliance are both critical and complex.
Fear not! From prevention and detection to selecting the right partner, our experts are here to help.
Insights from Stefan DeCosse, Director, Information Security
Commit to continuous security awareness training.
While your people are your greatest asset, they can unfortunately also be your weakest link in terms of information security. It’s all too easy to accidentally click a malicious link or be fooled by a sophisticated phishing attempt.
The best way to combat this is to stay up-to-date and educate your staff on what to look for in general, plus current threats in particular. One trend we’ve noticed since the start of the pandemic: an increase in malicious messages purporting to be from local health authorities.
Invest in layers of industry-leading technology, and don’t be afraid of upgrades.
As security threats continue to evolve, so must your protection against them. While selecting well-reviewed technology upfront is critical, frequent reassessment of whether or not it still meets your needs is just as important. The security world moves fast, and what could have been an effective option two years ago might be practically obsolete today.
This means not only running updates (annoying? Perhaps. Necessary? Definitely) but also adding new solutions to fill the gaps. You’re safest if you’re leveraging multiple different security tools at once - that way, if one fails, you’ve got others in place as backups.
It can be challenging to know where to even begin in assessing the efficacy of your security system unless you’re a security expert by trade. Unless you’ve got the skill set in-house, I recommend hiring a consultant who lives and breathes security - they’ll set you on the right path.
Have a plan for detection and recovery!
If you do experience an information security breach, you’ll be best equipped to minimize damage and downtime if you’ve already got an incident response plan (IRP) in place. This should identify who needs to be notified (both internally and externally, like clients and other stakeholders), processes and procedures for offline work, how to isolate impacted systems, and more.
Much like information security itself, this isn’t a “set it and forget it” scenario - your IRP should change anytime you have an organizational change that would impact the response (including moving staff to a remote or hybrid work model). This means practice, practice, practice. And don’t miss an opportunity to learn from your mistakes!
Insights from Grainne Grande, General Counsel, Privacy Officer
Consult the experts to stay on top of privacy law changes.
Whether it’s the federal Personal Information Protection and Electronic Documents Act (PIPEDA), regional guidance around health information, or parameters for particular industries, there is a wide breadth of laws governing the collection, use, retention, transfer, disposal and security of your employees’ and clients’ personal information (PI). Do you know which laws are applicable to your day-to-day operations?
These laws change quickly; in fact, following Quebec’s recent privacy modernization, several other provinces are in the process of overhauling their privacy laws, many of which are likely to create new obligations for Canadian businesses.
Your best bet for making sure you’re aware of upcoming (and even more importantly, already-enacted) changes is to consult with trusted providers who can assist you in understanding, implementing and incorporating these significant privacy and workplace changes from a technology, compliance and operational perspective.
Brush up on privacy best practices for remote work.
Whether your staff is all-remote, hybrid or flexible, working out of the office presents its own privacy challenges. Two ways to avoid some of the most common pitfalls include:
- Creation and communication of remote work PI standards: These can include requirements for equipment and materials to be stored in a secure locked area when not in use, restrictions around which devices and networks employees use to access employer systems, or rules for where electronic PI is stored within an employer system.
- Training around sensitive and confidential material: Most businesses control some degree of sensitive material, including business information, PI, and intellectual property. Microtraining and “do’s and don’ts” are both effective ways of entrenching good habits and ensuring staff are handling this information with the required care.
Ensure your incident response plan addresses impacts on privacy.
As Stefan describes, having an up-to-date and well-rehearsed incident response plan (IRP) in place puts you in the best position to respond to any unexpected event, including a privacy breach. In fact, some federal and provincial laws, regulations, guidelines and contractual obligations may require certain organizations to develop and maintain an IRP.
From initial development to ongoing updates, it’s important to make sure your IRP takes into account the laws and best practices around PI and is set up to help you minimize damage.
Insights from Michael Penman, Chief Operating Officer
Understand how legislation influences your role… and vice versa.
Legislation changes fast - in fact, in response to the COVID-19 pandemic, over 400 administrative and legal changes impacting employers and employees were enacted in 2020 alone (Source: Canadian Payroll Association). In that time, payroll became a more strategic business function than ever before, providing guidance to their organizations on federal and provincial financial aid and incentive programs, as well as policy changes related to workers’ compensation, employment standards, pandemic pay, job protection, emergency leaves and tax administration leaves.
So while it’s of course important to stay on top of legislative changes, it’s also important to recognize that you have an influence on how this legislation evolves! The voices of the industry and industry associations are more influential than ever… so let yours be heard.
Partner with the pros to stay compliant.
Just like your clients rely on you for guidance (after all - you’re the expert!), you don’t need to shoulder the load alone when it comes to matters of legislation and compliance.
A trusted workforce management solutions provider will keep you informed about industry developments and what they mean for you. This allows you to focus on building your own clients’ trust, educating your staff and growing your business… and keeps you on the right side of compliance (a critical consideration in your daily operations).
Seek out training to guide the evolution of your compliance policies and processes.
It’s key to continue investing in compliance education and resources (whether that’s people, processes, solutions or technology). If we’ve learned anything in the COVID-19 pandemic, it’s that sometimes change is the only constant.
Since “you don’t know what you don’t know,” consider committing to periodically attending industry events and training sessions (whether virtual or in-person). They’ll connect you with peers and other experts, all of whom understand the challenges and opportunities you’re facing and can provide helpful feedback on how to best respond.
I also recommend periodic check-ins on regulatory agency websites and subscribing to industry newsletters and blogs, which will deliver insights right to your inbox.