Secure Data Management

Colin and Paul talk secure data management and company procedures, with Chris Yeo and Mitch Bernier from Professional Computer Services.



Paul Martin: Welcome to Risky Business Commercial Insurance with Butler Byers. Paul Martin, here, your host as always, and joining me today, Colin Rooke the commercial risk reduction specialist with Butler Byers. And then we brought a couple of experts with us. We’re going to pick up our conversation about, well, all things computers and cybersecurity and COVID and work from home and all of those topics that come from enabling personnel to work remotely or to work in the office and really how you update things.

So, joining us are Chris Yeo and Mitch Bernier, they’re both with Professional Computer Services. And gentlemen, thank you for joining us again today. And Colin, maybe I’ll get you to step up to the mic first. When we had this conversation in a previous program, in the last program, we were talking about, okay, COVID came, business went into crisis mode, we sent everybody home. It was kind of like, hurry up and just get it done. And now we’re six months into it. We kind of had time to digest this. We’re used to a little bit of it as it. From your perspective, what are the topics that you’re hearing about today that these guys need to be addressing for us?

Colin Rooke: Yeah, this topic is important because a lot has changed in the last six months. And I think, part two of the show is timely. I think last show we talked primarily about, okay, everyone’s at home, we’re scrambling to get set up. We talked about internet connection. We talked about productivity investment in technology that if you’re using dated and sort of older equipment, maybe, the business owners aren’t really realizing that old equipment means delays and less productivity. We discussed that, and in fact, it was such a good discussion that we didn’t get to the, okay, fast forward to now, what does business look like moving forward and how do we need to adapt? What should be implemented? Are there areas in the IT space that now need a second look or maybe there’s companies out there that are really have ignored it, and now they’re at the point where they can’t.

But from our perspective, and certainly around cyber, any sort of cyber liability application or questions around it, but also general liability as well. What’s new is we’ve got insurers really asking about the company set up. Are we a hundred percent remote? Is it a 50/50? Or what kind of spread? Are you all back in the office? And then what has changed? What new protocols are in place? Do you have a pandemic plan, for example? How have you increased cyber security as a result of COVID-19. There’s questions around equipment that has been brought to the home, are you bringing it back? Are you scrubbing it or are you tossing it? That sort of thing.


And then, it’s new to us. We haven’t had to answer these types of questions before, and I think it’s really important to have a conversation around what should be done. Do businesses need an IT audit? That’s going to bring them back to the sort of new COVID standards, really what should be done in this space?

Paul Martin: All right, well, let’s bring our experts in and let them respond to that. Chris Yeo and Mitch Bernier from Professional Computer Services. Guys, I’ve got this saying that, “A crisis is a terrible thing to waste.” Because people are really motivated to adopt new ideas and to accept change when they’re in crisis mode. So, six months ago COVID hit the pandemic. Lockdown began, businesses panic. We moved home, we did all the things we needed to do. That crisis part I think is over. So, now what? What are business owners saying to you guys when they’re coming to your office? Or what questions are you fielding most frequently?

Chris Yeo: Well, I think one of the things that are going on right now is businesses need to reevaluate where their data lives. How their staff are accessing it. And some of this comes down to security as well, because once you change where it lives at, you need to make sure it’s still secure. But each organization is going to be slightly different. At our office, we’re still only 40% working at our office for our workforce. I was talking to one of our customers today and they expect for the next six months that there’s going to be 75% working from home.


So, in order to make that most effective, they need to evaluate, “This is what our IT systems are doing for us now, is there ways that we can make this better?” And some of that can happen through a bit of an audit where you go where their IT provider or us would be able to go in and say, “Okay, well, this is what you’re doing now. This is some of the ways that you could make it easier, better for your staff and start moving that way.” Because right now, like you said, this is an opportunity for change.

Paul Martin: Those numbers fascinate me because I think we probably thought, well, those things started to reopen back in July and it’s been gradually more and more as we’re moving along. That probably there was a perception that we would by now be kind of everybody getting back to the office. But you’re saying the opposite of that. That there’s a lot of organizations you’re talking to, as many as three quarters of their people are still at home.

Chris Yeo: Yeah. I don’t foresee us going back the exact same way that we were six months ago. Not for maybe two years yet, because people are going back to school now. The kids are in school. They are going to be bringing potential COVID home. We can’t have that potential COVID come home and then have the parents go to the office and get everyone sick at the office. So, there are lots of organizations that are telling their staff, if you can still work from home, let’s keep you working from home. At the beginning of the pandemic, they talked about air quality. The air quality in New York increased substantially because people weren’t sitting in traffic driving. And, that isn’t something that gets talked about very much related to COVID is, there’s areas in the world where things are actually better because we’re not driving as much.

Paul Martin: It does raise some, I guess, management challenges, if I can use that. So business is going to operate differently. I’m guessing that they’re asking people such as your organization, how do we cope with that? Even our own conversation, last show, we talked about just internet connectivity at home. Some that’s like, sort of 101. Now we’re in the 200 level class, which is, you’re saying where’s data living. What’s the 300 level class going to be? What are the big picture issues that business owners need to be asking themselves so that they can ensure that A, they’re productive, but B, they’re secure?

Chris Yeo: Well, that is certainly a pretty big question because when you look at some cloud computing, you have to look at where the data resides in. And from a privacy point of view, the healthcare industry, well, everything basically that is not in the phone book, is covered by PIPEDA. And that basically, if you store your data outside of Canada, that data is not covered by that anymore. So, certain cloud providers don’t have cloud services in Canada. So, then your data, it could be accessed by people that shouldn’t have access to that. And that is a big concern and it should be a big concern for every company in Canada is where the data actually lives, if you’re putting it in the cloud.

Paul Martin: Listen, that’s a very big topic and I want to dig into it a little bit, but we’ve got to take a break. So, if you’ll just hang with us for a minute, Chris, and we’re going to take a short break. You’re listening to Risky Business Commercial Insurance with Butler Byers. Back after this.

Welcome back to Risky Business Commercial Insurance with Butler Byers. Paul Martin here and joining us today, Colin Rooke the commercial risk reduction specialist with Butler Byers. And we brought in a couple of experts to provide us with some insight, Mitch Bernier and Chris Yeo from Professional Computer Services. And Chris, just before the break, you were talking about the sort of regulatory or legislative imperatives that come with this. There’s the whole notion of just finding a place to put your data. First, you have to decide who’s going to access it, and where am I going to store it at?


Am I going to keep it in my office? Or am I going to use a sort of centralized cloud service? And then if I do that, I wonder how many business owners really understand PIPEDA, or the Privacy Act, and their obligations under that kind of legislation. Do you find yourself being a bit of a tutor on that topic?

Chris Yeo: Yeah. We’ve talked to a number of our customers about this. There are some really odd requirements, depending on which legislation you’re looking at, between CASL, between PIPEDA, between the health regulations. From a legal point of view, as a small business owner, if one of my staff is leaving and I’m going to forward that email or forward that person’s email to another person, if there is an email that comes in that is, let’s say, sensitive, whether it’s financial, health, whatever, and it gets forwarded to that other person. Well, CASL says you can’t forward that without the original person, one of the original people’s approval.

So, when you’re onboarding your staff, you should have a document that says, “If you leave, you should know that we are going to forward your email to someone else.” And that you agree to this. Because if that happens, technically through CASL, you are breaking the law. And then if you send somebody’s personal information, AKA health or financial, to somebody else, then, it is all sorts of trouble that you’re looking for.

Colin Rooke: If I can interject, Paul-

Paul Martin: Yes, go ahead, Colin.

Colin Rooke: …you mentioned do business owners understand this, and largely it’s no. And it’s complex, but I would say from my perspective, we spend a lot of time explaining what’s required, what the act means, the changes to that act. There’s certainly a lot of unknown. And then we’re talking about requirements around breach notification. We’re often told later on, “Oh, such and such happened six months ago, but it was fine that we handled it.” Of course our answer is, “Well, it doesn’t end there. You’ve got a duty to notify.” There’s steps you must take when there’s a breach. It’s no longer okay just to say it’s looked after. So, just want to interject with… I agree with Chris that there’s a lot of unknown.

Paul Martin: Colin, while you’re at the microphone, maybe I’ll just put this question to you. The purpose of the show, what we talk about is helping business owners navigate the world of getting insurance coverage. What are insurers saying about this topic that we’re talking about? They probably have some views as well.

Colin Rooke: Yeah. So, cyber security continues to be a hot topic, and it is a weekly thing. There’s a lot of concerns around what companies are doing during COVID and then what will they continue to do, I don’t want to say post COVID, because I don’t see it going anywhere anytime soon. But, what’s the plan now? They’re concerned that, is there education being provided back to the what worked six months ago? The IT is set up for being in the office and, for the regular course of business and how you’ve always ran. And then, now we’ve had to upset that. The concern is, did you make the necessary changes? The remote access, is it secure?

How are you accessing? How many people are accessing? Has there been any advancements in cybersecurity, or do you plan for additional advancements? We’re getting asked a lot more often. I don’t want to say all the time, but certainly in certain classes of business, are you encrypting data? Why or why not? When will you? We’ll actually have terms will say, “We’ll renew this year subject to data encryption by such and such, or two factor authentication.” Previously, again, that was a wishlist. Now we’re saying, or now we’re hearing, it’s got to be done. So, I think it’s a really important time to talk to a company like Professional Computer Services to say, “I’m hearing about these requirements. I’m hearing there’s a lot of terms I don’t understand. I’m getting some questions that I may not know the answer to. Do I have the correct setup for now, but even into the future?”

It does include just connection, right? Productivity, engagement, but also either current or future compliance issues. So, if you think about it from the coverage perspective, if nothing’s done, we’re going to run into scenarios where businesses are struggling to find the coverage. Certainly around cyber security.

Chris Yeo: And, Colin, I think that when you talk about education, I think education is going to be a key component for any cyber security piece. Your staff have to be able to recognize when somebody is trying to get information from them that they shouldn’t be giving. It happens way more than it should, where people will give usernames, passwords, birth dates, all sorts of things that you really shouldn’t be giving to somebody. And then a week later, their bank is phoning them to talk to them about their credit issues that they’ve got, because somebody has gone and has taken that information and utilized it to try and get credit.

Paul Martin: If you think these guys are no good at it, they broke into CRA, right? That was one of the latest ones, but yeah. So…

Colin Rooke: Yeah, that sort of it was like a landmark cyber breach, right? I would think that CRA has decent cybersecurity measures in place and look at the result. And so, if you’re not CRA, and I would argue that most businesses are below that level of security, then you are certainly at risk.

Paul Martin: We’ve only got a few seconds left, but the topic there was credential stuffing, which is something we talked about on a previous program. So there’s the hardware piece, which you guys are helping us understand today, that sort of technology element. There’s also processes that business owners need to put in place so that their staff are actually taking advantage of best practices today, in terms of what you do just procedurally can help to protect the organization as well.

Gentlemen, I want to thank you as always. Time goes by very quickly in this, but this is the topic. We brought you back for a second show. No doubt that there’ll be more to talk about in the future. So, I look forward to the next time we have you back, Chris Yeo, Mitch Bernier with Professional Computer Services. Thank you very much for joining us, and Mitch, next time we’ll give you a chance to talk even. So, all right. And Colin Rooke, commercial risk reduction specialist with Butler Byers. You have been listening to Risky Business. Thanks for joining us. Talk to you next time.