21 June 2019

Protect your business from a data breach

A data breach can be costly for any business. Visit our site to find out what you can do to safeguard the personal data in your organization’s care.


Data breaches are big business for cybercriminals. Organizations collect a wide range of personal data on their employees and customers – data that is of great interest to hackers. A survey conducted by Statistics Canada found that about half the cybersecurity incidents reported by companies in 2017 involved perpetrators attempting to access unauthorized or privileged areas or to steal personal or financial information.[1]

Cybercriminals are searching for personal information – such as names, passwords, social security numbers, emails, addresses, account numbers, IP addresses and more – that can be sold on the dark web and/or used to gain access to other sites, such as financial or e-commerce sites.

Reduce your risk

Siva Ram, HSBC’s Head of Business Security and Fraud, Global Liquidity and Cash Management suggests the following approaches to minimize the risk of a data breach:

  • Complete a risk assessment and identify issues that need to be addressed. Use a framework such as the NIST Cyber Security Framework or the Center for Internet Security – Critical Security Controls to identify assets and issues.
  • Know what regulatory requirements apply to your organization, in terms of cross-border data sharing restrictions, GDPR, PIPEDA or other regulations. The Government of Canada has a suite of resources to help you understand your privacy obligations under PIPEDA and provincial privacy laws, as well as guidelines for protecting data, requirements if you are transferring personal information to an organization in a foreign country for processing, and a summary of the GDPR.
  • Implement well-defined authentication requirements and access controls.
  • Ensure you have multiple levels of control in place to protect against attacks – including hardening your servers, segmenting your network, appropriately firewalling wireless access points, constantly updating software to the most secure versions, and installing anti-malware scanners on email and web gateways.
  • Limit staff access to sensitive data to the minimum needed to perform their function. For example, do not allow root privileges for application accounts and tailor your roles to ensure there are no superfluous privileges. This will help contain damage in the event of a breach.
  • Implement multi-factor authentication and multi-step login processes.
  • Have detection tools in place so you can immediately detect an attack. Many automated tools are available; typically you will require a central log analysis tool to correlate the data coming in from multiple sources. The generated alerts will be sent to a Security Operations Centre, which will then follow clearly laid out procedures for escalation and response.
  • Constantly raise awareness of cybersecurity threats with staff so that they are more likely to spot phishing emails or other attempts to gain access to your system.
  • Develop an incident response plan that includes securing data; communicating with regulators, customers and other stakeholders; and taking some or all of your services offline to contain damage.

As an individual, you can also take steps to protect yourself from the consequences of a potential data breach. At the very least:

  • Use a different password on each online site where you have an account.
  • Enable multi-factor authentication if it is available.

Knowing your obligations to safeguard data

All businesses are required by the Personal Information Protection and Electronic Documents Act (PIPEDA) to safeguard personal data in their possession and to alert their customers and the Office of the Privacy Commissioner of Canada if there has been a breach. Penalties for failing to follow the law include fines of up to $100,000 per violation.

If your business operates internationally, you’ll also need to stay abreast of applicable foreign regulations. For example, if you do business in the European Union, you must comply with the General Data Protection Regulation (GDPR) and its rules for how organizations can collect, use and store personal data – including data held offsite or with vendors. Failure to comply can result in high financial penalties.

The costs of a data breach

While legislation is one way of forcing companies to protect personal data, the cost – both financial and reputational – of a major data breach is often far higher than any penalty.

A global study of 10,000 consumers found that 70 per cent of respondents would no longer do business with a company if their data had been breached and 93 per cent would consider taking legal action.[1]

Education is your strongest defence

Protecting against data breaches is a shared responsibility. Individual error – such as falling prey to increasingly sophisticated phishing attempts – remains one of the top reasons for a breach. Make education a priority within your organization so that all employees maintain a healthy vigilance when it comes to cybersecurity and know how to recognize text and phone scams, phishing and business email compromise scams.

[1] https://www.cutimes.com/2017/11/29/70-of-consumers-would-stop-following-a-business-af/?slreturn=20190208145923

Disclaimer

The information presented is not meant to be comprehensive and does not constitute financial, legal, tax or other professional advice. You should not act upon the information contained in this document without first obtaining specific professional advice. While reasonable care has been taken in preparing this document, HSBC does not make any guarantee, representation or warranty (express or implied) as to its accuracy or completeness. The information presented in this document is subject to change without notice. Certain of the products and services offered by HSBC and its subsidiaries and affiliates are subject to credit adjudication and approval. This document does not constitute an offer to provide the services and products described and the provision of such services and products remains subject to contract.

Issued by HSBC Bank Canada (“HSBC”) © Copyright HSBC Bank Canada 2019. ALL RIGHTS RESERVED.
