Cyber Security in the Public Service

Every day, you rely on your smartphone for many tasks, from setting alarms to checking emails and browsing social media. Whether you use an Android or an Apple device, you are one of the many Canadians who rely on these platforms for daily needs.

At work, you use a Windows-based computer, and you may use Microsoft Edge, Google Chrome, or Firefox as your browser, depending on which ones are permitted by your organization. You follow Government of Canada (GC) policies and procedures for storing and handling documents and data, as outlined by your organization. You’ve completed the mandatory online security training, and you trust that IT security is effectively protecting the GC network and data.

However, it is important to understand how your personal and professional data practices are connected. You are the epicentre of a network of private companies that collect, store, and use your data in different ways. Each service or company operates under its own terms, privacy policies and security risks. When you share your personal data, you’re trusting various companies with your information. But when it comes to professional data, you’re safeguarding sensitive information belonging to the government and the public. As a government employee, it is important to understand how your data practices affect not just yourself but also the government and the public.

What is cyber security?

Cyber security is the protection of digital information and the infrastructure on which it resides, including your own data and sensitive information you store locally, online, or in the cloud.

Data breaches, hacking, malware, ransomware, viruses, phishing—you can’t avoid hearing about nefarious attacks and actors. The online world has become a scary place, and as a public servant, you have been warned about the need for cyber security.  Let’s explore different ways people view cyber security with a simple quiz.

Which one are you?

In both our personal and professional lives, we each have distinct roles and duties. However, regardless of these roles and duties, our personal values and how we see ourselves greatly influence our approach to handling data. If we don’t care about our own data, how can we be responsible and diligent with the data we handle at work?

Fear is a common response to threats, but it can also lead us to become defensive or reluctant to venture out of our comfort zone. When we learn about data breaches or cyber attacks, we might brush them off as irrelevant or inevitable, thinking, “that doesn’t concern me,” or “it won’t happen to me.” However, you could be targeted as a government employee, as a consumer, or as a Canadian, or you could get swept up in a broader attack that's not targeted.

What is the real risk of cyber attacks?

In 2024, the World Economic Forum identified cyber insecurity as one of the top five most likely global risks in the next two years. Misinformation and disinformation was ranked as the top risk.

Moreover, public concern regarding this issue is on the rise. The 2024 Edelman Trust Barometer revealed that 75% of Canadians worried about the existential societal fear of hackers, an increase of 5% year over year.

In light of these concerns, it’s important to address misconceptions. Cyber threats aren’t exclusive to large departments. Social engineering, ransomware, and various other attacks pose risks to organizations of any size. In the public service, the data we handle and the systems we use are all potential targets for hackers and competitors.

We often focus on the financial consequences of a cyber attack, such as the expense for new IT systems, security software, hardware and compensating those affected. However, it’s equally important to consider the damage to an organization’s reputation caused by such incidents. This reputational harm can devastate an organization and derail its efforts towards modernization.

Consider the potential consequences if:

• personal information entrusted to us by the Canadian population was lost or stolen
• your departmental network fell victim to hacking, with malware introduced into it
• a Government of Canada server experienced a coordinated surge in traffic, causing the server to crash and websites and services to become unavailable

How would these events reflect on the government's image? And what financial burden would taxpayers bear as a result?

Here are eight simple actions you can take to make yourself and your organization more secure from cyber threats:

• Secure your connections and devices.
• Keep an eye out for suspicious emails or texts: Can you spot a phishing scam? Many departments tell their employees not to open email from unfamiliar email addresses, even if the source appears to be reputable. Be wary of emails that contain grammatical or spelling errors, address you by your last name or your email address, ask that you click on a link, have suspicious attachments, ask for sensitive information, seem too good to be true, or make any kind of unusual request. When in doubt, follow up with the organization using a different method than the email or text, like via their official website or by calling them. Follow your organization’s steps for reporting suspicious emails. Be savvy about social engineering; it comes in many forms.
• Beef up your passwords: choosing better passwords or passphrases can prevent many cyber crimes. A longer password, think 12 characters or more, is strong against several types of password attacks. Do not reuse passwords or choose predictable ones like Password123. Making your passwords unique and a little more complex can make a difference.
• Maintain the physical security of organizational and personal devices: Keep external doors and file server rooms locked and refuse unauthorized entry to strangers. If a hacker can get into the building and sit down at a terminal, the job of breaking into a network is that much easier.
• Assess risk: Understand what to protect. Take proactive steps to understand the threats your organization faces and prioritize your efforts by honing in on medium and high risks.
• Be security aware: Make sure that you and your team are fully trained. Having the latest technology to protect yourself is not enough when your biggest flaw could simply be poor password management or how your coworkers are storing data. Do they know what’s expected of them and what’s permitted?
• Build a strategy: Much like you would plan what to do in the event of a fire, plan what to do before, during and after a cyber attack. The strategy should complement business objectives and focus on continual improvement.

Are you cyber safe? Take the Get Cyber Safe Checkup to find out.

Resources

• Course | Discover Cyber Security (DDN235)
• Course | Security Awareness (COR310)
• Article | Don't be a Character in an Espionage Thriller
• Article | Level Up Your Cyber Security Skills: Stay Ahead of Evolving Threats!
• Article | Outsmarting Social Engineering
• Article | Cyber Security Tips to Protect Yourself
• Web page | Report a cyber incident (for both individuals and organizations)
• Web page | Get Cyber Safe
• Web page |Canadian Centre for Cyber Security