Cyber Security in the Public Service
Every day, you rely on your smartphone for many tasks, from setting alarms to checking emails and browsing social media. Whether you use an Android or an Apple device, you are one of the many Canadians who rely on these platforms for daily needs.
At work, you use a Windows-based computer, and you may use Microsoft Edge, Google Chrome, or Firefox as your browser, depending on which ones are permitted by your organization. You follow Government of Canada (GC) policies and procedures for storing and handling documents and data, as outlined by your organization. You've completed the mandatory online security training, and you trust that IT security is effectively protecting the GC network and data.
However, it is important to understand how your personal and professional data practices are connected. You are the epicentre of a network of private companies that collect, store, and use your data in different ways. Each service or company operates under its own terms, privacy policies and security risks. When you share your personal data, you're trusting various companies with your information. But when it comes to professional data, you're safeguarding sensitive information belonging to the government and the public. As a government employee, it is important to understand how your data practices affect not just yourself but also the government and the public.
What is cyber security?
Cyber security is the protection of digital information and the infrastructure on which it resides, including your own data and sensitive information you store locally, online, or in the cloud.
Data breaches, hacking, malware, ransomware, viruses, phishing—you can't avoid hearing about nefarious attacks and actors. The online world has become a scary place, and as a public servant, you have been warned about the need for cyber security.
Which one are you?
Cyber Security Personality Quiz
Take this quiz to discover your cyber security persona and learn more about various attitudes and practices in digital security.
Instructions
This quiz consists of five questions, each with four answer choices. Please select the option that best describes your approach or reaction to the prompt.
Quiz
Your reaction to news about data breaches:
- A. I'm concerned but feel helpless to do much about it.
- B. I don't know if I'm part of the data breach, but I panic and immediately rush to check my security settings and change all my passwords.
- C. It's worrying, but I trust the systems in place to handle it.
- D. I stay informed and ensure my security measures are updated.
Managing passwords:
- A. I use the same few passwords; it's too hard to remember more.
- B. I'm always on the edge, relying heavily on my password manager and constantly updating my passwords, fearing the impending threat of cyber attacks.
- C. I have a few passwords I rotate; it seems sufficient.
- D. I use strong, unique passwords for different accounts.
Your approach to new apps and services:
- A. I don't read terms; they're going to do what they want anyway.
- B. I fear potential data breaches, so I meticulously analyze the terms and investigate the app's security policies.
- C. If it looks fun or useful, I'll try it out without much worry.
- D. I like to inform myself about the security concerns and strengths of an app before installing it.
When you hear about advanced cyber security measures:
- A. It sounds too complex; I wouldn't know where to start.
- B. I focus on all the technical details and the latest cyber security measures.
- C. Seems like overkill for someone like me.
- D. I keep up to date and apply what's relevant and practical.
Your view of online privacy:
- A. It's a lost cause; everything is public now.
- B. It's a constant battle that needs vigilant defence.
- C. I'm not too worried; I have nothing to hide.
- D. It's important, but manageable with the right actions.
Scoring and results
Scoring
If you have a tie, review the questions involved in the tie to determine which letter you most strongly identify with.
Results
Mostly A's: Maybe you are thinking, “It's too late. Privacy is dead and I have nothing to hide, so I've given up trying to protect myself from threats. Yeah, it's scary, but I really can't do anything about it.” However, you have more control than you think, and we are fighting this fight together.
Discover Cyber Security (DDN235) is a short, info-packed course recommended for anyone as an introduction or refresher. If you have the basics and want to go a little deeper, you might try Cyber Security for Small and Medium Organizations or Cyber security considerations for social media account management.
Mostly B's: Maybe you are thinking, "Black Mirror is an accurate portrayal of what's already happening. There are malevolent groups out there mining our data for profit and orchestrating personal attacks. Ordinary citizens like me are at real risk. We have to read the terms and conditions of every app we download, carefully manage privacy settings on every device, cover our cameras, and assume everything we post, draft or say out loud can be used against us." While it's important to pay attention to risk and threats, it's also important not to let excessive fear and paranoia take over. By making smart decisions and practising good cyber hygiene, you can protect yourself without having to put in a lot of effort.
Here's an article to get you started: Level Up Your Cyber Security Skills: Stay Ahead of Evolving Threats (DDN2-A19).
Mostly C's: Perhaps you are thinking, "Social media and apps have had a hugely positive impact on my life. I love being connected. The benefits of living digitally far outweigh the risks. People might occasionally get scammed, but banks and the government are looking out for us, so the risk is pretty low. Fake videos are made about prominent figures; I'm not rich or famous, so I'm not concerned." However, consider the risk versus the reward. You are probably exposed to more risk than you realize, and both limiting your exposure and adopting good cyber security practices are really worthwhile. Maybe ask yourself if the post, activity or technology is really benefitting you.
Here's an article to get you started: Outsmarting Social Engineering (DDN2-A29).
Mostly D's: Maybe you are thinking, "I know that cyber risks are real. But my level of fear is low because I've learned how to protect myself and my organization, and—most importantly—I take the necessary actions every day to do so." This attitude is great for managing cyber security risk. Understanding risks and taking meaningful, reasonable steps to protect yourself is important. Keep learning and understanding so you can make good decisions and keep up to date with cyber security!
Here's an article to get you started: Cyber Security Tips to Protect Yourself (DDN2-A06).
In both our personal and professional lives, we each have distinct roles and duties. However, regardless of these roles and duties, our personal values and how we see ourselves greatly influence our approach to handling data. If we don't care about our own data, how can we be responsible and diligent with the data we handle at work?
Fear is a common response to threats, but can also lead us to become defensive or reluctant to venture out of our comfort zone. When we learn about data breaches or cyber attacks, we might brush them off as irrelevant or inevitable, thinking, "that doesn't concern me," or "it won't happen to me." However, you could be targeted as a government employee, as a consumer, or as a Canadian, or you could get swept up in a broader attack that's not targeted.
What is the real risk of cyber attacks?
In 2024, the World Economic Forum identified cyber insecurity as one of the biggest global risks we face in the next two years. Misinformation and disinformation was ranked as the top risk.
Moreover, public concern regarding this issue is on the rise. The 2024 Edelman Trust Barometer revealed that 75% of Canadians worried about the existential societal fear of hackers, an increase of 5% year over year.
In light of these concerns, it's important to address misconceptions. Cyber threats aren't exclusive to large departments. Social engineering, ransomware, and various other attacks pose risks to organizations of any size. In the public service, the data we handle and the systems we use are all potential targets for hackers and competitors.
We often focus on the financial consequences of a cyber attack, such as the expense for new IT systems, security software, hardware and compensating those affected. However, it's equally important to consider the damage to an organization's reputation caused by such incidents. This reputational harm can devastate an organization and derail its efforts towards modernization.
Consider the potential consequences if:
- personal information entrusted to us by the Canadian population was lost or stolen
- your departmental network fell victim to hacking, with malware introduced into it
- a Government of Canada server experienced a coordinated surge in traffic, causing the server to crash and websites and services to become unavailable
How would these events reflect on the government's image? And what financial burden would taxpayers bear as a result?
Eight simple actions
Here are eight simple actions you can take to make yourself and your organization more secure from cyber threats:
- Secure your connections and devices.
- Keep an eye out for suspicious emails or texts: Can you spot a phishing scam? Many departments tell their employees not to open email from unfamiliar email addresses, even if the source appears to be reputable. Be wary of emails that contain grammatical or spelling errors, address you by your last name or your email address, ask that you click on a link, have suspicious attachments, ask for sensitive information, seem too good to be true, or make any kind of unusual request. When in doubt, follow up with the organization using a different method than the email or text, like via their official website or by calling them. Follow your organization's steps for reporting suspicious emails. Be savvy about social engineering; it comes in many forms.
- Beef up your passwords: Choosing strong passwords or passphrases can prevent many cyber crimes. A longer password, think 12 characters or more, is strong against several types of password attacks. Do not reuse passwords or choose predictable ones like Password123. Making your passwords unique and a little more complex can make a difference.
- Maintain the physical security of organizational and personal devices: Keep external doors and file server rooms locked and refuse unauthorized entry to strangers. If a hacker can get into the building and sit down at a terminal, the job of breaking into a network is that much easier.
- Assess risk: Understand what to protect. Take proactive steps to understand the threats your organization faces and prioritize your efforts by homing in on medium and high risks.
- Be security aware: Make sure that you and your team are fully trained. Having the latest technology to protect yourself is not enough when your biggest flaw could simply be poor password management or how your coworkers are storing data. Do they know what's expected of them and what's permitted?
- Build a strategy: Much like you would plan what to do in the event of a fire, plan what to do before, during and after a cyber attack. The strategy should complement business objectives and focus on continual improvement.
- Are you cyber safe? Take the Get Cyber Safe Checkup to find out.