In her keynote address, cybersecurity expert Dr. Ann Cavoukian provided an in-depth look at her concept of privacy by design, which prioritizes the security of personal data, and an openness from both companies and governments to disclose what personal information they are collecting. In an age when our individual data is collected and stored at an unprecedented rate, citizens need guarantees of their privacy. If we don’t control our own personal data or even know what data has been collected about us, our freedom has been compromised, argues Dr. Cavoukian, which leads to a culture of fear that hinders a society’s ability to grow and prosper.

There’s also a sound business strategy in having a transparent approach to data collection (that is, making users fully aware of what you know about them.) If there’s a mistake in the data, the only people who can correct it are the ones who own it, said Dr. Cavoukian. If you open up and show individuals what data you have, and give them a chance to asses it, it will ultimately be more accurate and you’ll get a much better end result when applying this data to a given task.

The need for privacy also applies to what Dr. Cavoukian calls “data at rest.” Companies routinely collect all kinds of data from users just because they can. Much of this data ends up in storage, unused and essentially “at rest.” Encrypting the data will ensure both the privacy and freedom of customers should a breach occur, as encrypted data will ultimately be useless to hackers. If you use decent encryption, it’s highly unlikely that you’ll be hacked, said Dr. Cavoukian.

With malware creation having been automated, “the threat landscape is increasing by definition,” said Yogen Appalraju, national cybersecurity lead for EY Canada. Breaches are hardly ever personal, and instead are usually the result of malware that’s been programmed to scan the internet in search of potential security holes.

"Security practitioners have to be right 100 per cent of the time. A hacker only has to get it right once,” noted Julius Azarcon, chief information security officer and risk advisory global practice leader for Scalar.

“The comfort you should take away,” said Appalraju, “is that cyber security data protection is being elevated to the C-Suite and the board level, and that’s a good thing.” Where Appalraju has previously seen inadequate resources being put towards data protection, he now notices far more conversations about security happening among those in senior leadership positions at big companies. These days, cybersecurity is now “in the top five in the prioritization lists for organizations. We’re seeing good practices being put in place.”

As much as your organization might be working to protect its data, breaches can, and likely will, happen.

Adam Blinick, director of public affairs for Uber Canada, stressed the importance of having an incidence response plan for when breaches do occur. “Having an incidence commander who knows how to lead the company through an event is critical. And having it well-documented, knowing which stakeholders are needed at the table, is really essential to respond well to an incident,” he said.

Educating internal staff, partners and customers about data protection can help to create a “shared responsibility model” that will work to reduce the likelihood of a breach, said Azarcon.

“Have conversations about what you’ll do when you get hacked and how you’ll respond,” added panelist Gwen Beauchemin, a cybersecurity consultant and CEO of Tillet Consulting. “That will bring about data preservation activity ahead of time.”

End-to-end security was a common thread of the discussions, with several speakers noting the need for secure storage at every touchpoint in the process of collecting and using customer data. This is particularly important when working with contractors or other third parties who may have access to the data your company collects.

“It’s around contract management,” said Beauchemin. Third parties should be proactively informing you, the client, of any incidents, and they should be keeping you up to date on how they’re managing data collection, storage and security risks. “You want to feel as though you’re working with a good and trusted contractor,” she added.

As a word of caution, speakers also noted that as the collector of user data, your company is ultimately responsible if a breach were to happen. ‘You are the organization in control,” said panelist Lindsay Wasser, co-chair of privacy and data protection for McMillan LLP. “You have to make sure your contracts require vendors to tell you about a breach so that you can meet your legal obligations.”

In his closing keynote address, futurist and digital strategist Jesse Hirsh reminded attendees that the internet is a relatively democratic tool, open to anyone to use and learn new skills,­ including those related to hacking and security.

“There’s no barrier to entry,” said Hirsh. “Anybody who so desires can become a security professional, or hacker.”

While the idea that anyone can be a hacker is something of a frightening prospect, Hirsh noted the flipside of this concern is anyone can learn how to properly protect themselves from having their information stolen. In fact, learning about security on an individual level will help companies be more secure ­ if your employees have an ongoing dialogue about security with their supervisors, and with each other (Hirsh likes to call these discussions “nerd councils”), the better prepared your organization will be in the event of a breach.

“Have an informal learning network within the organization whose job it is to think creatively about the risks that come with new technology,” said Hirsh. Everyone in an organization is a potential attack victim, so “the nerd council’s job is to keep the company as high up on that learning curve as possible.”