The cybersecurity threat landscape is constantly evolving — as are the regulations that govern your users’ data. But is your IT security footprint keeping pace?

That’s the question that worries Jacques Latour, Chief Technology Officer of the Canadian Internet Registration Authority (CIRA). As businesses invest in cybersecurity solutions, they may be unaware that they’re leaving themselves open to unnecessary risk by allowing sensitive customer data to cross international borders.

“The best way to secure your internet data is to understand your infrastructure footprint and that means keeping your infrastructure in Canada at all times,” says Latour. “Taking your cyber infrastructure offshore means you’re subject to the laws and policies of another jurisdiction, and that puts your data at risk.”

Upcoming changes to Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) mean that Canadian businesses will face enhanced requirements to disclose data breaches. According to Scott Smith, Senior Director of Intellectual Property and Innovation Policy at the Canadian Chamber of Commerce, these changes mean that Canadian companies now have increased responsibilities when it comes to user data. “Canadian companies will have to demonstrate how they use appropriate tools, technology, and internal processes to protect the personal information they’re collecting, storing, and disclosing,” he says.

Data sovereignty an issue

As the organization that manages the .ca domain name registry on behalf of Canada, CIRA is used to thinking globally and acting locally. Last year, CIRA unveiled its D-Zone DNS Firewall service to provide Canadian organizations with a made-in-Canada solution for protecting their networks from malware, ransomware, and other cyber threats. However, according to Latour, building up Canadian cybersecurity capacity isn’t simply an exercise in national pride — it’s becoming a regulatory imperative.

The easiest way to ensure your data isn’t subject to the laws of another jurisdiction is to make sure it stays in Canada. Data in transit is often not encrypted, and the more jurisdictions it enters, the more opportunities there are for it to be exfiltrated.

Currently, some of Canada’s internet infrastructure routes data through the U.S. and other countries. In addition, many cloud-based cybersecurity vendors store data outside of Canada. According to CIRA’s 2018 Internet Factbook, 69 percent of Canadians are concerned about the implications of cross-border data flows on the security and privacy of their personal information — and justifiably so, according to Latour. “The data in motion goes through a number of nodes, so if your information isn’t encrypted in transit, it can be easily captured at any point between you and the final destination,” he says. “Even without this type of capture, you still leak metadata information like dates, times, sources, destinations, and types of traffic.”

Building Canadian cybersecurity expertise and infrastructure

As part of its mandate to build a better online environment in Canada, CIRA has helped build up the country’s network infrastructure by supporting a series of Internet Exchange Points (IXPs) that ensure data sovereignty. Its D-Zone DNS Firewall leverages that infrastructure — all of which is located in Canada — to serve billions of DNS queries and to proactively block malware, ransomware, and phishing attacks. With more than 20 years of experience in protecting the Canadian DNS, CIRA has built a cybersecurity solution that is made in Canada, for Canada.

According to CIRA’s 2018 Canadian Cybersecurity Survey, 32 percent of Canadian businesses have been hooked by a phishing attack, a number that should be causing IT managers to rethink where their data is stored and routed, and who has access to it.

“Having made-in-Canada infrastructure means you know where your data flows within Canada and that increases your security posture,” says Latour.