How to Protect Against Identity Theft: A Guide for Canadian Businesses and Consumers

I have a confession: I never used to think much about identity theft. I knew it existed, and I’d heard stories of people’s lives being upended, but I assumed it couldn’t happen to me. I realized how wrong I was when I stepped into my role as Director of TELUS Online Security a few years ago. Not only could it happen to me, but fraud has already affected more than four in 10 Canadians, leading to losses of over $530 million last year.

The risk of identity theft seems to be worsening, yet we accept this risk in exchange for convenience every time we complete a digital transaction. Take a moment to think about how many accounts you’ve opened and purchases you’ve made online. Hundreds, perhaps? You’ve entrusted each of these organizations with your data, likely in the form of contact details, passwords, and credit card numbers. Now, how confident are you that they’ll keep your data safe? 

“The risk of identity theft seems to be worsening, yet we accept this risk in exchange for convenience every time we complete a digital transaction.”

All it takes is for one of these organizations to be breached for your data to be exposed, an occurrence that’s more common than people might realize. Even sophisticated brands have been infiltrated by criminals intent on obtaining customer and employee data. In the wrong hands, this info can be used to access your accounts or apply for credit in your name. 

Our personal info is everywhere. So much of our lives have migrated online, where Canadians are spending over six hours a day for entertainment, work, and education. The solution isn’t to avoid the internet out of fear of being hacked but to understand how to guard ourselves. We can embrace our digital lives while staying protected, but everyone must do their part if we are to make the Internet truly safer for Canadians. 

Identity Theft at Work: Employers Must Protect Employees 

As our lives become increasingly digital, there’s now a greater need for digital safety. Similar to how we protect our physical belongings and health, we must also protect the personal information that’s being shared and stored online. I’ve been thinking a lot about the responsibility employers hold to protect their employees from cyber threats, and I believe it goes far beyond corporate security practices. 

“Nine in 10 Canadian workers would like to have identity theft protection as part of their workplace benefits package.”

In a recent study conducted by Norton¹, almost nine in 10 Canadian workers would like to have identity theft protection as part of their workplace benefits package and employers seem to agree, with a similar percentage considering cybersecurity important for their employees. Yet, fewer than one in 10 employers currently offer this benefit. With lines blurring between work and personal life, along with the realization that nearly three-quarters of Canadians are using personal devices for work¹, it’d be unwise to ignore the mounting evidence that cyber safety is essential for both people and businesses to prosper. An employee’s actions outside of work hours can (and does) affect their company’s security. There’s a strong and compelling business case to empower the workforce with cybersecurity. 

If so, why aren’t more companies doing it? 

First, many are not yet convinced it’s their responsibility. According to the same study conducted by Norton, employers are more than twice as likely to point to employee actions than company policies as having a greater impact on cybersecurity risks at their organization. Eight in 10 employers note the greatest risks as being insufficient knowledge or due diligence within their workforce. I observe this myself with the companies I interact with—they acknowledge the importance of their employees’ cyber safety, but they don’t necessarily believe they’re responsible for investing in it. 

A second, related factor is that our society isn’t yet demanding cybersecurity from our employers. Few Canadians would consider a workplace that didn’t offer healthcare benefits and vacation time, yet personal data left vulnerable could lead to devastating consequences. Companies could provide meaningful assistance while nurturing a culture of care and well-being. Without the pressure of widespread expectation or government regulation, they’re free to pursue other priorities. 

“If your company doesn’t offer cybersecurity benefits, the first step is to ask your manager or HR rep a simple question: “Why not?””

This must change. Our digital lives and data are as important to protect as our health, money and physical assets. These facets of well-being are interconnected. Identity theft can have a disastrous impact on our health and finances, straining the benefits already offered by our employers. It’s time for companies to step up and invest in their staff’s cyber safety, during and outside of work hours, minimizing risks to both their employees and their businesses’ security. We need to raise our expectations of our employers, and company decision-makers need to listen. If your company doesn’t offer cybersecurity benefits, the first step is to ask your manager or HR rep a simple question: “Why not?” 

Businesses Must Do More to Protect Customers

According to a recent study from IDC², three in four Canadian organizations have experienced a data breach, most of which have occurred in the last three years. This might not come as a surprise to you. Stories of high-profile breaches have become commonplace in the news, and this may even be a source of anxiety in your own career. Cybercriminals are more sophisticated than ever before, and they’re finding ways into the systems of big and small companies alike. 

Of the businesses that have suffered a breach, 16% weren’t prepared with a response plan. I imagine that many of them went into firefighting mode, scrambling to mitigate the damage with all available resources. A quote from Harvard Business Review comes to mind: “Firefighting is one of the most serious problems facing many managers of complex, change-driven processes. Serious problem-solving efforts degenerate into quick-and-dirty patching. Productivity suffers. There isn’t enough time to solve all the problems. Solutions are incomplete, patched, not solved. Problems recur and cascade. Urgency supersedes importance. Performance drops.” 

With data breaches posing a real and persistent threat, businesses must be proactive in preparing a thorough response plan to protect their customers’ data, and they must also continually optimize this plan as threats and technology evolve. Efforts shouldn’t be focused exclusively on preventative measures, because these measures can’t be foolproof. Once data has been compromised, it’s crucial for companies to take action to help prevent this data from being used to access customer accounts or commit fraud. A strong response plan involves notifying affected customers of the situation and the actions being taken, as well as equipping them with cybersecurity tools that can help minimize the consequences. This is why we’ve developed a version of TELUS Online Security designed to help businesses protect their customers and employees.

“Over three-quarters of Canadians accept the fact that security breaches will happen and can be managed²—what’s critical for them is how a brand responds.”

Data breaches can be crippling, but they can also present opportunities to strengthen customer loyalty and trust. Over three-quarters of Canadians accept the fact that security breaches will happen and can be managed²—what’s critical for them is how a brand responds. Breach response and remediation plans shouldn’t be designed purely as damage control, but also as means to instill trust that brands have their customers’ backs during difficult times. 

Loyal, trusting customers are also good for business. Three in four Canadians would use a brand’s products the same amount or more after a well-handled data breach², implying that these potential disasters can be turned into revenue-generating opportunities if managed with care. 

We Must All Do More to Protect Ourselves from Identity Theft 

“It won’t happen to me; I’m not rich or famous.” I hear this often when identity theft comes up in conversation, and it has become my mission to debunk this misconception. I understand where they’re coming from, though, because I once thought the same myself. They never seem to know what to say when they learn that Canada is one of the hardest-hit countries in the world when it comes to data breaches, with the second-highest data breach per capita cost and over 91 million data records lost or stolen between 2013 and 2022. 

I’m hopeful that Canadians are beginning to wake up to this unfortunate reality. We’re realizing how much of our personal info is being stored online and how vulnerable it is to hackers. Most of us are concerned (86% of us, according to one recent study¹), but less than a third of us use a fraud-detection service or a VPN while logging into public Wi-Fi. Concern must lead to action. 

The first step is to be informed. Learn about the threats that exist and how to minimize them. Have open conversations with your family and friends about cybercrime, as you would about anything else that might endanger them. Subscribe to services that help you prevent, detect and recover from these threats.

We should expect more from our employers and the organizations we engage with online, but each of us is also responsible for our own cyber safety. Cybercrime will continue to evolve, but we are neither helpless nor alone in navigating it. The internet doesn’t have to be such a dangerous place if we work together to protect our personal information. We have the power to help shape society’s cybersecurity defences now and into the future, and it starts with staying informed of the threats that exist, understanding how to minimize these risks in our daily lives, and demanding more from the companies that hold our data. 

1. Findings of a survey conducted by Norton in partnership with Angus Reid Group from July 20 – August 7, 2022, among a representative sample of 1,287 employers and 1,502 full-time employees across Canada. 

2. Findings of a survey conducted by TELUS in partnership with IDC in August 2022, among a representative sample of 1,512 consumers and organizations across Canada.