
With new AI tools appearing every few weeks, each offering impressive benefits, data security is increasingly slipping out of focus, and out of your control. As Canadian businesses, we are dealing with a lot of uncertainty and challenges amid tariff threats from the United States. While operational efficiencies are important, we should not underestimate the importance of data security and ownership.
Why You Should Care
Just in the last few weeks, a lot has changed about our perception (or illusion) of data security. As a rule of thumb, what’s out there on the public Internet is out of your control.
► Take the case of the newly formed DOGE (Department of Government Efficiency) in the United States. This department now has access to all Treasury data, including SSN (Social Security Numbers), tax data, personal debt, household income, salaries, departmental budgets, transactions … you name it.
► Everyone is using AI tools like OpenAI’s ChatGPT to improve productivity. But did you know that LLM providers like OpenAI reserve the right to store, analyze, and use your queries to improve their models? So if you have entered confidential data while interacting with an LLM tool, your query is sitting somewhere on a third party’s server in clear text.
Data Security: The Basic Checklist
- Do I have access to my application's data? (A no-brainer, but you'd be surprised how many don't)
- Is my data inside Canada (or the jurisdiction I prefer)?
- Is my data encrypted at rest and who manages the encryption?
- Do I have a data breach protocol in place?
- Have I restricted access to production databases, except for limited users like DBA and System Admins?
- How is my critical business data backed up?
- Is there any Disaster Recovery process in place?
- Can I export the data in popular formats like CSV, JSON, etc.?
- Can I erase the data (and backups) if there is a reason to do so?
- Is there compliance with Data Protection laws?
- Do we have policies around using online LLMs like ChatGPT?
Data Security: Some Recommendations
If you have not checked some of the boxes above, you should consider your technology adoption policies and vendor selection processes to ensure your data is secure and you have control over it. Some of the following might not apply to you, but here are our general recommendations.
- Secure the credentials used to access your data through database clients like DataGrip, DBeaver, MongoDB Atlas, etc.
- If you are cloud-hosted, insist on resources being deployed on Canadian regions (or your jurisdiction of choice)
- Enforce key rotation every 3 to 6 months for symmetric encryption. Set up automatic key rotation
- Use private endpoints to access data on cloud (vs. accessing them over public Internet)
- Institute database scans on a regular basis. Data Governance is also important.
- Restrict access to production databases to only a few users
- It's 2025! Automate daily database backups. Ensure database restore actually works.
- Define a Recovery Point Objective (RPO) and Recovery Time Objective (RTO) for database restores
- If you're using a SaaS solution (for example, QuickBooks) ensure data can be exported easily
- Know the data retention policies of Low Code / No Code / SaaS products (if you're using one)
- Ensure credit card information, health records, etc. are being handled according to industry standards like PCI DSS, HIPAA, etc.
- Establish LLM usage policies with the same rigour as you would for NSFW services
This is by no means an exhaustive list of action items you can take to protect your organization’s data. However, we hope that this can be used as a starting point of having a dialogue around data security.