On July 23, 2025, the Canadian Centre for Cyber Security (the Cyber Centre) published guidance outlining security and privacy protection measures that organizations may implement when developing and maintaining their website (the Guidance).

The Guidance describes websites as gateways between the internet and organizations, and notes that threat actors can exploit vulnerabilities and misconfigurations in an organization's website to steal, alter or delete sensitive data. To protect against cyber attacks, the Guidance outlines eight aspects that an organization should consider when developing and managing its website:

  1. Secure Web Architecture: Segregate website service components, so that one component being compromised does not compromise other components. This segregation should also be done for the application server and database to protect sensitive data. Also, include redundancies in the web services components (e.g., by replicating them) to ensure that operations continue if one component fails.
  2. Implement Strong Authentication: Implement a strong password and passphrase policy which includes multi-factor authentication to validate a user’s identity.
  3. Define Access Control: Define specific access controls and give individuals only the set of privileges that are essential to performing authorized tasks.
  4. Assess Service Providers: Review a service provider’s data security and privacy protection capabilities and policies before contracting with them.
  5. Validate Inputs: As early as possible, verify that users and applications can only input properly formed data, such as in fields, forms or queries.
  6. Review Security Configurations: Identify any vulnerabilities such as unused ports or web services; turn off directory browsing; deactivate browser credential caching; implement configuration management; and remove any unnecessary web operation files, including any backup files that could contain passwords.
  7. Manage Sessions Securely: Randomize and set session identifiers at an acceptable minimum length to protect against brute force attacks; and store sensitive session tracking data on web servers with an appropriate retention period (and destroy the data when the period ends).
  8. Secure Operations: Continuously monitor website activity for anomalous behaviors such as repeated login or injection attempts; implement a patch management process to promote ongoing security and functionality of web services; and promote security awareness within the organization and with customers.
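Two of the items above, validating inputs (item 5) and managing sessions securely (item 7), are concrete enough to show in code. The following Python module is an added example written for this summary; it is not code from the Cyber Centre's Guidance or from the newsletter. It assumes a web application with a signup form carrying `username` and `email` fields (constructed for the example), a 32-byte session identifier drawn from the operating system's secure random source (assumed here as the "acceptable minimum length"), and a 30-minute idle retention period after which the server-side session record is destroyed. Session identifiers are stored only as SHA-256 hashes so that a copied session table is not directly usable.

```python
import hashlib
import re
import secrets
import time
from dataclasses import dataclass

# --- Item 5: validate inputs at the request boundary, before they reach application logic ---
# Allow-list patterns constructed for this example; a real application derives them from its data model.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{3,32}$")
EMAIL_RE = re.compile(r"^[^@\s]{1,64}@[A-Za-z0-9.-]{1,253}\.[A-Za-z]{2,}$")


class ValidationError(ValueError):
    """Raised when a form does not match the expected shape."""


def validate_signup_form(form: dict) -> dict:
    """Return a cleaned copy of the form or raise ValidationError.

    Unknown fields are rejected (not silently dropped) and every expected field
    must match its allow-list pattern, so malformed data never reaches the
    application server or database.
    """
    allowed = {"username", "email"}
    unknown = set(form) - allowed
    if unknown:
        raise ValidationError(f"unexpected field(s): {sorted(unknown)}")
    cleaned = {}
    for key in allowed:
        value = form.get(key)
        if not isinstance(value, str):
            raise ValidationError(f"{key} must be a string")
        cleaned[key] = value.strip()
    if not USERNAME_RE.fullmatch(cleaned["username"]):
        raise ValidationError("username is not well formed")
    if not EMAIL_RE.fullmatch(cleaned["email"]):
        raise ValidationError("email is not well formed")
    return cleaned


def form_is_acceptable(form: dict) -> bool:
    """Boolean wrapper around validate_signup_form for callers that only need a verdict."""
    try:
        validate_signup_form(form)
        return True
    except ValidationError:
        return False


# --- Item 7: random session identifiers of adequate length, server-side state, bounded retention ---
SESSION_ID_BYTES = 32          # 256 bits from the OS CSPRNG (assumed minimum for this example)
SESSION_TTL_SECONDS = 30 * 60  # idle retention period (assumed value)


@dataclass
class Session:
    user: str
    created: float
    last_seen: float


def _key(sid: str) -> str:
    # Store only a hash of the identifier so a leaked session table cannot be replayed directly.
    return hashlib.sha256(sid.encode()).hexdigest()


class SessionStore:
    """In-memory stand-in for a server-side session store (constructed for this example)."""

    def __init__(self, ttl: float = SESSION_TTL_SECONDS, clock=time.time):
        self._ttl = ttl
        self._clock = clock          # injectable clock so expiry can be tested deterministically
        self._sessions: dict[str, Session] = {}

    def create(self, user: str) -> str:
        # Unpredictable, non-sequential identifier; never derived from user data or a counter.
        sid = secrets.token_urlsafe(SESSION_ID_BYTES)
        now = self._clock()
        self._sessions[_key(sid)] = Session(user, now, now)
        return sid

    def lookup(self, sid: str):
        """Return the Session for sid, or None if it is unknown or its retention period ended.

        An expired record is destroyed on sight rather than left in the store.
        """
        session = self._sessions.get(_key(sid))
        if session is None:
            return None
        now = self._clock()
        if now - session.last_seen > self._ttl:
            del self._sessions[_key(sid)]
            return None
        session.last_seen = now     # sliding idle timeout
        return session

    def purge_expired(self) -> int:
        """Destroy every session whose retention period has ended; return how many were removed."""
        now = self._clock()
        expired = [k for k, s in self._sessions.items() if now - s.last_seen > self._ttl]
        for k in expired:
            del self._sessions[k]
        return len(expired)

    def destroy(self, sid: str) -> None:
        """Explicit logout: remove the server-side record immediately."""
        self._sessions.pop(_key(sid), None)
```

The store is deliberately the only place session state lives; the browser holds nothing but the opaque identifier, which is what the Guidance means by keeping sensitive session tracking data on the web server. Run `purge_expired()` on a schedule so that records for clients that simply disappear are still destroyed when the retention period ends.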

For the full Guidance, click here.

Summary By: Victoria Di Felice


E-TIPS® ISSUE 25 08 06

Disclaimer: This Newsletter is intended to provide readers with general information on legal developments in the areas of e-commerce, information technology and intellectual property. It is not intended to be a complete statement of the law, nor is it intended to provide legal advice. No person should act or rely upon the information contained in this newsletter without seeking legal advice.

E-TIPS is a registered trade-mark of Deeth Williams Wall LLP.