Steve Waterhouse’s 5-step action plan to secure your data
On International Data Protection Day, we had the privilege of welcoming Steve Waterhouse, a renowned expert and former Assistant Deputy Minister for Cybersecurity in Quebec.
In a hyperconnected world—where cyberattacks are multiplying and geopolitical laws are reshaping the rules—data security is no longer a technical option. It’s a strategic imperative.
Missed the session? Here are the 5 key takeaways to protect your organization in 2026.
1. The cloud is not “magic”
Entrusting your data to a cloud giant does not automatically make it secure. As Steve puts it:
“Security doesn’t depend on your provider. It depends on what you do.”
Take misconfigured Amazon S3 buckets. These storage spaces are frequently breached because companies forget to restrict public access, exposing sensitive documents online.
Start with the basics:
- Review storage permissions
- Enable encryption by default
- Require multi-factor authentication (MFA) for ALL accounts
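The first two basics can be checked mechanically. The Python sketch below is an added example, not material from the session: it audits a bucket configuration snapshot for public exposure and missing default encryption. The snapshot dict layout, the function names and the sample data are assumptions made for illustration; the flag names and group URIs are the ones S3 uses. MFA is an account-level setting and is not covered here.

```python
import json

# Group URIs that S3 ACLs use for "everyone" and "any AWS account".
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")


def _wildcard(principal):
    """True for "Principal": "*" and for {"AWS": "*"} (string or list form)."""
    if principal == "*":
        return True
    aws = principal.get("AWS", []) if isinstance(principal, dict) else []
    return "*" in ([aws] if isinstance(aws, str) else aws)


def audit_bucket(snapshot):
    """Return sorted findings for one bucket snapshot (hypothetical dict layout)."""
    findings = []
    pab = snapshot.get("public_access_block", {})
    missing = [f for f in PAB_FLAGS if not pab.get(f)]
    if missing:
        findings.append("public access block incomplete: " + ", ".join(missing))
    # A public ACL grant only takes effect when IgnorePublicAcls is off.
    if not pab.get("IgnorePublicAcls"):
        for grant in snapshot.get("acl_grants", []):
            if grant.get("Grantee", {}).get("URI") in PUBLIC_GROUPS:
                findings.append("public ACL grant: " + grant["Permission"])
    # An unconditional Allow to "*" is public unless RestrictPublicBuckets is on.
    policy = json.loads(snapshot.get("policy") or '{"Statement": []}')
    stmts = policy["Statement"]
    for st in [stmts] if isinstance(stmts, dict) else stmts:
        if (st.get("Effect") == "Allow" and _wildcard(st.get("Principal"))
                and not st.get("Condition") and not pab.get("RestrictPublicBuckets")):
            findings.append("public policy statement: " + str(st.get("Action")))
    if not snapshot.get("encryption_rules"):
        findings.append("no default encryption rule")
    return sorted(findings)


# Constructed sample snapshots (not real buckets). HARDENED keeps the stale
# grants but turns on all four block flags and a default encryption rule.
EXPOSED = {"acl_grants": [{"Grantee": {"URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}],
           "policy": '{"Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject"}]}'}
HARDENED = dict(EXPOSED, public_access_block=dict.fromkeys(PAB_FLAGS, True),
                encryption_rules=[{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}])
```

Policy statements that carry a Condition are deliberately not flagged and need manual review, since a condition can either narrow access safely or leave it effectively open.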
2. Even if stored in Canada, your data may not be protected from the CLOUD Act
Many businesses assume that hosting data in Canada shields them from foreign laws. Not necessarily.
Under the CLOUD Act, U.S. authorities can request access to data held by American companies—even if the servers are located abroad.
This includes providers such as:
- Amazon Web Services (AWS)
- Google Cloud
- Microsoft Azure
Key questions to ask:
- Where is my data physically stored?
- Who can access it in case of a legal request?
If sovereignty matters, consider a fully Canadian provider that guarantees local jurisdiction.
3. Cyber threats come from everywhere
The biggest vulnerability isn’t always a masked hacker—it’s human error.
Weak passwords, lack of MFA, poorly reviewed contracts, or unqualified oversight remain common entry points.
According to the Canadian Centre for Cyber Security, external threats remain very real.
Best practices:
- Inventory and classify data by sensitivity
- Apply appropriate encryption and Data Loss Prevention policies
- Enforce least-privilege access and environment segmentation
- Audit permissions regularly
- Train teams with phishing simulations
- Involve leadership in cybersecurity governance
As Steve reminds us:
“Cloud security is not a technical configuration. It’s a continuous discipline.”
4. Compliance is good. Security is better.
Certifications are valuable—but not absolute guarantees.
Key frameworks to know:
- ISO 27001 – Information Security Management standard
- SOC 2 Type 2 – Security, availability, and confidentiality audit
- NIST Cybersecurity Framework – Identify, Protect, Detect, Respond, Recover
- Loi 25 – Quebec privacy regulation
- CMMC – Defense-related cybersecurity certification
A certified provider can still experience a breach. The formula:
Certifications + regular audits + clear contracts + strong governance.
5. The advantages of a sovereign cloud
A sovereign cloud offers:
- Legal control – Data governed by local laws and adaptable to regulatory changes.
- Regional proximity – Lower latency, local support, stronger supply chain control.
- Hosting transparency – Clear visibility into who accesses your data.
- Flexible hybrid models – Better resilience against geopolitical risk.
- Local certifications – Better alignment with domestic compliance requirements.
As Steve Waterhouse concluded:
“Threats are real—but solutions exist. Now it’s your move.”








