Protecting your digital assets

By Lynne Yryku, June 20, 2018


“The number of people who are trying to infiltrate networks today greatly exceeds those who are trying to prevent intrusion. So the external hacker world is always half a step ahead of the people who are trying to maintain the integrity of the system,” says Stephen Spracklin, Legal Counsel, Information Technology and Intellectual Property with the City of Mississauga. “It is not a matter of if; it’s when—and then how prepared are you to deal with that eventuality.”

“We handle an average of about 40 to 50 incidents per month [across Canada],” adds Daniel Tobok, CEO of Cytelligence Inc. “Ransomware has been a very big problem in the industry over the past 24 months. People are getting hit left, right and centre, especially the small- to medium-sized organizations, which are getting hit every single day. And now the problem with ransomware is that the bad guys are getting very sophisticated. The average bad guy spends about 28 to 64 days on a network before actually hitting them with the infection. […] We just dealt with a municipality that had literally just under 1,000 servers taken down and to repair all the servers you’re looking at millions of dollars.”

It is not only server repairs that will cost you—according to the Ponemon Institute’s 2017 Cost of Data Breach Study, the average total cost of a data breach in Canada is $5.78 million, or $255 per lost or stolen record, plus a 9% loss of customers in the aftermath.

With the stakes this high, Canadian businesses are paying attention. PricewaterhouseCoopers’ The Global State of Information Security® Survey (GSISS) 2018 found that security budgets have increased by 73 per cent on average in Canada. However, despite this increasing awareness and investment, most Canadian organizations still do not actively examine their defences, with only half running drills at least annually for cyberattacks. Failing to prepare is preparing to fail.

White hat hackers

Last year was a prime example of how diverse, extensive and deeply troubling digital attacks are becoming—remember Equifax, Yahoo and WannaCry (to name only a few)? Cybersecurity is an issue that should be on the table at every organization. However, many struggle to understand and manage emerging cyber risks.

At its most basic, cybersecurity is the combination of hardware and software that ensures the integrity, confidentiality and availability of an organization’s information, which includes the communications that may enter and exit from that secure environment.

“Cybersecurity is not a product,” explains Catherine Lovrics, Partner with Bereskin & Parr LLP. “It is a process and it is iterative and it is ongoing. And understand that cybersecurity really has shifted focus from technological lockdown to monitoring and ensuring there are rigorous systems in place to identify—and identify quickly—if there is anomalous activity.”

“In order to have a truly robust cybersecurity system, you also need to have a feedback mechanism that is assessing the strengths and the vulnerabilities of the system that you put in place,” says Spracklin. “So cybersecurity is not only about setting up the environment, including putting in the intrusion detection and other preventative measures, it is also about the tools with which you test your network and test your security parameters.”

There are multiple kinds of penetration testing, or pen testing, you can do. Auditing your system processes and policies by testing for vulnerabilities and potential intrusions is a good start, and it should be done on a regular basis rather than as a one-off exercise.

However, pen testing needs to be more than a scan or tick-the-boxes compliance requirement. Doing it properly means hiring one or more ethical, or “white hat,” hackers to try to actively subvert your security protocols and methodologies, and intrude upon your secure environment. This may mean using malware attacks to shut down your servers, social engineering and phishing expeditions to gain access, and more. Then the hacker tells you what they did, what they were able to do and what you need to do to fix it.

“Twenty years ago when somebody needed a true security audit,” explains Tobok, “they would perform or hire somebody to perform [ethical hacking]. People went away from it because there was a stigma that it was overly expensive but also part of the problem was the vendor community realized there are only so many smart people who can do this type of work, so we can’t rely on that; we have got to turn it into a commodity.”

“Ethical hacking is part of the solution/prevention,” says Christine Holmes, Regional Director at AlertEnterprise and former corporate counsel. “It is an important piece of the puzzle, the checklist of things you should be doing. Why wouldn’t you, as opposed to why would you? You can be proactive and try to analyze and mitigate potential gaps or you can be disappointed and learn about them another way.”

Spracklin adds a caution with regard to the outcome of pen testing: “You should make sure you own the content of the reports. One of the things that is always hotly contested is the ability of the third party to use where the vulnerabilities are with regards to your network for the purposes of other engagements.

I feel pretty strongly that you should own the intellectual property in that report and own the right to restrict access to that information. You may want to give the cybersecurity firm you are working with access to the fact that a vulnerability may exist so they can protect other clients’ networks but you don’t want it to be identified with your network and you don’t want your specific vulnerabilities to be known by anyone else.”

An increasing number of organizations are on board. Apple, Facebook, Google, the Pentagon and Uber run “bug bounty” programs, and several municipalities regularly hire ethical hackers to test their systems. And while companies tend to be tight-lipped about such activities, Tobok points out that 25% of his company’s business nowadays is proactive, engaged before an attack is discovered.

It takes a village

However, it is impossible to create your cyber fortress without buy-in at all levels, and cooperation and collaboration between business units. While senior leaders must take ownership of cybersecurity and integrate it into operations, training of all employees is equally important.

“It is the human factor that makes all of this difference in all of these breaches because roughly 50% of these breaches start by phishing,” explains Tobok. “People click on things they’re not supposed to and their credentials get compromised.”

“You want to ensure that there is due attention paid to your HR procedures to train your employees because they’re really part of any good safeguard or any good security system,” says Lovrics. “It’s not just the C-suite and your IT department that need to buy into cybersecurity; it’s the entire organization.”

Organizations need to create a cyber risk management culture—and that is where legal can step in.

The in-house counsel role

“I think this really comes down to the key role of the legal team, which is to manage risk,” says Yasmin Visram, Senior Managing Counsel at Industrial Alliance Insurance and Financial Services Inc. “And I don’t think you can effectively manage risk if you don’t understand the risk. So I think [the relationship between legal and IT] is an important dialogue and interface that has to happen.”

Indeed, if a business is using technology, it is crucial that in-house counsel get a seat at the table. They need to know what the IT real estate looks like, where the data is, how it is protected and what the crisis management plan is if something goes wrong.

“Knowing the law is not enough,” says Spracklin. “You have to know the technology as well and then be able to apply it to the technology. I think it is critical in the area of cybersecurity that you understand the technology, that you understand how a system architecture is designed, how the software is deployed and what tools your organization is using to prevent vulnerabilities from being exploited because it is difficult to advise on risk if you don’t understand how your cybersecurity system is built and what it does to prevent intrusion.”

Even absent strong technical skills, in-house counsel still play a key role. “You can still guide the corporation on crisis management generally and in particular on reputational impacts. You have to be agile, but lawyers have a tendency to fall into lawyerly patterns. We focus too much on legal risk and not enough on business risk,” explains Visram. “You want to be the strategic business advisor.”

With their eye on the entire organization, it is really in-house counsel who know the business and are well positioned to connect the dots. Use your position strategically. Talk to the business units and people throughout the organization, especially in IT, because you are going to bring a different perspective. Use this as an opportunity to both learn and educate.

“I think a lot of time in-house counsel are expected to know everything and obviously it’s impossible to know everything as maybe the only person in your legal department or with a small in-house team. I think it’s a good idea to know what the scope of the landscape looks like or have an idea of the legislation so you know when your obligations get triggered,” says Amanda Branch, Associate at Bereskin & Parr LLP. “It’s easier to be prepared and have tested out those plans and then you know who to call, you know who to have at the table and you know what your processes are going to be.”

“As we develop relationships within our companies, we are hopefully developing relationships of trust, relationships where we can be relied upon for strategic business advice,” adds Visram. “Because during a crisis, it is that foresight and guidance that is going to be critical for senior management.”

Lead the charge

Massive data breaches and the constant collection of personal information are routinely in the headlines and on the boardroom agenda. Security issues are some of the greatest ones facing companies of any size and in any industry today. You must embrace your role as guardian and get involved in the discussions.

“Preparing the organization for the fact that you could be breached in the future, and preparing your systems and securing them, and doing things [like ethical hacking] proactively,” says Tobok, “that’s absolutely what’s going to make a big difference in you becoming an actual victim.”

Even without a specific IT background, in-house counsel can play an important role if they make the time to educate themselves and get prepared. “It is not to be underestimated how difficult an area this can be and how important it is to get good advice,” says Spracklin, adding, “After you’ve been hacked, it is too late.”

“If you are someone who is saying, ‘What’s our risk plan? What do we have in place from a security perspective? How are we looking at that, just so I have an understanding?’” explains Holmes, “it is going to show that you’re not just a cost centre. You are actively involved and a partner in the business, and you bring value.”

Lynne Yryku is the Executive Editor of CCCA Magazine. This article was first featured in the Summer 2018 issue of CCCA Magazine.
