The rise of the digital economy and the ever more online nature of the corporate world have led to a corresponding rise in threats to business operations. Cybersecurity is more important than ever before to prevent firms from being exposed to data breaches, theft, and even ransom. Navigating this complex and interwoven environment can be confusing, expensive, and uncertain, and finding the right strategies and best practices can be difficult. We asked data protection specialist Vanessa Henri of Fasken to detail how companies can optimize their cybersecurity and avoid data breaches through best practices and preventative action.
With the increasing reliance on emerging technologies in the virtual workplace, such as cloud computing, the Internet of Things, artificial intelligence, digital twins and 3D modelling, should clients be concerned about new types of cybersecurity risks?
Each technical environment certainly brings its own threats and vulnerabilities which must be carefully assessed – clients should always be concerned about their technical environments, and emerging technologies are no exception to the principle.
By way of example, the use of IoT may impair incident response and detection capabilities, as many IoT devices do not collect appropriate logs for ensuring forensic readiness, and machine learning raises cybersecurity concerns such as data poisoning attacks.
It is important for clients to manage their risks at the organization level, but also iteratively and proactively, in particular when handling emerging technologies. Prior to implementing such technologies, clients should perform all proper risk assessments and quality assurance testing. Quality controls should include security and privacy metrics identified at the planning stage.
What are the advantages to relying on in-house IT security as opposed to hiring external firms to provide these services? What advice can you offer clients trying to decide which option to choose?
Cybersecurity is a complex ecosystem of vendors and subcontractors, and most organizations combine in-house and external capabilities. The board of directors is always accountable for protecting corporate assets, but it can outsource some of the technical and organizational measures required. To choose the best option, organizations should prepare a business case. When comparing options, they should consider factors relating to people, processes and technology, such as:
- Human Resources Cost. Most agree that there is a shortage of skills (or at least, of experienced employees) in the cybersecurity sector. Salaries are often very competitive, and it is difficult for SMEs to attract talent, especially when there is no senior employee to train a more junior one.
- Knowledge Maintenance Cost. To keep abreast of the threat landscape, cybersecurity professionals need continuing education. They also have certifications to maintain and must be involved in various industry forums. This comes at a cost.
- Expertise Requirement. Certain activities require advanced skills, which can be costly and unnecessary to maintain in-house or as part of day-to-day activities, such as digital forensics. Certain monitoring activities may also require staffing outside regular business hours, such as managed security services.
- Threat Intelligence Considerations. Organizations that keep certain functions in-house, such as a security operations centre, typically increase their capabilities to better understand their threats, vulnerabilities and risks. This also allows them to generate threat intelligence to train machine learning models to respond to their environment.
How can firms minimize their exposure to third-party data breaches occurring to business partners or vendors?
Implementing a vendor due diligence process is a critical part of a cybersecurity program. Each vendor should be screened to determine if it has implemented adequate technical and organizational measures to reduce risks of security incidents. Performing vendor due diligence can be a daunting task and can require significant resources. To mitigate operational impacts, firms should consider a triage phase during which vendors are assigned a criticality rating based on the overall risk tolerance. By way of example, a vendor with access to confidential or sensitive personal information, such as health records, should be subject to a more thorough due diligence. The vendor due diligence process should account for the technological environment of the vendor and be reviewed periodically to ensure continued compliance. Other mitigating measures can include:
- creating a secure digital work environment to work collaboratively with consultants;
- reducing data sharing with third parties to what is strictly necessary;
- ensuring that sensitive data is securely deleted whenever it has served its purpose and there is no more legal retention requirement for such data; and
- ensuring encryption at the file-level, and even at-use when possible (while enforcing appropriate key management practices).
How does a business’ cybersecurity affect its relationship with its insurers?
It is no surprise that insurance firms have changed their stance on cybersecurity premiums in the current threat landscape. It is much more difficult to obtain and maintain insurance, and insurers now require organizations to do their part by implementing adequate technical and organizational measures. It is frequent for insurers to have minimum requirements. Organizations that are negligent and suffer a data breach risk being uninsurable, and risk having to share their forensic reports with future insurers, leading to known risks.
What is ransomware and why is it such a threat? What are some of the other strategies used by hackers to attack and threaten businesses?
There are almost as many types of ransomware as there are criminal gangs developing and using this malware! However, they generally share the common characteristic of restricting access to files in return for a payment, often in cryptocurrencies. Certain gangs will also leak an organization's data if it decides to avoid the problem altogether by restoring from backups through a redundant architecture. In exchange for the payment, criminals promise to return a decryption key to access the blocked files.
However, the world of cybersecurity is vast and complex. Industrial systems in critical infrastructures can be attacked, leading to kinetic damage; network communications can be intercepted with man-in-the-middle attacks; advanced persistent threats can target trade secrets; or algorithms can be rendered ineffective through data poisoning attacks in the test environments. Each organization should know the threats relevant to its activity through threat modelling exercises. Common attacks such as ransomware can serve as noise for more targeted and persistent attacks, in certain cases with national security implications.
What legal options do Canadian firms have if their data systems have been breached? Similarly, what legal obligations do they have to other parties who may have been exposed as a result of a cyberattack? How does this change if the clients are in Canada or are internationally based?
Legal recourses depend on the type of data that has been breached, the manner in which it has been breached, or even how an organization defines what constitutes a breach. Attribution is difficult in the digital world and, except in cases involving disgruntled employees, it is rare that information assets such as trade secrets are recovered when the loss is caused by digital misappropriation such as cyberespionage. Unless the breach is related to a third party’s breach of contractual obligations, few legal recourses can make up for the damages. Among other things, the firm may have to:
(i) notify the authorities, different regulators, business partners, employees and end users;
(ii) offer credit monitoring services; and even
(iii) be held liable for damages to third parties.
In the world of information assets, different laws and contracts may apply at the same time, all with different notification requirements for organizations. In the United States alone, there are dozens of laws on notification, most with different thresholds or requirements. Depending on where the information is collected, an organization may have to notify third parties worldwide.
Vanessa specializes in data governance and emerging technologies at Fasken. In 2020, she was named one of Canada’s Top 20 Women in Cybersecurity by IT World Canada and is part of the panel of judges for the 2021 competition. Vanessa is a lecturer at St-Thomas University’s LL.M. in Cybersecurity Law and Policy, in Miami, where she also sits on the board of advisors. A published author, her work on the dark net was funded by the Quebec Bar prior to publication, and Vanessa was featured as a speaker at international conferences such as Code Blue in Japan. She holds an ISO 27701:2019 Lead Implementer certification and is a Certified Data Protection Officer. Prior to joining Fasken, Vanessa acted as a Data Protection Officer for a multinational, and she holds a master’s in law on cyberespionage from McGill University.