Canada: Cybersecurity: Best Practices For Corporate Legal Departments

Aware that data breaches are as much a governance issue as they are an IT issue, corporate legal departments have become accustomed to keeping a wary watch over their organization's digital defences in recent years.

Presently, a recent surge in cybercrime has made robust risk management even more essential.

Quick to  exploit the disruptive impact of the pandemic, hackers are taking advantage of the increase in remote work and online activity to find new targets and more sophisticated ways to breach them. According to CIRA, nearly 3 out of ten Canadian organizations witnessed a spike in cyberattacks during the pandemic.  A quarter of these companies reported a breach of customer and/or employee data.

And legal departments, the company hub for for sensitive information, are a prime target. That's why cybersecurity and data privacy are top of mind for  boards,  general counsel,  and their corporate legal teams heading into 2022. By implementing industry best practices and security-centric tools, legal departments can proactively manage and mitigate their risks to tackle any threats– rather than scrambling to react once the damage is done.

RANSOMWARE AND OTHER CYBERTHREATS

The most threatening cyber trend of 2021 was  ransomware, and a type of attack set to shape the security landscape  for years to come.

A type of malware, ransomware is when hackers obtain sensitive material from their victims and use that material to blackmail them. In January 2021 Quebec-based insurance group,  Promutuel was targeted and, when the company refused to pay, hackers released customer information online.

For corporate legal departments, ransomware is a worst-case scenario, not just in terms of cost, but also because these incidents expose internal vulnerabilities, client information, and sensitive company data. The key to preventing these kinds of attacks is cutting them off at the source by identifying and sealing potential leaks. Hackers' intent on a ransomware attack can find their way behind security firewalls in several ways:

Phishing  – Phishing occurs when a hacker entices someone to reveal personal information such as their password or bank details. In the corporate context, this typically involves a malicious email finding its way around the server firewalls to an employee's account. The email may ask them to download a document or click a link – essentially opening a door that the cybercriminal can walk right through. Cybersecurity analysts  expect phishing to increase in frequency and severity this year.

Business Email Compromise (BEC)  – Email is a common way for bad actors to gain access to company accounts, but not all email breaches are the result of phishing scams. If a criminal can access your email server, they can easily impersonate high-level staff. Communicating as a C suite employee or board member, these cybercriminals can then request information, move funds, or simply browse internal databases for data they can use as leverage for their demands. Aside from ransomware attacks, BEC is the most concerning threat for Canadian executives in 2022, according to  PwC.

Mobile malware  – With more employees either working remotely or adopting a hybrid work routine, there's more business being done via smartphones, tablets, and other personal devices. This gives hackers plenty of opportunity to find a vulnerability in a company's armor via mobile malware – software that specifically targets devices, using SMS messaging or other apps to gain access to the device's functions or data. In its  2022 Threat Report, IT group Sophos called the rise of mobile malware "unstoppable".

API attacks  – Emerging tech has given corporations a wealth of choice when it comes to their office tools. From HR platforms to document archives, workplaces use numerous applications on a daily basis, sharing them across different departments and different teams. In an API attack these tools are compromised, with hackers targeting Application Programming Interfaces (API) that connect apps across a shared network.  Gartner predicts that API breaches will become the most frequent attack vector in 2022.

DDoS attacks  – Known as Distributed Denial of Service, these cyber incidents  increased by 24 per cent in the latter half of 2021 and typically involve bombarding a company's website or other online assets with repeated hits until they crash. While the motive is usually money – pay up or the bombardment continues – in some cases, the DDoS attack provides cover while hackers look for other ways to gain entry into the system. In either case, they can be massively disruptive for organizations, and open them up to further risk.

CYBERSECURITY: WHAT ARE THE INDUSTRY BEST PRACTICES?

Digital resilience means having a risk management framework in place to stop cyberattacks before they start. General counsel and their legal departments (including  legal ops) should work with CISOs and IT staff to create this framework, combining their technical know-how and legal expertise to cover all potential leaks and liabilities.

BE PROACTIVE, NOT REACTIVE

Working from the premise that cyberattacks are a question of when, rather than if, legal departments should approach their security strategy with the mindset that incidents are inevitable and prepare accordingly. Drawing up a strong data recovery plan and implementing a layered defense can stop hackers making inroads into the system and minimize the amount of data they can extract.

Once your data recovery plan is in place, it should be run through simulated attacks to assess its effectiveness and updated at least once a year so it stays current.

EMPLOYEE EDUCATION & ENGAGEMENT

Just as generals heading into battle brief their soldiers, your employees need buy-in and engagement with your risk management strategy. It's critical that this education goes beyond counsel and IT teams to encompass every level, from C suite to interns.

Each employee must learn how to effectively manage their own risks and responsibilities. Tech tools can help, but must be used in adherence to the corporate roadmap. These educational efforts should also include training around the various types of cyber-attacks, how to identify threats, guidelines for remote working, and processes around sharing corporate material and passwords.

LEGAL TECH TOOLS

The best weapon in your fight against cybercriminals is technology. The more sophisticated their attacks, the more sophisticated your security has to be to keep them out.

Follow industry guidelines, and look for software that's compliant with ISO 27001, the highest international standard for IT security.

Streamline your system. Cluttered and chaotic architecture that relies on different platforms from different providers increases vulnerabilities, with multiple pressure points that could be broken open by opportunistic cybercriminals.

By comparison, using  a central hub under a single program brings everything together so data can be easily managed and protected from prying eyes.

Don't overlook analytics.  Two out of five Canadian companies  don't integrate analytics with their security tools and that means they're missing out on the power of data intelligence to strengthen threat modelling and predictive analysis. That invaluable data can help your legal department quantify risks, see how the business needs to shift to accommodate those risks, and plan for a more secure future.

Switch to automation where possible. Never underestimate the power of human error. All it takes is one seemingly small mistake and hackers can find a route into even the most complex systems. Automating key processes in the legal department doesn't just reduce the potential for error, it also secures all the weak links in the chain of communication – user authorization, file sharing, data management – and provides automatic alerts for timely response in the face of a pressing threat.

THE IMPORTANCE OF COMPLIANCE

Without security safeguards in place, organizations won't be able to handle present threats let alone the evolving challenges of the future. Compliance with industry standards and regulatory requirements needs to be embedded at every level, including that of any external partners, subsidiaries, and  legal entities.

A collaborative platform allows for greater visibility, transparency, and oversight of legal entity activities so organizations can be sure they're adhering to security standards and that any potential liabilities are quickly uncovered and resolved.

Similarly, other weak spots such as  contracts lifecycle management  should be assessed and evaluated to determine their risk profile. Given that this is where your most sensitive client information is stored and shared, any breach has serious privacy implications and legal repercussions.

There's no such thing as zero risk, but the  DiliTrust Governance Suite can help you get as close to it as possible. Our intuitive system is an ultra-secure collaborative platform that automates your legal department's core processes.

MODULES INCLUDE:

• Contract management – get insight into every stage of the contract lifecycle with our secure CLM portal. Time-stamped alerts, smart tagging, and intelligent archiving streamline even the most complex contracts with flexible user access rights for enhanced security.
• Legal entity management – maintain complete oversight of all legal entities while centralizing and securing all disparate documentation under one platform.
• Documentation library – allow users to search for, share, and work on confidential documents from a secure location. Users can set access privileges, view real-time reports of all library activity, and track metrics to monitor use.

In the face of growing cyber threats and mounting pressure on legal departments to take a leading role in cybersecurity, DiliTrust prides itself on delivering trusted legaltech tools that meet the most rigorous industry standards as well as fulfilling domestic and international compliance requirements.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.