
Consider the following scenario: you get a call from your head of information technology telling you that the organization’s network was targeted by hackers and that information related to your members, employees, partners and other stakeholders was likely stolen. The scenario is not as far-fetched as it may seem. In fact, cyber-attacks have been steadily increasing in sophistication, frequency and magnitude, with the media reporting what appear to be major cyber-attacks on an almost weekly basis. In such an environment, how should organizations prepare for the unexpected? While the challenge is significant, it is not insurmountable – so long as management is engaged and has a clear plan for how to respond to a cyberattack.

The term “cybersecurity” generally refers to the technical, physical, administrative, and organizational safeguards that an organization implements to protect, among other things, “personal information”, trade secrets and other intellectual property, the network and associated assets. When it comes to cybersecurity, an organization’s Board of Directors and/or its officers have a risk oversight responsibility – meaning that they must oversee the corporate systems that ensure that cybersecurity risks are properly managed.

In many instances, the impacts of a cyber-attack (e.g., reputational harm, litigation, cost of remediation, etc.) can be significantly mitigated where management has taken steps to prepare the organization to respond quickly and effectively to a cyber-attack.

Preparing Your Organization

There are several steps management can take to prepare their organization to withstand a cyber-attack. Although these measures will not entirely eliminate the possibility of a cyber-attack, they will certainly mitigate the negative consequences of such an attack and also serve to demonstrate that management had acted diligently.

  • Know Where You Stand. In order to prepare adequately for potential cyber threats, map out your organization’s networks and IT systems, including a clear understanding of what the key business functions are, as well as where the organization’s critical data resides and how it is protected. Consider encrypting all critical data and limit your employees’ network privileges to only those required for them to carry out their duties.
  • Build a Cyber Monitoring Team. Communication and coordination between different departments is critical to effectively counter cyber threats. Consider building a team consisting of knowledgeable managers and professionals (internal and external) who will meet regularly to assess threat levels, discuss how to address gaps and make recommendations to management on how to protect the organization’s digital assets. The team should not be limited to or be the sole responsibility of your IT department – rather, the team should also include legal and management executives. Care should be taken in putting together the team by ensuring that the right people are around the table and that the team’s mandate and deliverables are clear.
  • Audit and Test Security Measures. Each security measure implemented by the organization should be audited and tested on a regular basis. Results of these audits should be regularly reported to management to ensure that the leadership team is aware of any potential cyber threats, understands the organization’s cyber risk profile, can assess the effectiveness of current defences and is able to take necessary remedial steps. If necessary and appropriate, consider engaging third party security experts to conduct audits or suggest remedial measures.
  • Educate and Train Staff, Then Repeat. Training staff is a critical element of cybersecurity (if not one of the most critical). They need to understand the importance of protecting the information held by the organization. To do so, staff will need a basic grounding in potential cyber risks and in how to make good judgments online when faced with cyber threats such as spear phishing.

    Staff need to know and understand the policies and best practices you expect them to follow in the workplace (e.g., how to avoid cyber threats such as spear phishing or how to secure data when traveling to offsite conferences or meetings). These policies should be drafted in simple and practical terms.

    Since cyber threats are constantly evolving, ensure regular staff training, including holding refresher workshops.
  • Be Aware of Supply Chain Risks. Address potential vendor and supply chain risk by restricting access to your network to only what is necessary. Organizations should consider requiring vendors to provide notice of suspected breaches, require third-party security audits and obtain adequate indemnification. Organizations will also want vendors to ensure that they (and their employees) follow proper cyber hygiene.
  • Cyber Risk Insurance. Insurance is a key part of risk management and can offer organizations significant protection in the case of unplanned events. Organizations should review their existing insurance coverage in the case of a cyber-attack. If it is deficient, consider investing in cyber-risk insurance that would cover network breaches, data loss and potential litigation costs.
  • Have a Plan. Organizations must prepare for the eventuality that they will at some point be the victim of a successful cyber-attack with their network and data being compromised. The key to handling an attack effectively is preparation. Organizations should map out key legal and other issues that will need to be addressed in the case of a cyber-attack (e.g., notification to regulators or security agencies, use of solicitor-client privilege, escalation of communications to senior management, business continuity plan, public relations strategy, etc.).

Responding to a Cyber Attack

Many analysts believe that it’s not a question of “if” but rather “when” an organization will be the target of a successful cyberattack. If an organization believes that it has been the victim of a cyber incident, the steps it takes in the moments following this discovery will be crucial in mitigating the legal, business and reputational fallout.

  • Activate the Response Team. Upon discovering a cyber incident, the organization should immediately activate the incident response team which should include representatives from relevant parts of the organization (e.g., legal, IT, human resources, etc.). The incident response team should diligently record all steps taken from the time the incident was discovered (e.g., a description of all incident-related events, details of all communications regarding the incident, a description of each employee's duties in response to the attack, a listing of how each network system was impacted by the cyberattack, etc.).

    At this point, the organization should seriously consider retaining external legal counsel (who has cybersecurity response experience) who will engage an outside forensics team to determine the scope of the breach and prepare any written reports. Direction by outside counsel will help protect information and evidence collected under solicitor-client privilege, a key factor should the cyberattack ultimately result in litigation.
  • Containment and Assessment. The cyber incident team should move quickly and take steps to contain the breach, including (i) blocking any authorized access to the network, (ii) implementing steps to recover and/or restore any lost information or data, (iii) considering shutting down the network (or part thereof) that has been compromised, (iv) revoking or changing network access codes, and (v) implementing steps to address any weakness in the network. If the breach appears to involve theft or other criminal activity, the organization should notify law enforcement.

    Gathering accurate information and employing countermeasures as quickly as possible may limit the scope of the cyberattack, defend the system from additional attacks, and provide law enforcement with information to begin its investigation.
  • Preservation of Evidence. Preservation is critical when dealing with a cyber incident: the more evidence that is collected and preserved, the better positioned the organization will be to ascertain how its system was hacked.

    After the necessary information and evidence of an attack has been preserved, the organization should begin to transfer its information onto a “sanitized” system. When transferring information/data, care should be taken to ensure that the new data is completely free of any documents that were compromised. In order to maintain authenticity of the documents, access to the documents should be restricted and a clear chain of custody should be maintained.
  • Notification. Assuming that the cyber incident has resulted in data being compromised, the organization should consider its obligation to notify (i) individuals whose information was compromised, (ii) law enforcement, (iii) the organization’s insurer, and (iv) financial institutions, credit card companies or credit reporting agencies.

    Notification can be an important mitigation strategy that has the potential to benefit both the organization and the individuals affected by a breach – if managed properly. If a cyber incident creates a risk of harm to the individual whose information was compromised, those affected should be notified. Prompt notification to individuals in these cases can help them mitigate the damage by taking steps to protect themselves.

    Each incident needs to be considered on a case-by-case basis to determine whether, for example, privacy breach notification is required to the appropriate privacy agency (e.g., office of the federal and/or provincial privacy agency).
  • Preventing Future Attacks. Once the immediate steps are taken to deal with the immediate consequences of the cyber incident, the organization should take the time to investigate the cause of the breach and consider whether to develop and/or refine its existing prevention plan. The level of effort should reflect the significance of the breach and whether it was a systemic breach or an isolated instance.
  • Prepare For the Fallout. Depending on the nature and scope of the cyberattack, the organization should be prepared to deal with the potential fallout related to the cyber incident. In some instances, the organization will need to manage potential reputational harm, deal with litigation and address the financial impact of the cyber incident for several years. In all instances, the key will be to inform management and to have a clear roadmap on how the organization intends to deal with the consequences of the cyberattack.

Organizations that have been the victim of a successful cyber-attack will admit that it can be a crippling event, especially if the business was not prepared. The key to mitigating the risks associated with a cyber-attack is to be aware of the threat and be prepared to respond effectively to a cyber-attack.