Lavery: What to do before, during and after a cyber incident?

Telecommuting, data storage in the cloud, the development of intelligent diagnostic support and process automation tools, combined with the growing sophistication of computer attacks, mean that all organizations are vulnerable to a possible cyber incident. A meeting with two lawyers specializing in cybersecurity from Lavery.

Cybersecurity is more than ever an issue to which organizations must pay particular attention, regardless of their size and sector of activity. And for Lavery, the very concept of cybersecurity is very broad. It covers not only the highly publicized issues of personal information and the leakage of this data, but also trade secrets or interrupted business operations. The team has developed a range of services to support SMEs by offering a preventive approach to cybersecurity.

“To achieve this, we had to develop an internal culture of cybersecurity to better make the links between our different legal sectors in order to better play our advisory role and to bridge the gap between governance and the language of IT specialists, who ensure the deployment of technical measures. It was the key to being able to offer a complete solution to companies,” explains Éric Lavallée, partner and director of the artificial intelligence laboratory at Lavery.

Pervasive Vulnerability

Historically, the firm has always had this expertise in technology law and the protection of personal information. However, technology-related risks affect all areas of law — intellectual property, governance and labor law in particular — and Lavery has adapted its service offering accordingly. “For an SME, when you think about technology law, you don’t always feel challenged. However, it affects the whole [business ecosystem]. This is why, in our cybersecurity initiatives, we insist on the fact that it concerns us all. As soon as a company uses the Internet, the risk of a cyber incident exists,” adds lawyer Selena Lu.

Even companies that have the best protection technologies can be just as vulnerable if they don’t have policies in place to regulate the use of IT tools. “Humans are often behind a cyber incident,” continues the lawyer. “Technology does not protect against social engineering. Just think of the e-mail announcing a change in a supplier’s bank account. Cybersecurity is a combination of technological, physical and governance factors.”

Governance and cybersecurity

“In terms of commercial law, there is also the whole contractual aspect: how to adapt contracts with suppliers and partners, communications and the entire decision-making system. Will the provider adequately protect the information I share with them?” says Éric Lavallée.

In terms of governance, there are also obligations on the part of managers and directors that directly concern the IT security of a company or organization. “We must exercise caution and diligence and ensure that the company’s assets are protected. If this is not done, the company may face legal action and the directors could incur personal liability,” warns Selena Lu. (Law 25) provides, among other things, that the person with the highest authority in a company or organization must ensure the implementation of such measures and that he is under the obligation to disclose any computer incident threatening the data held by a business.

“It’s important to adopt policies that are not solely focused on very technical aspects, such as encryption methods or data transfer processes,” suggests Mr. Lavallée. “We must approach the risk from the angle of vigilance while remembering that it will have to be adapted and updated by following trends in cybersecurity. For example, a company should consider implementing a policy governing employee behavior on the appropriate use of a company’s computer equipment. This is also accompanied by appropriate sanctions, but it is still necessary that the company has given clear instructions to the employees.” In this regard and to properly support its clients, the Lavery team has developed its expertise in cybersecurity by forging links not only with other international firms, but also with the university research community and in the information technology ecosystem.

The tipping point is reached

The methods used to carry out a cyberattack are evolving. According to experts, we are now seeing an upsurge in spyware used to seek out sensitive information. Phishing is still very present, and above all more sophisticated, so as to better imitate the communication style of a company or supplier. Also, security vulnerabilities are still scrutinized by hackers.

For the two lawyers, there is no doubt that cybersecurity is everyone’s business, “especially since the pandemic, when we are teleworking. We have reached a tipping point. It is becoming a concern for society: cybersecurity has major economic impacts and all companies must be concerned about it, depending on their reality, from the self-employed to large companies,” specifies Éric Lavallée.

In a hyper-connected world, no company is safe from suffering a cyber incident which can result in a data leak with harmful consequences not only for the reputation of an organization with the public, but also for the management and continuity of its day-to-day business. For a company, a first step towards better protection requires an accurate assessment of needs and risks: “In a fraction of a second, many company secrets and personal data can be shared,” says Ms. Lu. information security and privacy by default and not seeing these efforts as steps that will come later, often in response to an incident. The culture of cybersecurity must be established at the heart of organizations in a collaborative approach and be supported by specialists aware of the latest trends. »

Ask the right questions

For more information, it is possible to download the white paper on cybersecurity and its tools by clicking on the following link:

This content was produced by Le Devoir’s special publications team in collaboration with the advertiser. Le Devoir’s editorial team had no role in the production of this content.
