Navigating online breaches is top of mind in the AI-driven age
In an era where digital transformation and cyber security are pivotal to the success of major corporations, Charles Daoust’s role at Air Canada is more crucial than ever.
As senior legal counsel at the iconic Canadian airline, his insights into the complex interplay between cyber security, marketing, and commercial law offer a unique perspective on the challenges faced by modern businesses. And the first major challenge that springs to mind? COVID and its impact on cyber security, of course.
“The last five years have been challenging for everyone, particularly when it came to cyber security during the COVID pandemic,” says Daoust. “Everyone went online in a matter of weeks – even days. Law firms and companies had to adjust quickly to this new reality of having almost all employees working remotely.”
‘Ransomware - we all know the drill’
Daoust underscores the accelerated pace of digital adoption and the accompanying legal challenges. And one of the most significant legal challenges he addresses is the rise of cyber threats – especially ransomware.
“Ransomware, being a big issue, we all know the drill,” he says. “You get locked out of your systems, you're asked to provide bitcoin or financial compensation in exchange for the information that they have compromised – ‘they’ being threat actors.”
And Daoust isn’t alone in his concerns around cyberattacks. According to research from Astra Security, there are around 4,000 cyberattacks every single day – happening on average once every 14 seconds. What’s more, data from GetApp found that over the past three years, phishing activity has soared by more than 40%, with 45% of employees targeted falling victim to impersonation attacks while 30% received fraudulent package delivery alerts.
It's clear that even as cyber security becomes more sophisticated, so too does the art of the scam. Will companies that fall victim ever get their money back? What are the legal repercussions of a cyber data breach? How can employers educate their people around the ever more pervasive risks?
“All of these questions are really hard to answer because threat actors are getting better by the day,” adds Daoust. “Large organizations, such as large law firms or legal departments or really any company with a big number of employees are prime targets for phishing campaigns. Some of these campaigns are sophisticated and use different tactics designed to evade typical cyber security measures deployed by these organizations.”
‘It’s about raising awareness amongst clients and employees’
But it’s not just employee phishing scams that legal departments need to ready themselves for. In the digital world, the legal aspects of brand protection are critical in the context of cyber security.
“It's all interconnected to the cyber security,” says Daoust. “Brand protection has evolved significantly in our ever-changing digital marketplace. It’s about raising awareness amongst clients and employees to be mindful on the web.”
A key objective of cyber security is to protect the brand and reputation of a law firm or a company that can be subject to a data breach.
Policies, plans, training and awareness are also critical in combating cyber threats here.
“If you have properly trained personnel, such as lawyers, paralegals and all the administrative [teams], then everyone with access to a given system that holds data will have a basic understanding of the terminology and concepts of cyber security,” Daoust adds. The legal sector needs a comprehensive understanding of cyber security concepts to effectively manage the associated legal risks – such as confidentiality, integrity, and availability. Concepts that are becoming ever more important include Multi-Factor Authentication (MFA) and encryption.
“MFA adds a layer of protection to employee accounts, ensuring it's the actual employee logging in,” he tells Canadian Lawyer. “When there's an onboarding of those tools, it is important to make sure to review all the IT security standards and to make sure that they're safe and secure. One question here is how do we do this without significantly affecting our operations? The good news is that SaaS and cloud-based solutions are still extremely popular.”
This is where you can focus a bit more on the IT security standards of the SaaS solution you're onboarding, according to Daoust, and make sure that MFA is in place and that employees have robust passwords for logging into those systems.
“I think these are the first questions to ask. Having backups and ensuring that appropriate controls are in place to protect backups. Make sure that, if a threat actor does get into your system, you know you have a good backup frequency and that the data most critical to your organization is safeguarded.”