Lexpert Magazine

September 2017

Lexpert magazine features articles and columns on developments in legal practice management, deals and lawsuits of interest in Canada, the law and business issues of interest to legal professionals and businesses that purchase legal services.

Issue link: https://digital.carswellmedia.com/i/864045


from different IP addresses. "If you're an e-commerce or other business completely dependent on your IT infrastructure, to have your systems completely shut down or paralyzed is catastrophic in many cases," says Ahmad.

Whether to pay a ransomware demand is, therefore, not an easy decision to make. When the University of Calgary was attacked in June 2016 and its computer systems coopted, it decided to pay a $20,000 demand (the university had cyber insurance, including for ransomware).

"Email was available to all faculty and staff users within five business days of the attack," Karen Jackson, General Counsel, said in an email interview. "There is no indication that any personal or other university data was released to the public. The university chose to pay ransom and obtain the decryption keys to protect key research and information that may have been lost as a result of the encryption of laptops, desktops and servers. We did not want to risk the loss of a research scholar's life's work as a result of the attack."

The decision to pay is "a simple cost-benefit analysis," says Dolan. "In one of our cases, the client did a little digging and found that for virtually all of the [compromised] information they had backups, so they didn't pay. In another case, the client needed the files released quickly and couldn't establish whether the files were backed up, so they did pay."

Victim companies also need to consider whether the hackers, like many blackmailers, will release their data. "I've seen it both ways," says Ahmad. "I have seen the honest criminal, if you wish. You pay the amount, they give you the key and they walk away. On the other hand, some will take the money and give you the key. But the flip is they will come back in a couple of months and, more often than not, try to exploit another vulnerability."

Prevention is an obvious critical step to take in reducing the potential harm an attack can cause. "As someone who manages our IT, I can say we pay for top quality anti-virus protection," says Danny Schwartz, a partner at Lax O'Sullivan Lisus Gottlieb LLP. "We pay to have our machines locked down if [an attack] was to happen, so the damage would be limited. And all our data is backed up. No system is foolproof, but what you want are multiple redundancies."

Schwartz adds: "To use a low-tech analogy, at Christmas time, the burglars case houses to see whose lights are on and which homes are dark. You want yours on."

He also recommends that firms prevent visitors from logging on to the firm's network. "Back in the day, we'd give them the password to our Wi-Fi. You can't do that anymore. For years, we have had a completely segregated network for guests."

The City of Mississauga has installed its own fibre optic lines for some of its most vulnerable services, says Bench, rather than using a telecom provider or having them cloud-based. "I believe Toronto does this for some services, too," says Bench.

Determining risk is another key consideration for an organization. One way to assess vulnerability is to conduct what is often referred to as a "white-hat" exercise (also known as a red-team investigation), in which outside experts are retained to explore whether they can breach the client's defence systems. The City of Mississauga, as an example, followed this route.

"We're seeing more and more of it," says Ahmad, "but it's still not where it should be."

Hengesbaugh says that, in the US, it's mostly online clients who are conducting these kinds of white-hat exercises. "I think people who have done it have had some kind of success but I don't think it's entered the mainstream yet."

That could soon change. The demand is sufficient enough that some educational institutions, such as Humber College in Toronto, are now offering a Certified Ethical Hacker certificate program.
It's imperative, of course, to ensure that the ethical hackers, as well as any third parties that an organization conducts business with, are completely trustworthy. Unfortunately, that doesn't always happen. "It's increasingly concerning that some organizations fail to consider whether the third parties are, themselves, cyber-secure," says Nishisato, who has seen clients hurt because this didn't occur. "Issues frequently arise where there's been a data breach of the third-party service provider, and it tries to manage it on its own and doesn't disclose [the breach] to its customers." He recommends having a right-to-audit clause in third-party agreements and invoking it as required.

It stands to reason that the more cybersecurity protocols an organization puts into place, the better it will be able to respond to any breaches that occur. It will also result in lower cyber insurance premiums. In a December 2016 article, NetworkWorld.com noted that, "Last year, U.S. insurers earned $1B in cyber premiums. You can minimize your premiums by showing your insurance company you're actively mitigating cyber risks, which is a win-win: lower your risk and secure a more cost-effective insurance plan."

Not only that, it will reduce the numerous costs associated with investigating and responding to a breach. "There are many reports that say if you invest early on you will be saving two to three times after a breach," says Nishisato. "Do the calculus. Nine times out of ten, if not ten of ten, it makes more sense to spend a bit of time and resources on the risk-management side. It will help mitigate tons of your damages."

Although not every firm has the resources to spend a lot of money on prevention, just preparing a simple document, which

IN-HOUSE ADVISOR: CYBERSECURITY

IMRAN AHMAD, MILLER THOMSON LLP: "I've seen it both ways. I have seen the honest criminal, if you wish. You pay the amount, they give you the key and they walk away. On the other hand, some … will come back in a couple of months and … try to exploit another vulnerability."
