As COVID-19 forces businesses to shift to remote work, leaders must safeguard their organizations from heightened cyber risks. Blakes lawyers discuss the challenges and share strategies to navigate cybersecurity in the time of COVID-19.
Mathieu: Hi, I’m Mathieu Rompré.
Peggy: And I’m Peggy Moss. This is episode 2 of the Blakes Continuity podcast.
Mathieu: Today on the Continuity podcast, we will hear about some of the big questions clients are raising with respect to cybersecurity in the time of COVID-19, and frankly, at any other time, too.
Peggy: Questions such as: "How likely is a ransomware attack?"
Mathieu: Do businesses need to update their cyber plan in light of the current health crisis?
Peggy: And what do you do if you’re offered 4,000 bitcoins from a distant relative who died without an heir? Seriously, though, I didn’t even know I had an Uncle Morton, and if I just click on this link, I can accept a transfer…
Mathieu: Wait… Peggy, Peggy, no. No, do not click on anything, please.
Peggy: Ah, right. Oh, maybe we should bring in the pros.
Mathieu: Let’s begin with cybersecurity preparedness. Imran Ahmad is a Partner at Blakes in Toronto. We also have with us Sunny Handa, who leads the tech group at Blakes. He joins us from Montréal.
Imran, hi, thank you for joining us. Has the pandemic increased cyber risks for your clients?
Imran Ahmad: Yes, in fact we are seeing an increase in cyber threats and cyber-attacks related to COVID-19 work arrangements. There are a couple of ways that hackers are targeting organizations, primarily by targeting their IT environment. The two areas where we have seen a significant uptick in terms of cyber risk have been primarily on the ransomware side of things, as well as wire fraud. And I’ll get into that very, very quickly.
On the ransomware side, as I mentioned, what the hackers are trying to do is get access to the network and lock it up by taking advantage of one of those three big pillars of the IT world or infrastructure that the company has. What they’re trying to do is, under the guise of COVID emails or information related to "updates," have staff members basically click or download a file which will be malicious in its content and the way it operates on the system. And as a result, what ends up happening is the system either directly or indirectly will get encrypted.
The second risk that I was describing was wire fraud. Because of the fact that a lot of folks are now working remotely and don’t necessarily have the ability to pick up the phone and talk to their colleague next door or in the office, you will see hackers get into mailboxes or be able to craft emails under the guise of a COVID type of scenario, be able to provide new instructions on banking transfers or payments and if diligence isn’t deployed in those kind of scenarios, we may have a situation where funds are transferred to a fraudulent account at the end of the day.
So, we’re seeing an increase in these two areas: ransomware and wire fraud.
Mathieu: And in terms of what you’re hearing from your clients, are there issues that you would’ve expected to hear but haven’t so far?
Imran: So, I think, by and large, clients are asking the right questions in terms of IT security and broader cybersecurity practices. I typically provide them with what I call sort of my top five list of things to think about ― you know, it’s a good starting list ― they can add to it, it can be customized, and just very quickly, I’ll go through those key five elements:
1. If folks are working remotely and using network access you want to make sure you’ve got two-factor or multi-factor authentication rolled out across the environment.
2. You want to make sure that you send out frequent cyber-hygiene reminders to staff members.
3. You want to make sure that they have good protocols in place in case of any financial changes or transfers of payments to suppliers or vendors. That’s something that’s really important. It does avoid the whole wire-transfer issue if you have an analogue process in place where they literally do pick up the phone and call a colleague to validate a request of that nature.
4. You want to be able to implement password resets much more frequently. So, for example, some organizations will have password resets done every 30 days. Given the environment we’re in you may want to consider having that period shortened.
5. And then lastly, we’re all accustomed to calling helpdesk for various issues that come up. I think in the event of working remotely, where something does seem suspicious or odd, having that protocol in place to report it back to IT and have them take the proper steps and have that done quickly so that there’s no lag time is really a key element.
Peggy: Thank you, Imran. Sunny, would you be willing to give us a sense of the kinds of issues you’re seeing on the cybersecurity front from clients these days?
Sunny Handa: Sure. You know, we’ve had a lot of experience over the past couple of years dealing with all sorts of different breaches. What we’re noticing now ― and I don’t know if this is a result of the fact that everybody is in some form of isolation at home ― we’re seeing a lot of business emails compromised.
We’re also starting to see, you know, ransomware changes, in the sense that there are different variants that are being put out there. So, these are different types of malware we’re seeing in the market. They are pretty nasty, and we’re also seeing the ransom demands shifting.
So, it’s a toxic mix of things that I think we’re starting to see. Whether it’s as a result of the isolation or not is sort of hard to say. It’s contemporaneous, meaning it’s happening at the same time. I suspect some of it is due to the fact that people are, for example, you might be sending things to a home email address now because you’re going to be at home and so you might not be on a guarded, wall-protected system at work, so perhaps some of those are related to isolation that we’re all doing. But it could also be because we were on a bit of a curve upwards in terms of seeing cyber breaches happen ― hard to know.
Peggy: When you talk about ransomware, what kind of changes are you seeing? Are you willing to talk about it?
Sunny: Sure. We’re starting to see different variants come out with more frequency. By variant, I think it’s like sort of an apropos analogy. These are different types of viruses that are being modified. Unlike a biological virus, with these types of viruses we’re starting to see hacker groups come out with different types and unleash them.
In terms of changes, I’d say that one of the biggest changes ― the most dramatic that we’ve seen ― is the price of ransomware. Now, ransomware is not the only type of attack but it is the most common that we seem to be seeing in the Canadian marketplace, and the ransom demands, meaning the ask in terms of compensation to unlock your system, seem to have gone up quite dramatically over the past 12 months. Whereas, you know, two, three years ago we would see, you know, a few thousand dollars here and there for different types of attacks, and we’d never see anything north of hundreds of thousands of dollars. Now, it is ― I wouldn’t say it’s the norm ― but it is not surprising when we get asks in the millions of dollars for big enterprises.
Peggy: Apart from those changes both in terms of the escalation of price on the ransomware, and I’ll say the wiliness of the approach, are you seeing other issues now whether because of COVID or because of just ― we’re a couple of years into this cybersecurity practice. What are you seeing that’s changing as a whole?
Sunny: Well, I think we’re getting ― first of all, our practice has been inundated with breach work, you know, over the past year, so you know, we’ve been seeing, I guess, a growth in the service industry that services these breaches, not just ourselves ― forensic providers, you know. Also, PR firms, insurers have become much more sophisticated in terms of insuring the risks and attending to clients who might be looking for cyber insurance. So, I think that’s something that I think I’ve noticed that’s changed.
I’ve also seen businesses reaching out with greater frequency, but not enough in advance of being breached, in other words, doing the preparation work. So, you know, part of our practice is handling breaches that are in progress, which is not fun for any client to go through, but other clients are calling us ahead of time saying: “You know, before this happens to us, is there anything we need to do, or are there some best practices we need to engage in? You know, can you help us?” So, I think those are the most notable changes.
Peggy: Sunny, thank you very much.
Mathieu: Imran and Sunny work closely with our national Cybersecurity team, including litigator Nicole Henderson, who joins us now. Nicole, you often become involved following an incident. In order to respond properly, is there anything companies need to be thinking about right now?
Nicole Henderson: Well, from a litigation perspective, our approach to breach response is always focused on minimizing or mitigating litigation risk as much as possible, particularly class action risk. And so, we would really encourage organizations to be thinking very carefully about their cybersecurity incident response plans at this time.
So first of all, of course, if your organization doesn’t already have a cybersecurity incident response plan, this is really a key time to develop one. And if you do, it’s also a good opportunity to take the time to review it carefully and think about whether any adjustments are going to be necessary to address the current circumstances. So, just as an example, a common first step in a breach response plan is to assemble the key people on your breach response team.
So, ask yourself now: Do you know how to connect with those people quickly in a world where you all may be working remotely? Or if you’re locked out of your system due to an attack, do you have home or cell phone numbers for everyone on your team in a world where you can’t just walk down the hall and let them know what’s going on? Would you have secure methods of communicating with all those people? Those questions sound simple, but in a crisis response scenario, you don’t want to have to spend precious hours thinking through how to adapt in the moment. Better to do that thinking upfront and be confident that your organization will be prepared to act quickly and decisively if the worst happens.
Imran: And just building on what Nicole mentioned, one of the things we have seen being a big factor in terms of an effective response is the speed of execution. So, all of the elements that Nicole mentioned with respect to the cyber response plan and the type of tweaking that the organizations have to make to it are absolutely critical. For example, even thinking about insurance and forensic firms that may be required to help in a crisis scenario while folks are working remotely is going to be a key element to be addressed in the incident response plans, so that you can reach out to them quickly and that they can get proper accesses so that they can start to work on remediation.
Who do you contact obviously internally, but external vendors is really key when it comes to an effective cyber response. In fact, there is a direct correlation in terms of speed of execution to responding to an incident, and the ability of an organization to mitigate the impact, or at least the very negative impacts related to cybersecurity-type of incidents.
Peggy: Imran and Nicole, whether we’re working remotely or we’re back in our offices, what kind of things do you advise Canadian businesses to start thinking about in terms of enterprise risk management, if they haven’t already started down that path?
Nicole: Peggy, this isn’t related directly to the pandemic, but for a number of years now, we’ve seen a really significant increase in cybersecurity class actions, and this really seems to be a growth area for some entrepreneurial class counsel, which is a significant enterprise risk issue for all kinds of organizations. In recent years, we’re finding that it’s not uncommon to see one or more class actions filed within a day or two of a disclosure of a significant data breach. So, things really do move very quickly, even while an organization may still be dealing with breach response.
The good news that we have seen are signs in several cases that a prompt and effective breach response really can mitigate litigation risks. So either supporting arguments against certification of a class action, or even militating in favour of a more modest settlement than might otherwise have been the case. So, this is really a good time, as we say, to be focused on these issues and not let your guard down.
Imran: From my perspective, there are two key elements that organizations can think about and start working on either within a COVID-19 world that we currently live in or when folks start getting back to the office afterwards. The first one is really understanding and managing the entity or the organization’s digital footprint. Understanding what data they have, where they keep it, and how they keep it. That data mapping, that data inventory exercise, is a really critical one, and that can have a direct impact in terms of not only just responding to a breach, but understanding what kind of legal obligations organizations may have either in Canada or elsewhere that they may be operating. So that would be number one.
Number two, and this sounds like something that we would probably hear in a school, but preparation or practice makes perfect. Making sure that organizations are really focused on the key elements of a response, maybe through a tabletop exercise, or having a revised and updated or, frankly, a practical cyber response like Nicole had outlined a little bit earlier, are going to be all key elements, including training staff on a regular basis, especially in a COVID-19 world, with what is good cyber hygiene: flagging suspicious emails; being on alert for any abnormal activity; if you get a request for an account transfer or change of banking details, being a bit more vigilant and taking that extra step to be able to verify the validity of that request.
So, these are all tactical steps, but more practically speaking, the preparation and the readiness of the organization is really something that organizations should be focusing on.
Mathieu: Thank you. Imran, Sunny and Nicole, you’ve given us a lot to think about. I know you have other presentations and bulletins coming up, as well as a cybersecurity study.
Peggy: Listeners, if you’d like more information, please check out the Blakes COVID-19 Resource Centre on our website. Until next time, stay safe, online and at home.