COVID-19 & Cybersecurity Risks

On November 2nd and 3rd, I was given the opportunity to attend the Canadian Technology Law Association (CAN-TECH) annual conference. At the forum, I learned more about the legal aspects of technological COVID-19 responses, proposed frameworks for digital identity, financing and start-ups in the current environment, working from home and its impact on diversity, and the latest legal developments related to privacy, cybersecurity, video games, and artificial intelligence. I particularly enjoyed the plenary session on “Cybersecurity: Shielding Your Clients from Expanding Threats” because of my interests in cybersecurity and privacy law.

In the cybersecurity plenary session, the experts discussed the recent cybersecurity threats in the midst of the COVID-19 pandemic. The global COVID-19 pandemic has been said to add “new elements” to the threat environment, leading to a drastic increase in the volume of cyberattacks and breaches during the past 12 months in Canada. In Canada, more than a fifth of businesses experienced a cybersecurity breach that negatively impacted their operations. Ransomware is one example: hackers infect a computer or network with viruses that encrypt the data and hold it “hostage” until a ransom is paid. Ransomware attacks cost Canadian companies around $2.3 billion when downtime costs are factored in.

Moreover, hacking groups, like Maze and REvil, are increasingly conducting double extortion attacks where hackers exfiltrate and download sensitive data before launching a ransomware attack. The attackers can maximize their chance of getting the companies to pay the ransom by threatening to sell or auction the encrypted data. Most of these cyber attackers demand the ransom in cryptocurrencies, making it very difficult for law enforcement agencies to track and investigate the crimes.

The attackers choose businesses and organizations of different sizes for various reasons. For instance, health care providers, law firms, government organizations and large companies are often targeted by advanced persistent threat (APT) attacks, which require the attackers to carefully research and choose their victims over a long period. Executing an APT attack usually requires more resources than other attacks and is typically done by experienced and financially-backed cybercriminals. Cybercriminals might choose to attack large companies to demand greater ransom payments.

Cybercriminals also choose small and medium-sized organizations and businesses because they are seen as soft targets that do not have the same level of preparation, protection and resources. Moreover, small and medium-sized companies often outsource their IT needs to third parties, creating another level of cyber risk for them to mitigate. Consequently, small and medium-sized companies must get cyber insurance, which will allow them to access resources that may otherwise not be accessible to them. Cyber insurance may also provide coverage and protection for liability regarding third-party risks.

Though having cyber insurance is extremely important, cybersecurity risk mitigation and management practices are critical to minimize the harm caused by breaches. It has been said that 90 percent of successful breaches are initiated through phishing emails, malicious attachments, unpatched systems or “vulnerabilities,” or lack of two-factor authentication systems. To mitigate an attack, best cybersecurity practices, such as having a detection plan, threat intelligence, disaster recovery, training, fire drills and having sufficient back-ups, must be in place prior to the attack. Adopting and applying the best cybersecurity practices is incredibly important during the pandemic for those who work from home in an environment that might not have the same formal cybersecurity protections and processes in place. This is especially true for lawyers, who have to meet their professional responsibilities such as the obligation of confidentiality, privilege, and the duty of technological competence. It is very important to know and meet these professional and ethical responsibilities even as a law student. Hence, I am very happy that I was given the opportunity to attend this conference, as it taught me a tremendous amount about the most recent and significant developments in Canadian and international technology law.

Written by Elif Babaoglu. Elif is a contributing IPilogue editor and an avid privacy and tech-law enthusiast with a particular focus on artificial intelligence.