Cybersecurity 101: Common Sense Can Make All the Difference

The Slaw blog had a good basic post yesterday morning on cybersecurity for law firms. It made me want to share some of their advice, along with a few points of my own; most of it applies not only to professionals but to any type of organization.

As you will notice, much of this is basically common sense applied to the digital age:

  • Start by asking what types of data your organization handles, and consider what problems you would face if that data fell into the wrong hands or became unavailable;
  • Inventory all devices your organization uses, in particular those that connect to its systems or to the Internet, and make sure your personnel understand the dangers of plugging in anything unknown (for example, an infected USB stick);
  • Realize that anything you connect to the Internet (i.e. make reachable from it) can become a point of entry for attackers or malware, especially devices that have not been fully updated (including the firmware and software running on them). Make sure all your hardware and software are regularly updated, starting with your router and your computers and servers;
  • Stop allowing or using weak or reused passwords, and have everyone use a reputable password manager;
  • Better yet, require two-factor authentication (2FA) on every tool that supports it;
  • Acknowledge that employees need ongoing cybersecurity training and reminders, and actually schedule it so that it happens, at least yearly, covering things like:
    • The risks of weak or reused passwords;
    • What can happen when a browser is pointed at a malicious site or a link in an email is clicked;
    • The dangers of opening attachments, or of enabling content they ask for;
    • The concept of social engineering and its role in many attacks;
  • Know in advance whom you will call to investigate and remediate an incident, and make sure your personnel know what the plan is;
  • Do not assume you are safe because no one would bother attacking you: we are all potential victims of cybersecurity incidents, and many attacks (automated scanning, mass phishing) hit organizations that were never specifically targeted.

With Québec's passing of a new personal information statute, further to Bill 64, I'd say now's a good time to brush up on your cybersecurity practices and safeguards!

Québec Adopts New Personal Information Protection Statute

Québec formally adopted last week an overhaul of its statute regulating the handling of personal information by businesses in the province. Bill 64 was meant to bring the Québec Loi sur la protection des renseignements personnels dans le secteur privé in line with more modern legislation used abroad, including Europe's GDPR.

The revised statute imposes stricter obligations on organizations handling such data, and provides for potentially huge fines (we're talking millions) for businesses caught violating it. Yes, I think we can safely say that the province of Québec now has a real piece of legislation to govern how organizations are supposed to protect personal information when collecting, using or communicating it.

Note, however, that although the statute has been formally adopted, most of Bill 64's provisions will come into force only in September 2023, giving businesses about two years to shape up. During that time, the Québec privacy regulator (the Commission d'accès à l'information, or "CAI") will also provide guidance by issuing the rules and protocols it expects businesses to apply and abide by.

A limited number of provisions will come into force in September 2022, including the obligation for businesses to disclose security incidents that may have exposed personal information to loss or theft, for example through hacking. The Québec media report that the government intends to curb a culture of negligence when it comes to adequately handling and protecting personal information. After almost 30 years under an obsolete personal-data statute, Québec businesses certainly have work to do!

U.S. Offers $10M Reward to Help Fight Against Ransomware

The U.S. has started cranking up the heat on the cybercriminals behind recent major ransomware attacks on American businesses and organizations. This includes offering rewards of up to $10 million to anyone who provides specific information about the individuals responsible for those attacks.

The move is one of several U.S. initiatives to get a handle on ransomware, a problem fast reaching epidemic proportions. Large rewards like these may motivate citizens and businesses to investigate recent attacks and, who knows, even track down those responsible. Can't hurt!

In addition to the rewards, the U.S. is also continuing to tighten banking regulations (to squeeze those trying to cash out cryptocurrency paid as ransom) and to increase international collaboration.

The hope is that initiatives such as these will yield more information, in particular about recent sophisticated attacks that were, more than likely, sponsored by foreign states such as Russia, China and North Korea.