Rising number of cyberattacks ‘without smoke or fire’ say Lavery experts

Vigilance critical as businesses grapple with ever-evolving threat landscape

Rising number of cyberattacks ‘without smoke or fire’ say Lavery experts
Eric Lavallée and Selena Lu are both partners in Lavery’s Business Law Group

This article was produced in partnership with Lavery Lawyers.

Mallory Hendry of Canadian Lawyer sat down with Eric Lavallée and Selena Lu, both partners in the firm’s Business Law Group, to discuss the safeguards businesses should be looking at.

As recently as a few years ago, most of the small- and medium- sized enterprises (SMEs) Lavery Lawyers dealt with had no plans in place in case of a cyber incident. But now, as businesses grapple with a changing landscape that includes the impact of the global COVID-19 pandemic and emerging considerations such as shifting governance requirements, “we want to discuss the increasingly important awareness and preparedness required from our clients to face cybersecurity challenges,” says Eric Lavallée, partner and trademark agent in the Business Law Group at Lavery.

“We’re in a situation where we strongly recommend our clients have a plan – and it needs to be in constant evolution,” says Lavallée. “They could have very good technological measures, but when there’s a new challenge they need a good governance structure. That’s the most important change we’ve seen in the last couple of years.”

Along with colleague Selena Lu, Lavallée is focused on bringing awareness to clients and assisting them in implementing appropriate cybersecurity procedures. Over the last year, the duo developed tools for SMEs to increase their knowledge about and vigilance around cybersecurity, including a 60-question questionnaire that helps foster a better understanding of what the business has in place in terms of governance, human resources, IT and software. They then meet with the client to go over responses, discuss best practices and make recommendations. The hope is that by filling out the questionnaire, they start thinking about things they may not have considered before, says Lu, also a partner in Lavery’s Business Law Group.

“Nowadays it is not a matter of if, but when a cyberattack is going to occur and it needs to be part of the strategy of every company, at every level,” Lu says, adding having the right competency on the board has become even more vital considering they now have legal obligations regarding cybersecurity, such as Bill 64 requiring them to name someone responsible for personal information.

Whether it is a change in technology or putting in place the right people around an issue, businesses need to actively manage risk through vigilance, training and having that crucial adaptable plan in place. Lu compares it to a fire drill exercise: when there’s a cyber incident, everybody needs to know where the closest exit is, how to evacuate and where to meet up as well as who to call for assistance ­– ideally as quickly as possible.

Though the incidents people tend to think of involve waves of ransomware that made the fact there has been an attack obvious – frozen computers, employees receiving messages that the information was diverted by hackers, or ERPs being taken over, for example – “among the more interesting challenges our clients are facing are a rising number of attacks without smoke or fire,” says Lavallée, who along with Lu wrote a recent blog post on the subject.

“The threat now is if you don’t have a good plan, you may never notice they’re taking your trade secrets or personal information from your clients away from you,” he says. “That kind of attack is a silent attack, and it is very dangerous for a company. Once they realize the situation, if they’re not ready to take immediate action, it is probably too late.”

The targets are not always the big corporations that people imagine hackers want to attack – even smaller companies need measures to protect assets, Lavallée notes. There should be safeguards in place to protect against things like human error, and good governance could ensure prevention as well as control over sensitive information of the business in the face of an attack.

And it is not always the technological that businesses need to be concerned about, Lavallée says. He points to a client he had, a small company in the food industry, whose founder was a computer scientist. The client assured Lavallée that all assets were in the cloud and secure. But when Lavallée visited the company for a meeting one Friday afternoon, nobody answered the front door. Walking around back, Lavallée saw a large garage with doors open and no employees in sight. The computers were running with no screen savers and he could easily see information such as the machinery controls and the recipes used. While their cloud was indeed extremely secure, “they forgot that cyber security also includes physical measures.”

“Some best practices seem simple but are critical – like locking your doors or calling your supplier after receiving an email asking you to change bank accounts for your regular payments,” Lavallée says. “That’s why we need to talk to the clients, because sometimes they just see part of the problem and rely too much on technology itself to protect them. Those common-sense measures are part of cyber security, even if they’re not technological.”

Ultimately Lavallée and Lu want awareness of and protection against cyberattacks to be common knowledge for SMEs, especially in the face of ever-evolving threats. Lu points to the pandemic, and the speed with which companies brought in new technology to enable a remote workforce: it is a positive shift because during a challenging time it kept businesses running, provided opportunity and enabled growth – but it is a change that’s led to greater risk exposure and therefore calls for increased vigilance and preparedness.

“Since the pandemic, it is a matter of survival – these businesses don’t have a choice anymore,” says Lu. “We’re able to do business around the world, but we have to figure out how to protect ourselves from all the threats around the world as well.”

Eric Lavallée is regularly called upon to assist businesses of all sizes, from start-ups to large corporations in drafting licensing agreements and business contracts in high technology as well as implementing protection and due diligence strategies for their intellectual property needs. He also runs the Lavery Legal Lab on Artificial Intelligence (L3AI).

Selena Lu’s practice focuses on mergers and acquisitions and the drafting of standard contracts. She frequently advises clients abroad on commercial law matters relating to investment and expansion in Canada. Selena offers practical and innovative solutions to her clients, who are mainly entrepreneurs and owner-operators.