How Your Legal Department Can Support Your Corporate Cybersecurity Strategy

As tensions rise in Europe, cybersecurity experts are warning corporations to be on high alert for a possible Russian cyber attack, so if your organization is still putting the finishing touches to its security strategy, now is the time to prioritize protection.

Cyber attacks rose by 800% following the outbreak of conflict in Ukraine. While those in finance, government, and infrastructure are most at risk, attacks can happen to any organization with an internet presence.

Geopolitical events may have made the issue more urgent, but cyber crime has been on the increase since the pandemic began, spiking as online activity increased. From ransomware to DDoS attacks, the risks are growing as hackers become increasingly inventive.

Corporate legal departments have a key role to play in helping their organizations get ahead of these risks, taking a proactive approach to root out areas of vulnerability while drawing up plans on how to mobilize in response to threats and sustain operations in the event of a breach.

Creating an effective security strategy can’t be the sole purview of CISOs and senior executives. General counsel should have a seat at the table, making sure policies are in line with global and domestic regulations around compliance and privacy, as well as identifying liabilities.

Involving these key players is just one of many industry best practices around cybersecurity as companies employ all the defenses at their disposal to combat risk.

Cybersecurity best practices

Company-wide engagement & training

The cause of most cyber attacks is human error, with sloppy security habits responsible for over 80% of cyber incidents.

Unfortunately, hackers know this, and many of their modes of attack are designed to dupe unwary employees into giving them access to the company's systems. Many of these attacks take the form of phishing (where victims are enticed into revealing personal information such as passwords) or business email compromise (where hackers impersonate senior staff to request confidential information or payments via email).

Training employees to become more cyber aware means training them to adopt a ‘zero trust’ mindset, so they’re skeptical of unusual activity and can quickly pinpoint red flags. Staff should also be trained in good cyber hygiene, such as choosing strong passwords, handling email carefully, and protecting their devices.

These efforts need to involve employees at every level, from senior executives and board members to new interns, to ensure everyone is up to date on the organization’s security policies and protocols.

Secure remote working environments

With the workforce moving to a remote or hybrid model, it’s important to secure personal devices, cloud services, and other points of entry into the system, as these present easy access opportunities for hackers.

Mobile malware targets personal devices, looking for a backdoor into a company’s systems via messaging or other apps. As more employees work out of the office, doing business from a smartphone or tablet, it becomes even more crucial to lock down devices with tools such as multi-factor authentication, password managers, and other security apps.

Disaster planning

Once your organization has a cybersecurity plan in place, it’s important to put it to the test.

Putting the strategy through its paces in a no-risk sandbox environment helps stakeholders quickly home in on its strengths and weaknesses, with the flexibility to address those areas as needed.

Simulated attacks are also an effective way to train employees, getting them familiar with their responsibilities in the event of a breach.

Resilience

Cyber experts often talk about resilience, but what does that exactly mean in this context?

The World Economic Forum (WEF) has identified four main components of resilience:

Anticipate – Plan for a myriad of threats, including both existing and emerging risks.

Withstand – Build layered defenses that offer several means of protection rather than relying on a single solution, and run through scenarios to thoroughly test each layer so you can be confident it is as sturdy as possible.

Recover – Comprehensively map out different responses to different threats, so counsel know exactly what to do if and when cyber criminals strike. Recovery efforts should focus on limiting damage by quickly identifying a breach and securing systems, as well as on next steps around liabilities and maintaining operational capacity.

Adapt – Technology never stands still, and neither should your security. An effective strategy must be flexible enough to pivot to meet emerging threats.

Uptake of technology

According to a recent WEF report, 81% of senior executives believe that digital transformation is the main driver in improving cyber resilience.

Multi-layered digital defenses are your organization’s best weapon against hackers, and advances in legal tech offer robust protection.

Automating formulaic tasks such as contract management, document archiving, and litigation monitoring doesn’t just free up legal department resources; it also reduces human error, which improves security.

Using a centralized hub for board communications and entity management also helps reduce risk, consolidating all activity in a secure portal with highly controlled access, enhanced visibility, and greater transparency than disparate systems can offer.

The role of the Corporate Legal Department in creating and implementing a cybersecurity framework

The primary function of any corporate legal department is to protect its organization from liability and ensure compliance with applicable legislation.

In a cybersecurity context, this means keeping abreast of data privacy regulations. If your organization does cross-border business, it needs to comply with global standards such as Europe’s General Data Protection Regulation (GDPR), as well as those in force here in Canada, such as the Personal Information Protection and Electronic Documents Act (PIPEDA).

Regulations can also vary according to jurisdiction and sector, so companies operating in Canada should be aware of provincial requirements as well as federal ones. While PIPEDA is the overarching legislation, Alberta, Quebec, and British Columbia have their own privacy regulations, similar in scope but local to those provinces.

The Bank Act applies to the use of personal financial information by federally regulated financial institutions in Canada, while health-specific privacy laws apply to organizations working in the healthcare sector.

Wherever a company stores its information, it must abide by the rules in that particular location. So bear in mind that if your organization does business in the US, it will be subject to the Freedom Act and the CLOUD Act, both of which give the federal government the power to access confidential material under certain circumstances.

Knowing the legal responsibilities and ramifications around data privacy and protection is the first step. Disseminating that information to CISOs is the next. While the IT department doesn’t need to know the minutiae of each law, it should be aware of compliance obligations so it can tailor its technical controls accordingly.

How the DiliTrust Governance Suite supports cybersecurity efforts

The DiliTrust Governance Suite is a market-leading Software-as-a-Service (SaaS) solution for corporate governance and legal activities, designed with security in mind.

Compliant with the highest industry security standard, ISO 27001, our platform allows you to move sensitive corporate data from multiple unsecured services and locations to a centralized hub where you can confidently edit, share, or archive it as needed.

Comprising five individual modules, the suite’s stringent privacy features include password protection, 256-bit data encryption, security audits, and penetration testing with input from forensic security experts.

  • Our collaborative Board Portal secures board communications while keeping every item readily accessible so they can be edited and shared as needed without exposing the organization to risk.
  • The ultra-secure Documentation Library archives sensitive documents while allowing for secure user access and sharing. Admins have complete visibility so they can track and log every interaction and keep updated audit records.
  • The Entity Management module allows for greater visibility into subsidiaries, offering more transparency so head office can quickly identify weak spots before they’re compromised. Organizations need clear lines of communication between all entities and the platform facilitates this with secure sharing and real-time oversight.
  • Streamlined Contract and Litigation Management solutions automate time-consuming tasks, reducing the risk of error and helping companies stay compliant with data protection legislation.

With the DiliTrust Governance Suite, security is built into every step of the legal department’s processes, making it an invaluable toolkit for implementing cybersecurity best practices. Contact us today to find out more or book a demonstration.