We spoke with Emeline Manson, trainer in fraud prevention and cybersecurity, and Erwan Jonchères, associate lawyer and head of the data division of Lex Start Avocats, to understand the importance of updating one’s cybersecurity knowledge.
1 – The threat has changed
The risk of having your computer or even your phone hacked is not new. However, it seems that the threat is more present since the beginning of the pandemic. Is this really the case?
“The threat is much more personalized,” answers Emeline Manson. “It used to be that cybercriminals would send a hook to a mass of people and wait for them to bite. Nowadays, hacking attempts come in the form of an institution you trust or a colleague in your network.”
The trainer gives the example of frauds proceeding by hacking a LinkedIn or Facebook account. It is indeed confusing to receive a private message from a friend or colleague inviting us to click on a corrupted document or link.
“There’s a lot more social engineering going on than there used to be,” she summarizes. “Cybercriminals are appealing to our emotions to convince us to click on fraudulent links.”
The cybersecurity expert reminds us that, since the pandemic began, we’re also more connected than ever:
“When telecommuting, we’ve become accustomed to sharing documents on different platforms, which opens a door to new phishing attempts.”
2 – The laws have changed
Besides the purely technological aspect, the other fundamental element that has changed in the last year on the cybersecurity front is the legislative framework. Quebec, for instance, has followed the example of the most stringent states in terms of privacy (think of the European Union’s General Data Protection Regulation or the California Consumer Privacy Act) by adopting the Personal Information Protection Act (Bill 64).
“We’ve given a lot of rights to individuals, and now we’re trying to protect their ability to manage their personal data,” explains Erwan Jonchères. “The consequence is that we’re putting heavy obligations on companies, under pain of huge penalties.”
Unfortunately, too many executives are unaware of the changes they must soon make in their own companies. In a May 2021 PwC survey, 37% of Quebec business leaders said they “do not understand the impact” of Bill 64 on their organization.
“When you talk to them about Bill 25 or Bill 64, many are not aware of what is coming or have only a vague idea, not knowing that, already, on September 22, 2022, the first provisions come into force,” said Emeline Manson. “There is still a lot of information work to be done on this subject.”
3 – Because it is both “simple”… and “complicated”!
The subject of cybersecurity may seem daunting to some. However, Emeline Manson is reassuring about the complexity of the basic principles for reducing one’s exposure to cyber risks.
“If you take each concept individually, it’s still pretty simple. What’s complicated is getting people to change their behaviour. It’s uncomfortable at first. If you want to get them to adopt safer practices, it requires change management within the company.”
The goal is not to achieve zero risk, warns Erwan Jonchères. Different strategies can be put in place to reduce risk, but other strategies will have the effect of mitigating the impact of an incident, should it occur.
“I like the image of an apple tree where the lowest apples are the ones you pick first,” says the Lex Start lawyer. “With every measure we put in place – whether it’s dual authentication, using a password manager or a robust backup strategy – it’s kind of like we’re getting off the ground and reducing our vulnerability to cybercriminals.”