Kelly Nicholson (Field Law) was the Chair of this panel. Panel
participants were Linda Dalgetty (Vice President (Finance and
Services), University of Calgary) and Justin Fong (Partner,
Cyber-Security Division, Deloitte).
Justin detailed how cyber-attacks have risen to number five on
the world's top threats list. As the data volume of our
organizations increases, so too does our risk of attack. There are
a number of different kinds of "hackers" (ranging from those mounting
casual, limited attacks to advanced, persistent threats from hostile
nation-states). Alarmingly, most cyber-attacks go unnoticed at
first: it takes an average of 241 days to detect an attack and
begin to respond.
In May of 2016, the University of Calgary suffered a catastrophic
ransomware attack affecting a number of key areas. Linda Dalgetty
discussed the importance of utilizing your resources (including
following insurance recommendations) and ensuring your board of
governors is ready to respond in a timely manner. It cannot be
assumed that everyone involved will understand the IT language and
issues presented, and it is important to find a common language
between parties in order to develop an effective response. She
offered guidance on how to stay proactive and consistent in
external messaging, and discussed the risk-balance approach that
the University ultimately decided to take. For the University of
Calgary, reputational risk was the most important component of
their decision to pay the ransom. The nature of the
University's research work meant a loss of data could risk the
loss of an employee's lifetime of valuable research and
development work.
Justin and Linda emphasized that there are a number of steps an
organization can take to prepare for a cyber-attack and respond in
a timely manner. In these situations, the first 24 hours are
critical. Running regular, thorough assessments of your
operational, reputational, and financial risks will ensure you and
your organization are not caught unaware by one of the biggest
threats of the modern era.