NOTE: This article was written for and first appeared in the June 2025 issue of The Advocate, produced by the Saskatchewan Trial Lawyers Association
Cybersecurity is a broad topic that encompasses both opportunities and risks for companies. Technology and tools are continuously evolving in both sophistication and complexity. A company’s ability to protect its systems, networks, programs and data is a critical business function. When a cyber event occurs, the impact can be catastrophic and result in business failure.
Some of the common financial impacts after a cyber event may include:
- Loss of ability to conduct business while the issue is being remediated,
- Loss of vendors or customers who decline to do further business with you,
- Reduction in market value of the company,
- Significant increases in expenses to hire experts, mitigate the damage and rebuild systems,
- Increased monitoring costs on behalf of both the company and individuals impacted, ie. credit bureau reporting or inappropriate use of lost data,
- Increases in legal costs to manage the event,
- Demands for ransom from cyber attackers,
- Loss of cyber insurance, or renewed policies that become cost prohibitive,
- Potential third party liability for damages caused by the cyber event.
Other implications may include:
- Permanent loss of data or information,
- Public disclosure of sensitive information such as trade secrets or proprietary data,
- Loss of business reputation or brand diminishment in the market place,
- Difficulty to meeting external filing or reporting requirements,
- Inability for the business to recover or to return to its previous activity level,
- Inability to sell the company,
- Increased scrutiny by regulators or privacy commissioners,
- Increased attempts to attack your systems.
Investing in the security of your systems and data, including mobile devices and remote access, is a proactive way to reduce the risk of a cyber event. This investment should be managed on a continuous basis to ensure that processes and systems continue to be up to date, use current technologies and reflect best practices.
Where appropriate, engage IT experts to design your IT environment. Companies use many different types of software and tools that are both purchased and internally developed. IT experts can ensure that your products appropriately link together and reduce the risk that there are gaps in your security. It may also be prudent to engage IT experts to review your system on a regular basis to ensure any technology or best practice changes have been properly implemented. Independent IT experts may be used to test the robustness of your system by simulating an attack which provides information about where your system may be vulnerable.
While focusing on the physical, digital and technical aspects of your information technology systems is very important, an equally critical component of cyber security are the users of the system. Those who look to do harm to your company will attempt to attack both the digital security you have in place as well as the care and attention that your users place on their day to day activities. Many common cyber attacks involve gaining the confidence of users who may unwittingly create an opportunity to get access to your system. As a result, the skill level of your users, as well as their awareness of potential risks, has a significant impact on the safety of your system. Training employees about common attacks, types of risks as well as indications of fraudulent emails or phone calls can increase the number of people who are vigilant about security and reduce the risk of an inadvertent security breach. Many companies use continuous training to ensure this information is top of mind for everyone and quickly integrates new employees.
From a governance perspective, technology and cyber risks continue to grow in prominence and many companies now assign the management of this area to a manager or executive role, and in some cases, have created a new position solely focused on this area. If cybersecurity and the potential implications noted above are a significant aspect of your business, consider whether cybersecurity has been adequately integrated into your key business activities, such as strategy, budgeting, marketing and risk management.
