Privacy and cybersecurity
An Untested Cybersecurity Plan Is Only Good on Paper
All your data has been encrypted. Your systems are paralyzed. A message demands that you pay a significant amount within a certain timeframe to obtain the decryption key.
You immediately reassure yourself:
- You are compliant with the Act respecting the protection of personal information in the private sector.
- You have a cyber insurance policy.
Everything is under control, right?
Not so fast.
Section 10 of the Act respecting the protection of personal information in the private sector is clear: every business must take the security measures necessary to ensure the protection of the personal information it holds. These measures must take into account the sensitivity of the information concerned, its quantity, the purpose for which it is collected and even the medium on which it is stored. However, being compliant does not necessarily mean being prepared.
Compliance with the law is a starting point for governance, not a destination. Too often, policies and procedures remain static legal documents neatly filed away, rarely tested and even less integrated into the organization’s reflexes. Cybersecurity is not solely based on technology or insurance clauses: it requires a coherent combination of people, processes and technologies.
It is now 10:20 a.m. The ransom message is still there. The countdown has begun. And while you’re trying to figure out what’s going on, the attackers know exactly what they’re doing.
You want to activate your incident response plan. But do you know how to do it? Is it accessible? Is it up to date? Do you know who to call? And most importantly, are these people available on a long weekend Sunday morning?
It is often at this point that you realize that roles and responsibilities have not been clearly defined. That key persons have not been trained. That absences, departures and replacements were not anticipated. And that the procedures in place have never been tested in a real-life context.
You are trying to reach your team, but your systems are inaccessible. Your messaging service is compromised. Your usual channels no longer work, and anything you do send over them may be read by the attackers, who often still have access to mailboxes and chat while the ransom note is on the screen. Have you planned an alternative means of communication? A secure, out-of-band channel (personal phones, a pre-agreed conference bridge, a messaging service hosted outside your own infrastructure) that does not rely on the systems that have just been compromised? And if so, have you tested it?
An incident response plan is essential, but it is not sufficient on its own. It must be complemented by a business continuity plan designed to ensure that operations can continue, at least partially, even without access to critical systems. This requires first identifying those essential systems, then understanding how to operate in degraded (fail-soft) mode, having backup tools and manual processes ready, and having teams prepared to respond in case of overload or disorganization.
And while you try to stay on track, you already have to think about the next step: recovery. Do you have valid backups? Are they recent? Are they usable, and are they kept offline or otherwise out of reach of an attacker who controls your network? How long will it take you to restore your systems (your recovery time objective)? And most importantly, how much data are you willing to lose (your recovery point objective)? Have you defined these tolerance levels, and have you ever measured an actual restore against them?
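The questions above can be turned into a routine check. The following is an added example, not part of the original article and not the firm's tooling: it compares a backup inventory against a recovery point objective (maximum acceptable data loss, in hours) and a recovery time objective (maximum acceptable restore time, in hours) and reports every backup that would fail either objective, was never restore-tested, or sits online where ransomware that reaches production could encrypt it too. The inventory, the objectives (24 h RPO, 8 h RTO) and the clock time are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple


@dataclass
class Backup:
    """One backup set for one system, as it would appear in a backup inventory."""
    system: str
    taken_at: datetime                  # time the newest copy was written
    offline_or_immutable: bool          # unreachable or write-protected from production
    last_restore_test: Optional[datetime]
    restore_minutes: Optional[int]      # measured duration of the last full restore test


def assess_backups(backups: List[Backup], rpo_hours: float, rto_hours: float,
                   now: datetime) -> List[Tuple[str, str]]:
    """Return (system, finding) pairs for every way a backup would fail the
    recovery objectives if an incident started at `now`. An empty list means
    every system can be recovered within the stated RPO and RTO."""
    findings: List[Tuple[str, str]] = []
    for b in backups:
        age_hours = (now - b.taken_at).total_seconds() / 3600
        if age_hours > rpo_hours:
            findings.append((b.system,
                f"RPO breached: newest copy is {age_hours:.1f} h old, objective is {rpo_hours} h"))
        if not b.offline_or_immutable:
            findings.append((b.system,
                "copy is online and writable: ransomware reaching production can encrypt it too"))
        if b.last_restore_test is None:
            findings.append((b.system, "restore never tested: the copy may be unusable"))
        else:
            if now - b.last_restore_test > timedelta(days=365):
                findings.append((b.system, "last restore test is more than a year old"))
            if b.restore_minutes is not None and b.restore_minutes > rto_hours * 60:
                findings.append((b.system,
                    f"RTO breached: last restore took {b.restore_minutes} min, "
                    f"objective is {int(rto_hours * 60)} min"))
    return findings


# Constructed scenario: the 10:20 a.m. moment from the article, on a Sunday.
NOW = datetime(2024, 5, 19, 10, 20, tzinfo=timezone.utc)
RPO_HOURS = 24   # hypothetical objective: lose at most one day of data
RTO_HOURS = 8    # hypothetical objective: systems back within one working day

# Constructed inventory (not real systems).
INVENTORY = [
    # Healthy: fresh, offline, restore tested recently and within the RTO.
    Backup("erp-db", NOW - timedelta(hours=6), True,
           NOW - timedelta(days=30), restore_minutes=240),
    # Stale, reachable from production, and never restored from.
    Backup("file-server", NOW - timedelta(days=3), False, None, None),
    # Fresh and offline, but the only restore test is old and was too slow.
    Backup("mail", NOW - timedelta(hours=2), True,
           NOW - timedelta(days=400), restore_minutes=600),
]


def run_example() -> List[Tuple[str, str]]:
    """Assess the constructed inventory against the constructed objectives."""
    return assess_backups(INVENTORY, RPO_HOURS, RTO_HOURS, NOW)


if __name__ == "__main__":
    for system, finding in run_example():
        print(f"{system}: {finding}")
```

The useful property is that a clean result requires evidence of an actual restore, not just the existence of a copy: a backup that has never been restored and timed is reported as a finding regardless of its age.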
It is now 11 a.m. An hour has passed, and you still haven't taken any action. Not out of negligence, but because you weren't ready. Having a plan is a good start, but it is not enough. It must be tested, practised and communicated at least once a year, because malicious groups are always ready.
The NIST Cybersecurity Framework, a widely adopted framework published by the U.S. National Institute of Standards and Technology, recommends not only having an incident response plan, but also regularly testing it, training teams and providing alternative communication channels in the event of a compromise. Our privacy and cybersecurity team assists organizations in implementing incident response, business continuity and cybersecurity governance plans.
Whether it is assessing your preparedness, training your teams or turning your legal obligations into concrete actions, we are here to help you move from compliance to resilience.
And if, unfortunately, an incident does occur, we are by your side to coordinate the response, manage the crisis and limit its impact. This includes stakeholder engagement, event documentation, prompt notification to relevant authorities and, when required, transparent information to the persons concerned.
Let’s talk about it before the countdown begins.

