The most widely read magazine for Canadian lawyers
Issue link: https://digital.canadianlawyermag.com/i/1544922
www.canadianlawyermag.com 29 According to cybersecurity and legal tech experts, most law firms are ill-equipped to address modern cybersecurity risks, writes Jessica Mach Law firms' biggest cybersecurity missteps ASKED TO identify some of the most pressing cybersecurity issues law firms are facing today, three cybersecurity and legal tech experts were quick to flag, for Canadian Lawyer, the ongoing frequency of incidents involving ransomware and business email compromise, or the growing sophistication of deepfakes and other risks that have emerged with new artificial intel- ligence tools. At the heart of their concerns, however, were not the actions of threat actors – the individuals or entities that deploy ransom- ware or create fake content to deceive law firms. Rather, it was how law firms them- selves are dealing with these issues, and how, in many cases, they're falling short. Borden Ladner Gervais LLP partner Eric Charleston, cybersecurity consultant Mazdak Araghrez, and Spellbook co-founder and CEO Scott Stevenson share the most common mistakes they believe law firms are making in protecting themselves and their clients from digital threats. Sequestering cybersecurity in the IT department As a cyber incident and data breach lawyer, Charleston has helped law firms across Canada respond to dozens of cybersecu- rity breaches. Law firms are prime targets LEGAL REPORT TECHNOLOGY for breaches for two reasons: they store sensitive information and they handle a lot of money. Charleston believes that law firms' vulner- abilities to cyber attacks often stem from the same issue: the way their governance models are structured. "Cybersecurity is still treated by a lot of firms as an IT issue rather than a firm-wide risk management priority," says Charleston. "It's sort of delegated and then not overseen. And that problem results in control gaps that should be addressed." Araghrez, who has served as a consul- tant to law firms in Europe and Canada, including Dentons, echoes Charleston's sentiment. "Everybody thinks cybersecurity is IT's problem," he says. "We need to shift that mindset away from just looking at IT being responsible … toward everybody being responsible." In Charleston's experience, few law firm leaders understand how their IT depart- ments assess cybersecurity risks or the steps they're taking to mitigate them. This makes it challenging for them to evaluate whether IT is providing adequate protection. For example, when IT teams present new cyber- security measures like security upgrades or training to leaders who are tasked with approving those measures, those leaders typically make assessments "from a procure- ment perspective," Charleston says. "How much do they cost? What impediment to work will they make?" However, understanding industry trends in security, the consequences of eschewing cyber- security measures, and how those measures technically work is critical for leaders to ensure their firms have the right level of protection, Charleston says. In cases where leaders are up to speed, they "tend to opt for more security" than those who aren't, he observes. "Cybersecurity is still treated by a lot of firms as an IT issue rather than a firm-wide risk management priority" Eric Charleston, Borden Ladner Gervais LLP