Canadian Lawyer

May 2026

The most widely read magazine for Canadian lawyers

Issue link: https://digital.canadianlawyermag.com/i/1544922


LEGAL REPORT TECHNOLOGY

Araghrez, meanwhile, argues that literacy in cybersecurity risks needs to extend beyond IT departments and management to entire law firms. While firms typically require lawyers and staff to take cybersecurity training via programs and videos, "none of us really watch those videos," he says. "People put the training video on mute and let it play."

In his view, a more effective strategy for ensuring that lawyers and staff understand day-to-day cybersecurity risks is to use incentives. Araghrez says firms can build cybersecurity learning and development into bonus structures, for example, or provide incentives for identifying phishing emails that the IT department sends out every quarter to test lawyers and staff.

Insufficient protection of client data

Another issue that Charleston says he's observed is law firms failing to protect client data that's shared with third-party vendors and tools. In his experience, this issue is more common at small and mid-sized firms, which often neglect to properly evaluate third-party service providers before agreeing to work with them.

"It works like this," Charleston says. "You must have a due diligence program in place where you assess their security before you hire them or sign a contract with them. You then must lock those controls and obligations into the agreement. You must make the vendor promise to be secure in certain ways and to train in certain ways and to notify you of cyber incidents or confidentiality incidents in certain ways. And that's all got to be in the contract."

"It's much harder to secure your own infrastructure with your own talent versus relying heavily on … Google or … [Amazon Web Services]"
Scott Stevenson, Spellbook

Even when firms follow all these steps, many fall short of taking one last, crucial measure: auditing service providers. "You have to say, 'You promised this to us, prove that you are actually doing it,'" Charleston says. "That can happen on an annual basis if you're revisiting procurement on an annual basis with these vendors, but it should occur on some sort of a regular cadence."

Such due diligence has become increasingly important as more businesses share data with third-party vendors as part of their operations. Many law firms use external cloud platforms, for example, to which they share information on an ongoing basis or share information in relation to discrete mandates.

Because such sharing has become more common, "we are seeing … a high percentage of incidents occurring where our clients are not being directly attacked, or they are not having their systems subject to unauthorized access, but rather they are getting notifications from a vendor that they share information with that the vendor has been hit," Charleston says.

Charleston notes that, in such scenarios, the law firm, not the third party, remains accountable for the data. "I am accountable to the client that I took the information from," he says.

Stevenson, who says Spellbook's clients include, but are not limited to, large, small, and mid-sized firms and in-house teams, flags another way firms might be compromising the security of client data. "There's a surprising number of law firms that still believe that running on-premise servers and maintaining software even in
