The most widely read magazine for Canadian lawyers
Issue link: https://digital.canadianlawyermag.com/i/1544922
their own cloud is going to be a more secure way to protect their client data," Stevenson says. "I think it's a terrible idea."

He explains his argument in non-technical terms: imagine you're living in a condo building, and argue that everyone is more secure if they each manage their own security rather than having a single security system for the entire building.

"Securing any application is very difficult. There's millions and millions of lines of code, many interaction points. The amount of effort it takes to monitor and do penetration testing and to secure a lot of applications generally is enormous," Stevenson says.

Smaller IT teams lack the capacity and resources to "deeply monitor and secure applications and also just … stay on top of constant patching," he says.

"It's much harder to secure your own infrastructure with your own talent versus relying heavily on the talent of Google or the talent of [Amazon Web Services]," he adds. "In the case of Spellbook … we have a dedicated team of engineers that is securing and monitoring that platform 24-7, every hour of the day."

Stevenson also notes that larger service providers often have more robust security measures because their clients demand it. Large financial institutions won't take on third-party service providers unless they meet rigorous security requirements; companies with European Union customers or clients must work with vendors that meet General Data Protection Regulation standards; US healthcare providers must use services that comply with the Health Insurance Portability and Accountability Act. If a sole practitioner in Canada uses Spellbook, for example, they will benefit from the same security measures "as a massive hospital network in the US … handling patient data," Stevenson says.

Lack of collaboration between firms

In Araghrez's experience, one fact that many law firms tend to overlook is how their own cybersecurity is only as good as that of the firms they work with.

"We are interconnected," he says. "Dentons will always work with opposing counsel. The opposing counsel may be from a small or a medium-sized firm.

"If the weakest link in that chain is a smaller law firm which hasn't got the right cybersecurity protections in place, it opens up the threat profile to everybody in that chain."

To address this issue, Araghrez recently co-launched The Sentinel Project, an initiative to build a free, open cybersecurity framework for the legal sector.

"Effectively, what we're trying to say is, let's all come together as law firms, as associations, as thought leaders in this space, and develop a platform that is open source, that is free, built by law firms, for law firms, globally," Araghrez says. "That platform effectively is going to help all organizations of all sizes protect themselves."

Araghrez describes the project as a library that will give firms of all sizes access to guidance on improving their cybersecurity. For example, a small firm that wants to obtain certification under a cybersecurity compliance standard like SOC 2 within, say, six months can plug those parameters into the Sentinel platform and access training.

"The only way that the legal profession can protect itself is by coming together and being on the same team rather than playing against each other," he says. "Because no, there's not going to be a single winner when it comes to cybersecurity. We all are interconnected; we work with the same vendors, we work on the same matters, and if one of us gets breached, then that exposes all of us to that."

"The only way that the legal profession can protect itself is by coming together and being on the same team rather than playing against each other"
Mazdak Araghrez, cybersecurity consultant

