They say most Canadian firms are ill-equipped to address modern risks
Asked to identify some of the most pressing cybersecurity issues law firms are facing today, three cybersecurity and legal tech experts were quick to flag, for Canadian Lawyer, the ongoing frequency of incidents involving ransomware and business email compromise, or the growing sophistication of deepfakes and other risks that have emerged with new artificial intelligence tools.
At the heart of their concerns, however, were not the actions of threat actors – the individuals or entities that deploy ransomware or create fake content to deceive law firms. Rather, it was how law firms themselves are dealing with these issues, and how, in many cases, they’re falling short.
Borden Ladner Gervais LLP partner Eric Charleston, cybersecurity consultant Mazdak Araghrez, and Spellbook co-founder and CEO Scott Stevenson share the most common mistakes they believe law firms are making in protecting themselves and their clients from digital threats.
Eric Charleston
Sequestering cybersecurity in the IT department
As a cyber incident and data breach lawyer, Charleston has helped law firms across Canada respond to dozens of cybersecurity breaches. Law firms are prime targets for breaches for two reasons: they store sensitive information and they handle a lot of money.
Charleston believes that law firms’ vulnerabilities to cyber attacks often stem from the same issue: the way their governance models are structured.
“Cybersecurity is still treated by a lot of firms as an IT issue rather than a firm-wide risk management priority,” says Charleston. “It’s sort of delegated and then not overseen. And that problem results in control gaps that should be addressed.”
Araghrez, who has served as a consultant to law firms in Europe and Canada, including Dentons, echoes Charleston’s sentiment.
“Everybody thinks cybersecurity is IT’s problem,” he says. “We need to shift that mindset away from just looking at IT being responsible … toward everybody being responsible.”
In Charleston’s experience, few law firm leaders understand how their IT departments assess cybersecurity risks or the steps they’re taking to mitigate them. This makes it challenging for them to evaluate whether IT is providing adequate protection. For example, when IT teams present new cybersecurity measures like security upgrades or training to leaders who are tasked with approving those measures, those leaders typically make assessments “from a procurement perspective,” Charleston says. “How much do they cost? What impediment to work will they make?”
However, understanding industry trends in security, the consequences of eschewing cybersecurity measures, and how those measures technically work is critical for leaders to ensure their firms have the right level of protection, Charleston says. In cases where leaders are up to speed, they “tend to opt for more security” than those who aren’t, he observes.
Araghrez, meanwhile, argues that literacy in cybersecurity risks needs to extend beyond IT departments and management to entire law firms. While firms typically require lawyers and staff to take cybersecurity training via programs and videos, “none of us really watch those videos,” he says. “People put the training video on mute and let it play.”
In his view, a more effective strategy for ensuring that lawyers and staff understand day-to-day cybersecurity risks is to use incentives. Araghrez says firms can build cybersecurity learning and development into bonus structures, for example, or provide incentives for identifying phishing emails that the IT department sends out every quarter to test lawyers and staff.
Insufficient protection of client data
Another issue that Charleston says he’s observed is law firms failing to protect client data that’s shared with third-party vendors and tools. In his experience, this issue is more common at small and mid-sized firms, which often neglect to properly evaluate third-party service providers before agreeing to work with them.
“It works like this,” Charleston says. “You must have a due diligence program in place where you assess their security before you hire them or sign a contract with them. You then must lock those controls and obligations into the agreement. You must make the vendor promise to be secure in certain ways and to train in certain ways and to notify you of cyber incidents or confidentiality incidents in certain ways. And that’s all got to be in the contract.”
Even when firms follow all these steps, many fall short of taking one last, crucial measure: auditing service providers.
“You have to say, ‘You promised this to us, prove that you are actually doing it,’” Charleston says. “That can happen on an annual basis if you’re revisiting procurement on an annual basis with these vendors, but it should occur on some sort of a regular cadence.”
Mazdak Araghrez
Such due diligence has become increasingly important as more businesses share data with third-party vendors as part of their operations. Many law firms use external cloud platforms, for example, with which they share information on an ongoing basis or for discrete mandates. Because such sharing has become more common, “we are seeing … a high percentage of incidents occurring where our clients are not being directly attacked, or they are not having their systems subject to unauthorized access, but rather they are getting notifications from a vendor that they share information with that the vendor has been hit,” Charleston says.
Charleston notes that, in such scenarios, the law firm, not the third party, remains accountable for the data. “I am accountable to the client that I took the information from,” he says.
Stevenson, who says Spellbook’s clients range from large firms to small and mid-sized firms and in-house teams, flags another way firms might be compromising the security of client data.
“There’s a surprising number of law firms that still believe that running on-premise servers and maintaining software even in their own cloud is going to be a more secure way to protect their client data,” Stevenson says. “I think it’s a terrible idea.”
He explains his argument in non-technical terms: imagine living in a condo building and arguing that everyone is more secure if each resident manages their own security rather than having a single security system for the entire building.
“Securing any application is very difficult. There’s millions and millions of lines of code, many interaction points. The amount of effort it takes to monitor and do penetration testing and to secure a lot of applications generally is enormous,” Stevenson says. Smaller IT teams lack the capacity and resources to “deeply monitor and secure applications and also just … stay on top of constant patching,” he says.
“It’s much harder to secure your own infrastructure with your own talent versus relying heavily on the talent of Google or the talent of [Amazon Web Services],” he adds. “In the case of Spellbook … we have a dedicated team of engineers that is securing and monitoring that platform 24-7, every hour of the day.”
Stevenson also notes that larger service providers often have more robust security measures because their clients demand it. Large financial institutions won’t take on third-party service providers unless they meet rigorous security requirements; companies with European Union customers or clients must work with vendors that meet General Data Protection Regulation standards; US healthcare providers must use services that comply with the Health Insurance Portability and Accountability Act.
If a sole practitioner in Canada uses Spellbook, for example, they will benefit from the same security measures “as a massive hospital network in the US … handling patient data,” Stevenson says.
Scott Stevenson
Lack of collaboration between firms
In Araghrez’s experience, one fact that many law firms tend to overlook is how their own cybersecurity is only as good as that of the firms they work with. “We are interconnected,” he says. “Dentons will always work with opposing counsel. The opposing counsel may be from a small or a medium-sized firm.
“If the weakest link in that chain is a smaller law firm which hasn’t got the right cybersecurity protections in place, it opens up the threat profile to everybody in that chain.”
To address this issue, Araghrez recently co-launched The Sentinel Project, an initiative to build a free, open cybersecurity framework for the legal sector.
“Effectively, what we’re trying to say is, let’s all come together as law firms, as associations, as thought leaders in this space, and develop a platform that is open source, that is free, built by law firms, for law firms, globally,” Araghrez says. “That platform effectively is going to help all organizations of all sizes protect themselves.”
Araghrez describes the project as a library that will give firms of all sizes access to guidance on improving their cybersecurity. For example, a small firm that wants to obtain certification under a cybersecurity compliance standard like SOC 2 within, say, six months can plug those parameters into the Sentinel platform and access training.
“The only way that the legal profession can protect itself is by coming together and being on the same team rather than playing against each other,” he says. “Because no, there’s not going to be a single winner when it comes to cybersecurity. We all are interconnected; we work with the same vendors, we work on the same matters, and if one of us gets breached, then that exposes all of us to that.”