
Law Firms' Cybersecurity Gaps Trace to Siloed IT Ownership, Experts Say

Canadian experts warn that siloing cybersecurity in IT leaves law firms exposed to ransomware, BEC and AI threats, urging firm-wide risk management.

Peter Olaleru, Cybersecurity Editor (3 min read, NG)

[Image: Midsize and Smaller Law Firms Are Facing More Data Breach Threats]

Source: Law (original source)

TL;DR: Law firms often treat cybersecurity as an IT-only issue, leaving gaps that attackers exploit. Experts urge a firm-wide risk approach and shared responsibility.

Context

Canadian law firms face rising ransomware, business-email compromise, and AI-driven deepfake threats. Despite the growing danger, many firms still delegate security to IT departments without firm-wide oversight. This siloed model creates control gaps that threat actors can leverage.

Key Facts

Eric Charleston, a breach lawyer at Borden Ladner Gervais LLP, says cybersecurity is still treated by many firms as an IT issue rather than a firm-wide risk management priority. Mazdak Araghrez, a cybersecurity consultant, adds that everyone views cybersecurity as IT's problem and argues the mindset must shift so that everybody is responsible. Scott Stevenson, co-founder of Spellbook, warns that many law firms mistakenly believe on-premise servers are more secure for client data, calling it a terrible idea.

What It Means

When security lives only in IT, lawyers and staff rarely see it as part of their daily duties, leading to low engagement with training and poor vendor vetting. Leaders who approve security tools often judge them on cost and convenience rather than risk reduction. Consequently, firms miss chances to enforce contractual security clauses, audit third-party providers, or adopt modern controls like multifactor authentication and network segmentation.

What Defenders Should Do

- Elevate cybersecurity to a firm-wide risk committee that includes partners, finance, and practice leaders.
- Require mandatory, interactive security training with measurable outcomes, such as simulated phishing tests tied to performance incentives.
- Implement a vendor due diligence process that includes pre-contract security assessments, contractual security clauses, and annual audits.
- Deploy technical controls aligned with MITRE ATT&CK mitigations: enforce MFA (countering T1078), disable macros (mitigating T1204.002), and segment networks to limit lateral movement (addressing T1021).
- Adopt a zero-trust architecture for remote access and cloud services, verifying every request regardless of location.
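One of the technical controls in the list above, disabling Office macros (the T1204.002 mitigation), as an added PowerShell example that is not part of the article or of any firm's own tooling. It assumes Microsoft 365 / Office 2016 or later (policy path version 16.0) and that the values are ultimately pushed firm-wide through Group Policy; the script is a per-user apply-and-verify pass an administrator can use to confirm the policy landed.

```powershell
# Added example (not from the article): apply and verify the Office macro
# policy that the list pairs with ATT&CK T1204.002 (malicious file execution).
# Assumption: Office 2016+/Microsoft 365, whose policy keys live under 16.0.
# In a real rollout these values are delivered by Group Policy, not per machine.
$apps = @('Word', 'Excel', 'PowerPoint')
$officeVersion = '16.0'

foreach ($app in $apps) {
    $key = "HKCU:\Software\Policies\Microsoft\Office\$officeVersion\$app\Security"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # VBAWarnings: 1 = enable all, 2 = disable with notification,
    # 3 = disable except digitally signed, 4 = disable all without notification.
    Set-ItemProperty -Path $key -Name 'VBAWarnings' -Type DWord -Value 4
    # Also block macros in files carrying the Mark-of-the-Web (downloaded or emailed),
    # which is where phishing-delivered documents arrive.
    Set-ItemProperty -Path $key -Name 'blockcontentexecutionfrominternet' -Type DWord -Value 1
}

# Verification pass: report any application that still allows macros so the
# risk committee sees compliance as a measurable outcome, not an IT assurance.
foreach ($app in $apps) {
    $key = "HKCU:\Software\Policies\Microsoft\Office\$officeVersion\$app\Security"
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $vba = $props.VBAWarnings
    $motw = $props.blockcontentexecutionfrominternet
    $status = if ($vba -eq 4 -and $motw -eq 1) { 'compliant' }
              else { "NON-COMPLIANT (VBAWarnings=$vba, blockcontentexecutionfrominternet=$motw)" }
    Write-Output "$app : $status"
}
```

The verification loop is the part worth keeping in a scheduled job: a policy that drifts silently is the kind of control gap the article attributes to siloed ownership, and a plain compliant/non-compliant line per application is something non-IT committee members can read.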

Watch for upcoming guidance from Canadian cybersecurity authorities that may set baseline expectations for law firms' risk management programs.
