Canadian law firms are painfully unprepared for cyberattacks, AI is only making it worse

Experts discuss how bad actors are evolving and what law firms can do to stay safe


Canadian law firms are already ill-prepared for cyberattacks, and the wider use of artificial intelligence will only make the situation more challenging.

Software company Cisco recently published a report showing that AI adoption in Canadian businesses is quickly outpacing their security protocols. The report revealed that while 80 percent of organizations have experienced an AI-related cyber incident in the past year, only three percent are fully prepared to defend against these threats.

Furthermore, more than half of organizations are struggling to fill cybersecurity roles – an increase from around one-third last year.

Vulnerability of law firms

While the report didn’t focus on the legal industry, experts agree that law firms are especially vulnerable due to their appeal to threat actors and security practices that leave much to be desired.

Matt Saunders, a cybersecurity lawyer at Borden Ladner Gervais LLP’s Montreal office, describes law firms as the “bright and shiny object” cyberattackers seek and a “treasure trove of very interesting, sensitive and important information.”

Saunders explains that law firms have valuable resources and reputations to protect, making them attractive targets.

He points out that firms are not only targeted for ransomware payments but also for corporate espionage. In high-stakes deals, one party may hack a law firm to gain an edge; similar tactics are used in litigation and arbitration to access sensitive information.

Saunders warns that AI amplifies cyber risks in several ways – mainly through deepfakes, more convincing spear phishing attacks, and more sophisticated ransomware tools.

Emails may now come with video or voice attachments that convincingly mimic senior leaders, making it harder for staff and lawyers to detect fraud.

AI not the only threat

While AI brings many new challenges, it’s not the only threat to Canadian law firms’ cybersecurity readiness.

John Anthony Smith, founder of cybersecurity services company Conversant Group, says most law firms – and even many security leaders – still wrongly believe they can entirely prevent cyber breaches.

He says cybersecurity has two pillars: prevention and recovery capabilities. The problem is that firms invest heavily in preventing breaches while largely ignoring recovery. This is dangerous, he explains, because threat actors often aim not just to breach systems but to destroy the firm’s ability to restore its data, which can be fatal to the business regardless of any reputational damage.

“E-discovery data is the single most targeted data set in a law firm... and, in most law firms, that is the single least guarded subset of data,” he says.

Smith says firm size doesn’t matter and that large firms, boutiques, and mid-sized practices are all equally unprepared.

While larger firms may have more resources and good intentions, they often suffer from overconfidence.

His company conducts breach analysis, and he says he has learned that organizations often knowingly fail to back up all critical data and lack a single survivable copy of their backups.

Smith says this widespread gap in recovery planning is one of the biggest and most overlooked threats facing law firms today.

“Most law firms and most security leaders, still to this moment, believe they can actually prevent all forms of breach,” he adds.

Saunders says that law firms often make the mistake of thinking they won’t fall victim to a cyberattack – either because their firm isn’t big enough or interesting enough to threat actors or because they fail to take threats seriously until it’s too late.

He adds that poor data management practices make everything worse if a breach occurs.

He adds that law firms often deal with complex data across multiple locations and jurisdictions, which makes it essential to know where data is stored and who can access it.

With proper data mapping, planning, and backups (either off-site or in the cloud), firms can recover faster and resume operations more quickly after a disruption. Without that preparation, Saunders says, recovery becomes far more complex.

What happens when a breach occurs

Dealing with ransomware groups is inherently risky, as outcomes can vary depending on how the attack was carried out and which threat actors are involved. Even if a victim pays a ransom for a decryption key or a promise of data deletion, Saunders says there’s no guarantee the attackers will follow through.

While most groups operate on an "honour among thieves" model to maintain credibility with future victims, others may break their promises. He adds that they sometimes deliver corrupted data, fail to return stolen information, or even sell access to other criminals.

“The entire process is unpredictable,” he adds.

Smith says that recovery is often incomplete even when ransoms are paid and decryptors are provided. Firms can lose access to databases because attackers don’t stop database services before encrypting their files; a database that is encrypted while it is still being written to comes back corrupted, and that data may be permanently lost.

He says threat actor behaviour is evolving, with a growing trend toward outright data destruction. In the past, attackers primarily encrypted data to extort ransom payments; now, he explains, many are quicker to delete data, especially if they suspect the victim won’t pay.

Smith compares it to a hostage scenario in a movie: attackers increasingly “prove” their control by erasing large amounts of data as a pressure tactic.

“They are sending data pinkies in a box, like they would in a movie when criminals abduct a person.”

This shift makes breaches even more devastating. He says that if attackers delete both the backups and the encrypted data, recovery becomes impossible.

Best cybersecurity practices for law firms

Saunders says cybersecurity measures shouldn't exist in isolation – they must be part of a larger business strategy.

While having a cybersecurity or incident response plan is essential, it should integrate with broader crisis management efforts. This planning, he says, ensures firms are ready to make difficult decisions, such as whether to pay a ransom, within a structured framework.

However, he stresses that a plan is only effective if implemented and tested.

Instead of a rarely read document sitting on a shelf, firms need a “living, operational tool” that employees understand and can use. He recommends conducting regular tabletop exercises – simulated crisis scenarios involving staff from all levels – to ensure everyone is familiar with the response process before a real incident occurs.

He also points to basic measures like multifactor authentication, strong password policies, regular updates, and employee training as essential, low-cost tools that form the foundation of effective cybersecurity.

Smith says the first and most crucial step for law firms is to face the reality of their cyber vulnerabilities. Drawing on an old saying that “people make decisions either from pain or vision,” he says that most law firms, unfortunately, only act when confronted with pain.

He adds that generic penetration tests often don’t show the readiness of law firms’ cybersecurity systems, as they lack context.

He argues that the most effective assessments are those rooted in a real breach context, measuring firms against how actual threat actors operate – how they gain access, move laterally, exfiltrate, and destroy data.

Saunders says that firms must fully understand their data – how it’s mapped, stored, protected, and backed up – as this step supports prevention and response planning.

He adds they should assess their internal cybersecurity posture, including policies, procedures, and IT resilience.

Finally, he emphasizes the value of cyber insurance coverage, which can provide access to vital resources during an incident, such as breach coaches, legal advisors, forensic investigators, crisis communication experts, and cyber extortion negotiators.

With the right coverage, he says, “firms can make a single call and quickly mobilize a comprehensive response team in the event of a cyberattack.”

Everybody should be on the lookout

AI experts who have spoken to Canadian Lawyer in the past repeatedly point to rainmakers – senior lawyers who bring in significant revenue and often operate with greater autonomy – as a major cybersecurity risk, as they sometimes ignore the advice of their tech-savvy, often younger, colleagues.

Saunders says that even the most successful lawyers – whether independent rainmakers or well-integrated team members – are not immune to cyber risk, and their achievements mean little if a ransomware attack shuts down systems, leaks client data, and triggers legal and regulatory fallout.

To drive this home, he says firms must ensure everyone, from senior partners to summer students, understands the risks and is trained to respond.

“They all have to do it, just like they would do for a fire drill,” he says.

Smith says there is some reason for optimism. His company typically gets involved with law firms in one of two ways: during a breach – when the firm is in full crisis mode – or, more often now, through a proactive assessment.

Encouragingly, he says that most of their law firm clients are coming to them before an incident occurs, seeking forward-looking evaluations to identify vulnerabilities before attackers do.

“Cyberattacks are one of those situations where an ounce of prevention is worth a pound of cure,” Saunders says.