Are legal firms risking confidential information?

When it comes to information security, the weakest point in any organisation is usually its employees. And given legal sector employees arguably have access to a broader array of sensitive information than those in any other industry, it’s a real cause for concern in the sector. That is why this industry has some of the most stringent regulations with regards to user security.

However, research among 500 US and UK legal sector employees reveals many legal organisations still have huge gaps in their security protocols. Holes in everything from the on-boarding process and training new employees to basic network access restrictions have revealed themselves in our recent report, ‘Legal and Law Enforcement: Information Access Compliance’.

Failing to provide information security training when on-boarding new employees

The ethical standards designed to protect attorney-client privileged communications and other legally privileged information such as patents, copyright and trade secrets are well known in law. However, it was surprising to see that almost a third (31 per cent) of professionals in legal practices were not given information security training during on-boarding.

Some of the high-profile attacks on organisations in 2014 and 2015, such as those at Sony Entertainment and JP Morgan, occurred as a result of compromised employee credentials, urging companies to place even more importance on security training. Section 3 of the Law Society’s ‘Lexcel England and Wales v6 Standard for legal practices’ specifically states that practices must conduct 'training for personnel on information security'.

The research shows that far too many law industry organisations are putting data at risk by ignoring training at various stages of employment — and are therefore non-compliant. 69 per cent of employees in the UK law sector did not receive IT security training when they first joined their organisation. In addition, more than half (55 per cent) say that their organisation does not provide any security training whatsoever.

Another area that was found to be lacking was pre-employment. Without background checks on candidates, you don’t have the full picture of who you are inviting into your organisation, but only 43 per cent of legal sector employees said that they were aware that their organisation runs background checks.

Lacking security awareness and training

Despite the relatively granular detail and clear guidance on what organisations must do to achieve compliance offered in standards like Lexcel, almost a third (29 per cent) are not aware that their legal organisation has a documented security policy at all.

The lack of awareness among employees on policies extends to procedures in the event of a breach. More than half do not know who to report a breach to — lengthening the crucial time period in which an IT administrator can find and mitigate any damage. A low 29 per cent of employees are aware of the penalties the organisation would impose for data theft or leakages.

Little to no control over network access

There is only so much that can be addressed by raising security awareness and training, as even educated employees make mistakes. This is why it makes sense to turn to technology to assist in implementing access restrictions to sensitive data on the network. However, only 62 per cent of practices enforce basic security measures like secure passwords, and 57 per cent do not clearly define roles and responsibilities with regards to IT security.

In fact, 34 per cent do not have a unique user login, essential for implementing security restrictions on a ‘need to know’ user by user basis, and a requirement of all user security compliance regulations. Worse still, 24 per cent are not required to login to their employers’ network at all, suggesting access is fully open and not being tracked. To add to this, it seems that 19 per cent of employees in the legal sector are sharing their logins with the approval of their employers, making the organisations complicit in flouting basic user security.

Simple access procedures that are commonly overlooked

If you consider security to be ‘multidimensional’, you want to be able to minimise risk in as many of those dimensions as possible. Here are some of the standard information access procedures that can help and you will note that they are standard processes that are fairly easy to implement.

Unique logins

Not only does unique user identification allow you to restrict network and data access on a ‘need to know’ basis, it is also essential in tracking and monitoring. However, 34 per cent of legal employees do not have a unique user login for their employer’s network. If a breach does occur, you cannot detect how it occurred without being able to identify individuals and their network access activity.

Automatic log off

Where users have a unique login, there is still significant openness to the risks of human fallibility. A particular area of concern is how these logins are used – if a user is never required or forced to log off, the benefits of having a login profile at all are minimal. Halting network access after a set period of inactivity to reduce the risk of individuals getting access where they shouldn’t. Despite this being a relatively simple procedure to put in place, 44 per cent are required to manually log off the network – the likely reality being that many do not.

Location and time restrictions

By restricting user access to times users actually need access (standard business hours, for example) and the departments, offices or workstations required, you are further reducing what is termed ‘vulnerable surface area’ for attack. This sensible approach is not all too common with 28 per cent restricting access by location and just 18 per cent restricting according to time.

Concurrent logins

One of the reasons that unique logins are such a strict requirement is the need to be able to attribute actions to individuals, and the ability to do this is a requirement of Lexcel and the DPA. But if users are allowed to login to more than one machine at a time, then ability to attribute actions is significantly decreased. Only 28 per cent are prevented from using their credentials to login to more than one machine at once.

Find out where you stand on compliance

The one area that is most often not secure is a complex area to address – human nature. The fact is that most risk stems not from technology, but from user error. All it takes is an absent-minded employee sharing a password or deciding to use the intel to which they shouldn’t have access to do something illegal.

Technology is necessary to fill the gaps that it can, as even with a well educated and alert workforce we know that it is still human nature to let our guards drop. However, to really know where your organisation is lacking in compliance, you need to know what that compliance is.

François Amigorena, CEO of IS Decisions