The weakest link in any organisation's security is normally its employees, and given that legal professionals have access to a broader array of sensitive information than most other sectors, it's easy to see why this industry has some of the most stringent regulations with regard to information security. In this article François Amigorena, CEO of IS Decisions, discusses some of the surprising findings from a recent report that examines compliance in the legal sector…
The Law Society's Lexcel is a set of practice management standards for solicitors and law firms that includes several specifications about data access, security training and monitoring. Meanwhile, all legal organisations in the UK are required to work within the Data Protection Act (DPA) to ensure information security is enforced. However, the recent report 'Legal and Law Enforcement: Information Access Compliance' by IS Decisions reveals many gaps in internal security at legal organisations, from on-boarding and training new employees to controlling network access.
Sensitive information such as case files, identity profiles and confidential statements can be compromised, potentially without anyone noticing, if there isn't a reliable access management procedure and system in place.
Let’s take a look at some of the key areas where firms are failing at compliance.
Failing to provide information security training when on-boarding new employees
The ethical standards designed to protect attorney-client privileged communications and other legally privileged information such as patents, copyright and trade secrets are well known in law. However, it was surprising to see that almost a third (31%) of professionals in legal practices were not given information security training during on-boarding.
Some of the high-profile attacks on organisations in 2014 and 2015, such as those on Sony Pictures Entertainment and JP Morgan, involved compromised employee credentials, prompting companies to place even more importance on security training. Indeed, section 3 of 'Lexcel England and Wales v6 Standard for legal practices' specifically states that practices must conduct "training for personnel on information security."
The research shows that far too many legal practices are putting data at risk by ignoring training at various stages of employment — and are therefore non-compliant. 69% of employees at legal practices in the UK did not receive IT security training when they first joined the company. In addition, more than half (55%) say that their organisation does not provide any security training whatsoever.
Another area found to be lacking was pre-employment screening. Without background checks on candidates you don't have the full picture of who you are inviting into your organisation, yet only 43% of legal sector employees said they were aware that their organisation runs background checks.
Lacking in security awareness and training
Despite the relatively granular detail and clear guidance on what organisations must do to achieve compliance offered in standards like Lexcel, almost a third (29%) are not aware that their practice has a documented security policy at all.
The lack of awareness among employees extends to procedures in the event of a breach. More than half do not know who to report a breach to, which lengthens the time before an IT administrator can find and contain the damage, when every hour counts. Only 29% of employees are aware of the penalties their organisation would impose for data theft or leakage.
Little to no control over network access
There is only so much that can be addressed by raising security awareness and training, as even educated employees make mistakes, which is why it makes sense to turn to technology to help enforce access restrictions on sensitive data across the network. However, only 62% of practices enforce basic security measures such as strong passwords, and 57% do not clearly define roles and responsibilities with regard to IT security.
In fact, 34% do not have a unique user login, which is essential for implementing security restrictions on a 'need to know' basis user by user, and a requirement common to user security compliance regimes. Worse still, 24% are not required to log in to their employer's network at all, suggesting access is fully open and not being tracked. To add to this, 19% in the legal sector share their logins with the approval of their employers, making the organisations complicit in flouting basic user security.
Simple access procedures that are commonly overlooked
If you consider security to be 'multidimensional', you want to minimise risk in as many of those dimensions as possible. Here are some standard information access procedures that help; you will note that they are standard processes that are fairly easy to implement.
Unique logins – Not only does unique user identification allow you to restrict network and data access on a 'need to know' basis, it is also essential for tracking and monitoring. However, 34% of legal employees do not have a unique user login for their employer's network. If a breach does occur, you cannot determine how it happened without being able to identify individuals and their network access activity.
Automatic logoff – Even where users have a unique login, there is still significant exposure to human fallibility. A particular area of concern is how these logins are used: if a user is never required or forced to log off, the benefit of having a login profile at all is minimal. Halting network access after a set period of inactivity reduces the risk of individuals gaining access where they shouldn't. Despite this being a relatively simple procedure to put in place, 44% are required to log off the network manually, and the likely reality is that many do not.
Location and time restrictions – By restricting user access to the times users actually need it (standard business hours, for example) and to the departments, offices or workstations required, you further reduce the attack surface. This sensible approach is not at all common, with only 28% restricting access by location and just 18% restricting it by time.
Concurrent logins – One of the reasons unique logins are such a strict requirement is the need to attribute actions to individuals, and the ability to do this is a requirement of Lexcel and the DPA. But if users are allowed to log in to more than one machine at a time, the ability to attribute actions is significantly weakened. Only 28% are prevented from using their credentials to log in to more than one machine at once.
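The four controls above are easiest to see as a single policy applied to a stream of logon, activity and logoff events. The following is an added example, not code from the article or from IS Decisions: a small Python policy checker that denies logons from accounts with no unique identity, outside permitted hours, from unapproved workstations, or when a session is already open, and that expires idle sessions automatically. The policy values, user names, workstation names and event records are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hypothetical policy values (assumptions for illustration, not Lexcel or DPA text).
ALLOWED_HOURS = (8, 19)                  # logons permitted 08:00-18:59 local time
ALLOWED_WORKSTATIONS = {                 # named accounts and where each may log on
    "jsmith": {"WS-LIT-01", "WS-LIT-02"},
    "akhan": {"WS-CONV-05"},
}
IDLE_TIMEOUT = timedelta(minutes=30)     # automatic logoff after this much inactivity
MAX_CONCURRENT_SESSIONS = 1              # one open session per user

# Constructed sample events: "timestamp user host kind".
SAMPLE_EVENTS = [
    "2015-10-05T08:55:00 jsmith WS-LIT-01 logon",
    "2015-10-05T09:10:00 jsmith WS-LIT-01 activity",
    "2015-10-05T09:20:00 jsmith WS-LIT-02 logon",      # second machine while first is open
    "2015-10-05T10:00:00 akhan WS-LIT-01 logon",       # workstation not approved for akhan
    "2015-10-05T10:05:00 jsmith WS-LIT-01 activity",   # first session went idle at 09:40
    "2015-10-05T10:30:00 reception WS-FD-01 logon",    # shared account, no unique identity
    "2015-10-05T11:00:00 jsmith WS-LIT-01 logon",      # compliant logon, no finding
    "2015-10-05T11:20:00 jsmith WS-LIT-01 logoff",
    "2015-10-05T21:30:00 akhan WS-CONV-05 logon",      # outside business hours
]


@dataclass(frozen=True)
class Finding:
    ts: datetime
    user: str
    host: str
    code: str


def parse_events(lines):
    """Parse the constructed records into (timestamp, user, host, kind), sorted by time."""
    events = []
    for line in lines:
        ts, user, host, kind = line.split()
        events.append((datetime.fromisoformat(ts), user, host, kind))
    return sorted(events)


def _expire_idle(sessions, now, findings):
    """Automatic logoff: close every session idle for longer than IDLE_TIMEOUT."""
    for (user, host), last_seen in list(sessions.items()):
        if now - last_seen > IDLE_TIMEOUT:
            # The session is treated as ended at the moment the timeout elapsed.
            findings.append(Finding(last_seen + IDLE_TIMEOUT, user, host, "auto_logoff"))
            del sessions[(user, host)]


def _logon_denial(user, host, ts, sessions):
    """Return the first policy reason a logon is denied, or None if it is allowed."""
    if user not in ALLOWED_WORKSTATIONS:
        return "unknown_account"          # shared or unprovisioned account: nothing to attribute
    if not ALLOWED_HOURS[0] <= ts.hour < ALLOWED_HOURS[1]:
        return "outside_hours"
    if host not in ALLOWED_WORKSTATIONS[user]:
        return "workstation_denied"
    open_sessions = sum(1 for (u, _h) in sessions if u == user)
    if open_sessions >= MAX_CONCURRENT_SESSIONS:
        return "concurrent_denied"
    return None


def evaluate(lines):
    """Replay the events against the policy and return the findings in time order."""
    sessions = {}    # (user, host) -> timestamp of last activity
    findings = []
    for ts, user, host, kind in parse_events(lines):
        _expire_idle(sessions, ts, findings)
        key = (user, host)
        if kind == "logon":
            reason = _logon_denial(user, host, ts, sessions)
            if reason:
                findings.append(Finding(ts, user, host, reason))
            else:
                sessions[key] = ts
        elif kind == "activity":
            if key in sessions:
                sessions[key] = ts
            else:
                findings.append(Finding(ts, user, host, "activity_without_session"))
        elif kind == "logoff":
            sessions.pop(key, None)
    return findings


if __name__ == "__main__":
    for f in evaluate(SAMPLE_EVENTS):
        print(f"{f.ts:%H:%M} {f.user:<10} {f.host:<11} {f.code}")
```

Running the block over the sample lists six findings: the concurrent logon at 09:20, the automatic logoff of the idle 08:55 session at 09:40, the unapproved workstation and the shared account, the activity arriving after the session had been expired, and the logon at 21:30. Only the compliant 11:00 logon produces nothing, which is the point: every control above is a deterministic rule on data a directory already holds, so there is little reason for the low adoption figures in the survey.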
Find out where you stand on compliance
The area that is most often insecure is also a complex one to address: human nature. The fact is that most risk stems not from technology but from user error. All it takes is an absent-minded employee sharing a password, or deciding to use information they should never have had access to for something illegal.
Technology is necessary to fill the gaps it can, as even with a well-educated and alert workforce it is still human nature to let our guard drop. However, to really know where your organisation falls short on compliance, you need to know what compliance requires.
We’ve gone through all the areas of user access security that relate not only to compliance in law, but general good security practice. Complete the IS Decisions legal security checklist to find out whether you are compliant with not only the DPA and Lexcel but also FISMA and ISO 27001.