[BreachExchange] Are legal firms risking confidential information?

[Audrey McNeil]

http://www.itproportal.com/2016/04/04/are-legal-firms-risking-confidential-information/

When it comes to information security, the weakest point in any
organisation is usually its employees. And given legal sector employees
arguably have access to a broader array of sensitive information than those
in any other industry, it’s a real cause for concern in the sector. That is
why this industry has some of the most stringent regulations with regards
to user security.

However, research among 500 US and UK legal sector employees reveals many
legal organisations still have huge gaps in their security protocols. Holes
in everything from the on-boarding process and training new employees to
basic network access restrictions have revealed themselves in our recent
report, ‘Legal and Law Enforcement: Information Access Compliance’.

Failing to provide information security training when on-boarding new
employees

The ethical standards designed to protect attorney-client privileged
communications and other legally privileged information such as patents,
copyright and trade secrets are well known in law. However, it was
surprising to see that almost a third (31 per cent) of professionals in
legal practices were not given information security training during
on-boarding.

Some of the high-profile attacks on organisations in 2014 and 2015, such as
those at Sony Entertainment and JP Morgan, occurred as a result of
compromised employee credentials, urging companies to place even more
importance on security training. Section 3 of the Law Society’s ‘Lexcel
England and Wales v6 Standard for legal practices’ specifically states that
practices must conduct ‘training for personnel on information security’.

The research shows that far too many law industry organisations are putting
data at risk by ignoring training at various stages of employment — and are
therefore non-compliant. 69 per cent of employees in the UK law sector did
not receive IT security training when they first joined their organisation.
In addition, more than half (55 per cent) say that their organisation does
not provide any security training whatsoever.

Another area that was found to be lacking was pre-employment. Without
background checks on candidates, you don’t have the full picture of who you
are inviting into your organisation, but only 43 per cent of legal sector
employees said that they were aware that their organisation runs background
checks.

Lacking security awareness and training

Despite the relatively granular detail and clear guidance on what
organisations must do to achieve compliance offered in standards like
Lexcel, almost a third (29 per cent) are not aware that their legal
organisation has a documented security policy at all.

The lack of awareness among employees on policies extends to procedures in
the event of a breach. More than half do not know who to report a breach to
— lengthening the crucial time period in which an IT administrator can find
and mitigate any damage. A low 29 per cent of employees are aware of the
penalties the organisation would impose for data theft or leakages.

Little to no control over network access

There is only so much that can be addressed by raising security awareness
and training, as even educated employees make mistakes. This is why it
makes sense to turn to technology to assist in implementing access
restrictions to sensitive data on the network. However, only 62 per cent of
practices enforce basic security measures like secure passwords, and 57 per
cent do not clearly define roles and responsibilities with regards to IT
security.

In fact, 34 per cent do not have a unique user login, essential for
implementing security restrictions on a ‘need to know’ user by user basis,
and a requirement of all user security compliance regulations. Worse still,
24 per cent are not required to login to their employers’ network at all,
suggesting access is fully open and not being tracked. To add to this, it
seems that 19 per cent of employees in the legal sector are sharing their
logins with the approval of their employers, making the organisations
complicit in flouting basic user security.

Simple access procedures that are commonly overlooked

If you consider security to be ‘multidimensional’, you want to be able to
minimise risk in as many of those dimensions as possible. Here are some of
the standard information access procedures that can help and you will note
that they are standard processes that are fairly easy to implement.

Unique logins

Not only does unique user identification allow you to restrict network and
data access on a ‘need to know’ basis, it is also essential in tracking and
monitoring. However, 34 per cent of legal employees do not have a unique
user login for their employer’s network. If a breach does occur, you cannot
detect how it occurred without being able to identify individuals and their
network access activity.

Automatic log off

Where users have a unique login, there is still significant openness to the
risks of human fallibility. A particular area of concern is how these
logins are used – if a user is never required or forced to log off, the
benefits of having a login profile at all are minimal. Halting network
access after a set period of inactivity to reduce the risk of individuals
getting access where they shouldn’t. Despite this being a relatively simple
procedure to put in place, 44 per cent are required to manually log off the
network – the likely reality being that many do not.

Location and time restrictions

By restricting user access to times users actually need access (standard
business hours, for example) and the departments, offices or workstations
required, you are further reducing what is termed ‘vulnerable surface area’
for attack. This sensible approach is not all too common with 28 per cent
restricting access by location and just 18 per cent restricting according
to time.

Concurrent logins

One of the reasons that unique logins are such a strict requirement is the
need to be able to attribute actions to individuals, and the ability to do
this is a requirement of Lexcel and the DPA. But if users are allowed to
login to more than one machine at a time, then ability to attribute actions
is significantly decreased. Only 28 per cent are prevented from using their
credentials to login to more than one machine at once.

Find out where you stand on compliance

The one area that is most often not secure is a complex area to address –
human nature. The fact is that most risk stems not from technology, but
from user error. All it takes is an absent-minded employee sharing a
password or deciding to use the intel to which they shouldn’t have access
to do something illegal.

Technology is necessary to fill the gaps that it can, as even with a well
educated and alert workforce we know that it is still human nature to let
our guards drop. However, to really know where your organisation is lacking
in compliance, you need to know what that compliance is.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20160404/f094daae/attachment.html>