Why the legal sector is risking confidential information

The lack of unique logins, manual logoffs and concurrent logins is putting confidential information in the legal sector at risk, new research has revealed.

A report by IS Decisions found that despite requirements by regulatory bodies, only 39% are prevented from concurrent logins on multiple machines, which not only puts information at risk but also narrows the options for investigation should something go wrong.

Furthermore, 28% of legal employees in the US do not have a unique user login for their employer’s network and 23% do not require a login for access at all despite this basic information security process being a requirement of any security standard, including FISMA (The Federal Information Security Management Act) and ISO 27001.

The report covers a number of issues that can have a direct effect on information security in the legal sector. Pertinent information such as case files, identity profiles and confidential statements can potentially and unknowingly become compromised if there isn’t a reliable access management procedure and system in place.

The report also details how the legal sector is deploying security training, for both on-boarding new employees and those who have settled into their jobs. Almost a third (29%) did not receive any security training when they were employed and less than half (48%) the number of existing employees received IT security training. 78% have access to information such as case files and crime data but half shared that they do not have an automatic logoff procedure in place.

This is despite the security policies included in the set of objectives of ISO 27001, the international standard that specifies best practice for information security management.

The figures in the report around access, logins as well as information security training shows the need to firstly, implement a good access management system and secondly train staff to raise awareness and build accountability.

“The information that passes through legal professionals hands can be incredibly sensitive, and naturally attorney-client privilege must be taken into account. It is important to have a reliable system in place to manage and track access to this information and it doesn’t have to be a complicated process. This can be easily achieved with the right combination of implementing access control policies, applying user identity verification and improving user activity auditing,” said Francois Amigorena, CEO of IS Decisions.