According to a survey of 100 professionals working in legal departments and law firms in the UK, 57 per cent believe that email constitutes the greatest security risk to their business.
The survey, by logistics firm DX, also revealed that over half of legal professionals know of at least one incident in the last 12 months when an email had been sent to the wrong person, and 80 per cent of these emails had been sent to at least one external recipient.
Jonathan Armstrong, partner at Cordery, told IT Security Guru that he was not too surprised by the findings, as risks to the profession have changed over the last ten years or so. In particular, emails can now be sent at all hours of the day and night, which may lead to such mistakes happening more and more.
He said: “The caution I have though is that just because a risk is obvious, it does not mean it’s the biggest risk. I think lawyers underestimate the external threat and it is wise for any practice to do a proper risk assessment which would include mistakes from staff, but also miscreants looking for client, project or deal data.”
Kevin Epstein, VP of Information, security and risk at Proofpoint, said that in the last few years, email has been a leading threat vector for targeted attacks, as a primary mechanism for delivery of URLs and documents.
“Just as emergency room doctors are more exposed to diseases by nature of their position, legal professionals are de facto more exposed to targeted threats given the volume of external information that they must access as a matter of daily business,” he said.
Asked whether there are better solutions that could protect legal professionals, Epstein said that there are, but that attachment blocking is infeasible as it would disrupt business.
He said: “You could be very protected from targeted threats by not using email at all, insisting all documents be sent by fax or read by phone, but you wouldn’t remain competitive in the modern workplace.
“Similarly, scanning for signatures is not a reliable form of protection because malware is polymorphic; it can change signature on every download. Also, awareness is certainly necessary, but it’s not a foolproof remedy.
“Modern email security solutions rely on systems that use statistical information or ‘Big Data’ to observe patterns in email transmission, and then engage in ‘Predictive Defense’, emulating the recipient’s behaviour to follow the URL or open the attachment. It needs to understand what would happen to the recipient before they’re exposed to the email, on their device at work, at home or on the road.”