The lack of unique logins, manual logoffs and concurrent logins is putting confidential information in the legal sector at risk, new research has revealed. A report by security software provider IS Decisions found that despite requirements by regulatory bodies, only 28% are prevented from concurrent logins on multiple machines, which not only puts information at risk but also narrows the options for investigation should something go wrong. A third (34%) of legal employees in the UK do not have a unique user login for their employer’s network. Furthermore 24% do not require a login for access at all, despite this basic information security process being a requirement of any security standard, including Lexcel and ISO 27001.
The report, ‘Legal and Law Enforcement: Information Access Compliance’, covers a number of issues that can have a direct effect on information security in the legal sector. Pertinent information such as case files, identity profiles and confidential statements can potentially and unknowingly become compromised if there isn’t a reliable access management procedure and system in place.
The report also details how the legal sector is deploying security training, for both on-boarding new employees and those who have settled into their jobs. Almost a third (31%) did not receive any security training when they were employed and less than half (43%) the number of existing employees received IT security training. According to the report 69% have access to information such as case files and crime data but half shared that they do not have an automatic logoff procedure in place.
This is despite the security policies included in the set of objectives of ISO 27001, the international standard that specifies best practice for information security management.
The figures in the report around access, logins and information security training shows the need, first, to implement a good access management system, and secondly to train staff to raise awareness and build accountability.
François Amigorena, CEO of IS Decisions commented, “The information that passes through legal professionals’ hands can be incredibly sensitive, and naturally attorney-client privilege must be taken into account. It is important to have a reliable system in place to manage and track access to this information and it doesn’t have to be a complicated process. This can be easily achieved with the right combination of implementing access control policies, applying user identity verification and improving user activity auditing.”
See ‘Legal and Law Enforcement: Information Access Compliance’ for more information on how to make your organisation secure and compliant for Lexcel, The Data Protection Act and ISO 27001 regulations.