Temporary access

Legal practices have a process in place to manage temporary access to sensitive information

Changing Roles

Legal practices do not review and adapt access rights to files and folders when employees move roles within the organisation

Exit Process

Legal practices do not immediately revoke network access rights when an employee leaves the company

* Research in the legal sector in the US and UK (250 in each)

What are legal and law enforcement agencies doing when employees change or leave jobs?

As discussed earlier, employees should only be able to access the information they need to do their job. Employees who move roles within an organisation therefore become a risk if you do not review their network and file access rights: unless those rights are adjusted as the role changes, the permissions of the old role accumulate on top of the new one. As for employees who leave your company altogether, revoking access from the minute the person walks out of the door is an absolute necessity. Nobody wants a former employee still able to reach the company network, particularly as ex-employees have far less incentive to keep sensitive data secure.

What the compliance requirements are

Section 4 of Lexcel England and Wales v6 Standard for legal practices states that practices must have a procedure that details steps to follow when a member of personnel ceases to be an employee, including the “handover of work, exit interviews, the return of property belonging to the practice.”

ISO 27001 states that organisations must define and enforce information security responsibilities and duties that remain valid after termination or change of employment. And when an employee leaves, organisations must conduct a formal user de-registration process.

What the research shows

Alarmingly, 52% of UK and 48% of US legal practices do not review and adapt access rights to files and folders when employees move roles within the organisation. By doing nothing, you leave employees with more access to data and networks than they need, which widens the window of opportunity for a potential attack and leaves you non-compliant.

More worrying still, 54% of UK and 39% of US legal practices do not immediately revoke network access rights when an employee leaves the company. Access by former employees is extremely dangerous because a still-enabled account authenticates normally: as far as your systems are concerned the login is genuine and authorised, so nothing alerts on it, and a former employee could be using your systems for months before you detect them.
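Because a leaver's login looks legitimate to the system that accepts it, the only reliable way to catch both failure modes above (leavers whose accounts stay enabled, movers whose old permissions linger) is to reconcile the HR roster against the directory and the authentication log. The script below is an added example written for this page, not a tool from the research or from any named standard; the roster, accounts, log lines and role-to-group mapping are constructed sample data and the log format is an assumption.

```python
from dataclasses import dataclass
from datetime import date, datetime
from typing import Dict, List, Optional, Set, Tuple

# Which groups each role is entitled to (constructed, hypothetical values).
ROLE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "paralegal": {"matters-ro", "email"},
    "solicitor": {"matters-rw", "email", "billing-ro"},
    "finance": {"billing-rw", "email"},
}


@dataclass
class Person:
    """One row of the HR roster: current role and, for leavers, the exit date."""
    user: str
    role: str
    left_on: Optional[date] = None  # None means still employed


@dataclass
class Account:
    """One directory account: whether it can log in, and its group memberships."""
    user: str
    enabled: bool
    groups: Set[str]


def parse_auth_log(lines: List[str]) -> List[dict]:
    """Parse constructed log lines of the assumed form
    '<ISO timestamp> user=<id> result=<success|failure> src=<ip>'."""
    events = []
    for line in lines:
        ts, *pairs = line.split()
        fields = dict(p.split("=", 1) for p in pairs)
        events.append({"ts": datetime.fromisoformat(ts), **fields})
    return events


def reconcile(roster: List[Person], accounts: List[Account],
              events: List[dict], today: date) -> List[Tuple[str, str, str]]:
    """Return (finding, user, detail) tuples for leaver and mover gaps."""
    findings: List[Tuple[str, str, str]] = []
    people = {p.user: p for p in roster}
    by_user = {a.user: a for a in accounts}

    # 1. Leavers whose account can still authenticate.
    for p in roster:
        if p.left_on is not None:
            acct = by_user.get(p.user)
            if acct is not None and acct.enabled:
                days = (today - p.left_on).days
                findings.append(("LEAVER_STILL_ENABLED", p.user,
                                 f"left {p.left_on}, enabled {days} days later"))

    # 2. Successful logins after the exit date, or by users HR no longer lists.
    #    These are the logins no authentication alert fires on.
    for e in events:
        p = people.get(e["user"])
        if p is None:
            findings.append(("UNKNOWN_USER_LOGIN", e["user"],
                             f"not on roster, login at {e['ts']}"))
        elif (p.left_on is not None and e["result"] == "success"
              and e["ts"].date() > p.left_on):
            findings.append(("POST_EXIT_LOGIN", p.user,
                             f"{e['ts']} from {e['src']}"))

    # 3. Movers whose group memberships exceed their current role.
    for a in accounts:
        p = people.get(a.user)
        if p is None or p.left_on is not None:
            continue
        excess = a.groups - ROLE_ENTITLEMENTS.get(p.role, set())
        if excess:
            findings.append(("EXCESS_ENTITLEMENT", a.user,
                             f"role {p.role} but still in {sorted(excess)}"))
    return findings


# Constructed sample data: one mover (bjones, finance -> solicitor) and one
# leaver (cdoe) whose account was never disabled.
ROSTER = [
    Person("asmith", "solicitor"),
    Person("bjones", "solicitor"),
    Person("cdoe", "paralegal", left_on=date(2024, 3, 1)),
]
ACCOUNTS = [
    Account("asmith", True, {"matters-rw", "email", "billing-ro"}),
    Account("bjones", True, {"matters-rw", "email", "billing-ro", "billing-rw"}),
    Account("cdoe", True, {"matters-ro", "email"}),
]
AUTH_LOG = [
    "2024-03-04T09:12:41 user=asmith result=success src=10.0.0.5",
    "2024-03-05T23:48:02 user=cdoe result=success src=203.0.113.9",
    "2024-03-06T08:01:15 user=bjones result=success src=10.0.0.7",
]


def run_example() -> List[Tuple[str, str, str]]:
    """Reconcile the sample data as of 10 March 2024."""
    return reconcile(ROSTER, ACCOUNTS, parse_auth_log(AUTH_LOG), date(2024, 3, 10))


if __name__ == "__main__":
    for finding, user, detail in run_example():
        print(f"{finding:22} {user:8} {detail}")
```

Run against the sample data this reports three gaps: cdoe's account still enabled nine days after leaving, a successful login by cdoe four days after the exit date, and bjones retaining the finance-only billing-rw group after moving to a solicitor role. In practice the roster comes from the HR system and the accounts and log from the directory and its authentication logs; the point is that the alert is driven by HR status, not by anything the login itself looks like.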