For almost four decades, Panama’s Mossack Fonseca law firm has specialised in commercial law, trust services and investor advisory, and was known to global elites for its discretion. However, its recent leak of more than 11 million documents – the biggest data leak in history – only reiterates that law firms can never be too careful when it comes to safeguarding their clients’ information.
The details of how the leak took place have yet to be uncovered. One of the firm’s founders has stated that he believes it to have been the work of ‘hackers’, and we don’t wish to speculate too much while the focus is on what the leak reveals rather than on how it happened. However, we do know that the weakest link in any organisation’s security is normally its employees, and that even in the case of a ‘hack’ the source is often compromised credentials. This story is testament to the fact that legal professionals often have access to a broader array of sensitive information than other sectors, yet our research has shown that there are often significant gaps in legal organisations’ internal security processes.
Our report, ‘Legal and Law Enforcement: Information Access Compliance’ highlights these gaps using research among 500 legal professionals in the US and UK, showing lapses in areas ranging from on-boarding and training new employees to network access. Here are some of the usual suspects that can lead to potential leaks.
Lack of security training
The report details how this sector is deploying security training, both as part of the process of on-boarding new employees and for those who have settled into their jobs. Security training is a requirement of the Law Society’s Lexcel standard, and of ISO 27001, the global security gold standard. Despite this, almost a third (31%) of respondents did not receive any security training when they were first employed, and fewer than half (43%) of existing employees have received any IT security training.
Lack of unique logins
Providing unique user logins is the foundation of secure network user access. It’s a basic requirement of network access management, yet a third (34%) of legal employees in the UK do not have a unique user login for their employer’s network. Furthermore, 24% do not require a login for access at all, despite this basic information security process being a necessity for any security standard, including Lexcel and ISO 27001. Not only does unique user identification allow you to restrict network and data access on a ‘need to know’ basis, as is required by the Data Protection Act, it is also essential for tracking and monitoring user activity.
No location or time restrictions on network access
By restricting user access to the times they need (standard business hours, for example) and to the departments, offices or workstations required, you reduce what is called the ‘vulnerable surface area’ (the attack surface) exposed to a potential breach. The principle is that the more restrictions you can put in place without getting in the way of the user, the less likely a breach is to take place. This sensible approach is not all that common: only 28% restrict access by location and just 18% restrict it according to time.
Concurrent logins supported
One of the reasons that unique logins are such a strict requirement is the need to be able to attribute actions to individuals, and the ability to do this is a requirement of Lexcel as well as the Data Protection Act. But if users are allowed to log in to more than one machine at a time, the ability to attribute actions is significantly reduced, because it opens up the possibility of more than one person using the same login profile. Only 28% of legal sector employees are prevented from using their credentials to log in to more than one machine at once.
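As an added illustration (not part of the original article or its report), the three controls above can also be checked after the fact from logon records. The Python script below runs over a constructed set of logon/logoff events and flags out-of-hours logons, logons from workstations outside a user’s permitted office, and an account holding sessions on two machines at once. The event format, the business-hours window and the workstation naming scheme are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, time

# Constructed sample logon/logoff events (not real data): (user, workstation, event, timestamp)
EVENTS = [
    ("jsmith", "WS-101", "logon",  "2016-04-05 09:02:00"),
    ("jsmith", "WS-101", "logoff", "2016-04-05 17:30:00"),
    ("abrown", "WS-204", "logon",  "2016-04-05 08:55:00"),
    ("abrown", "WS-311", "logon",  "2016-04-05 10:12:00"),  # second machine, first session still open
    ("abrown", "WS-204", "logoff", "2016-04-05 12:00:00"),
    ("abrown", "WS-311", "logoff", "2016-04-05 16:40:00"),
    ("clee",   "WS-150", "logon",  "2016-04-05 23:15:00"),  # outside business hours
    ("clee",   "WS-150", "logoff", "2016-04-06 01:05:00"),
]
# Hypothetical policy: permitted hours and, per user, the office workstation prefixes they may use
BUSINESS_START, BUSINESS_END = time(8, 0), time(19, 0)
ALLOWED_PREFIXES = {"jsmith": {"WS-1"}, "abrown": {"WS-2"}, "clee": {"WS-1"}}

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")

def out_of_hours_logons(events, start=BUSINESS_START, end=BUSINESS_END):
    """Logons whose time of day falls outside the permitted window."""
    return [(u, ws, ts) for u, ws, kind, ts in events
            if kind == "logon" and not (start <= parse(ts).time() <= end)]

def off_location_logons(events, allowed=ALLOWED_PREFIXES):
    """Logons from workstations outside the user's permitted office prefixes."""
    return [(u, ws, ts) for u, ws, kind, ts in events
            if kind == "logon" and not any(ws.startswith(p) for p in allowed.get(u, ()))]

def concurrent_logins(events):
    """Each logon made while the same account still has an open session on another machine."""
    active = defaultdict(set)  # user -> workstations with a session that has not logged off
    hits = []
    for u, ws, kind, ts in sorted(events, key=lambda e: parse(e[3])):
        if kind == "logon":
            others = active[u] - {ws}
            if others:
                hits.append((u, ws, ts, sorted(others)))
            active[u].add(ws)
        else:
            active[u].discard(ws)
    return hits

if __name__ == "__main__":
    for fn in (out_of_hours_logons, off_location_logons, concurrent_logins):
        print(fn.__name__, fn(EVENTS))
```

Each finding is a concrete, attributable record (user, machine, time) of the kind the Lexcel and DPA attribution requirements call for; in practice the same checks would be run against the domain controller’s logon audit events rather than a hand-built list.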
If you want to find out whether you are compliant with the DPA, Lexcel, FISMA and ISO 27001, our legal user security checklist can help you.