What are legal and law enforcement agencies doing to secure network access and the data within?
Beyond the human elements of onboarding employees and raising security awareness through training, technology has an important role in taking user security further and mitigating risk.
Technology is necessary to fill the gaps: even with a well-educated and alert workforce, it is human nature to let our guard drop.
Technology can help enforce restrictions on access to the sensitive data on your network, and there are multiple levels at which this must (or should) be addressed.
Unique user logins
We’ve talked about having unique user logins as a minimum requirement. As far as technology goes, it is the foundation of a good user security approach as it enables all other elements from restrictions to monitoring.
It is also a requirement of all of the regulations covered in this guide.
However, despite unique user logins being such a basic requirement, 34% of law sector employees in the UK and 28% in the US do not have a unique user login. Worse still, 24% in the UK and 23% in the US are not required to log in to their employer's network at all, suggesting access is fully open and not being tracked.
More worryingly, it seems that some workers in the legal sector are sharing their logins with the approval of their employers. 19% in the UK and 21% in the US told us they are permitted to share logins with their colleagues.
Logoff and on procedure
Of course, even where users have a unique login, human fallibility still leaves significant openings. A particular area of concern is how these logins are used: if a user is never required or forced to log off, the benefits of having a login profile at all are minimal. And we know that, even when told to, users rarely take the time to log off and back on every time they leave their desk.
This is why an automatic, timed forced logoff is important: it ends network access after a set period of inactivity, reducing the risk of someone else using an unattended session to gain access they should not have.
Despite this being relatively simple to put in place, fewer than half of employees in either the UK or US legal sector are automatically logged off their employer's network after a set period (40% in the UK and 49% in the US). 44% in the UK and 51% in the US are required to log off the network manually, and the likely reality is that many do not.
Location and time restrictions
If you consider security to be 'multidimensional', you want to minimise risk in as many of those dimensions as possible. This is why limiting access by time and location is an effective way of reducing the attack surface.
By restricting user access to the times they need (standard business hours, for example) and to the departments, offices or workstations they require, you shrink the window in which a stolen or shared credential can be used, and from where.
This sensible approach is not especially common in the legal sector, however: 28% of organisations in the UK and 36% in the US restrict access by location, and just 18% in the UK and 27% in the US restrict it according to time.
Concurrent logins and attribution
One of the reasons that unique logins are such a strict requirement is the need to be able to attribute actions to individuals. The ability to do this is a requirement of Lexcel, FISMA, the DPA and ISO 27001/2.
Firstly, only a minority of our research base in the legal sector believed that their actions on their employer's network could be attributed to them: just 38% in the UK and 48% in the US. Whether this is actually the case or not (administrators may have a closer eye on users than they are aware of), it is still bad practice. If actions are attributable, users need to know it, because that awareness is key to combating malicious, ignorant or accidental wrongdoing.
Another aspect of attribution is the issue of concurrent logins. If users are allowed to log in to more than one machine at a time, the ability to attribute actions is significantly reduced: which logged-in machine is the user actually using? Yet only 28% of law sector employees in the UK and 39% in the US are prevented from using their credentials to log in to more than one machine at once.
Monitoring network access
Of course the next step following the management and restriction of user access is to monitor that access. Half of US legal sector workers and 42% of those in the UK are aware that their employers are monitoring network access. The real figures may be higher than this, but employee awareness will lead to better behaviour, so it is always best to be transparent about what’s being monitored.
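The following script is an added example, not code from the original guide or from any product it describes. It shows how the controls discussed in the previous sections (logon hours, permitted workstations, a limit on concurrent sessions) and the monitoring of that access fit together: logon and logoff events are replayed in time order against a per-account policy, every logon that breaks a restriction is reported with all the reasons it failed, and any session still open at the end of the log is listed for the idle-logoff discussion. The policy model, the usernames, hostnames and events are all constructed for illustration; a real deployment would read policy from the directory and events from the domain controllers' security logs.

```python
"""Check logon events against per-account access restrictions.

Added example, not from the original guide. The policy model, usernames,
hostnames and events are constructed to illustrate logon-hour, workstation
and concurrent-session restrictions together with monitoring of the result.
"""
from dataclasses import dataclass
from datetime import datetime, time
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Policy:
    """Access restrictions for one account (constructed model)."""
    start: time                    # earliest permitted logon time of day
    end: time                      # latest permitted logon time of day
    workstations: FrozenSet[str]   # hostnames the account may log on from
    max_sessions: int = 1          # concurrent sessions permitted


@dataclass(frozen=True)
class Finding:
    timestamp: str
    user: str
    host: str
    reasons: Tuple[str, ...]       # every restriction the logon violated


# Constructed policies: a fee earner limited to office hours and two desks,
# and an admin account allowed round the clock on two hosts.
POLICIES: Dict[str, Policy] = {
    "jsmith": Policy(time(8, 0), time(19, 0), frozenset({"WS-LON-01", "WS-LON-02"})),
    "admin": Policy(time(0, 0), time.max, frozenset({"WS-LON-01", "SRV-01"}), 2),
}

# Constructed events: (ISO timestamp, user, host, "logon" | "logoff").
EVENTS: List[Tuple[str, str, str, str]] = [
    ("2024-03-04T08:55:00", "jsmith", "WS-LON-01", "logon"),
    ("2024-03-04T09:10:00", "jsmith", "WS-LON-02", "logon"),   # still logged on at WS-LON-01
    ("2024-03-04T10:00:00", "jsmith", "WS-NYC-07", "logon"),   # not one of jsmith's desks
    ("2024-03-04T10:05:00", "admin", "SRV-01", "logon"),
    ("2024-03-04T10:06:00", "unknown", "WS-LON-01", "logon"),  # no policy defined
    ("2024-03-04T10:10:00", "admin", "WS-LON-01", "logon"),    # admin is allowed 2 sessions
    ("2024-03-04T10:30:00", "jsmith", "WS-NYC-07", "logoff"),
    ("2024-03-04T12:00:00", "jsmith", "WS-LON-01", "logoff"),
    ("2024-03-04T17:45:00", "jsmith", "WS-LON-02", "logoff"),
    ("2024-03-04T21:30:00", "jsmith", "WS-LON-02", "logon"),   # outside 08:00-19:00
]


def check_events(events, policies):
    """Replay events in time order; return (findings, sessions still open).

    A logon that breaks several restrictions yields one Finding listing all
    of them. Every logon is recorded as an open session even when flagged,
    because the log says it happened; a logon the system denied would not
    appear here at all.
    """
    active: Dict[str, set] = {}
    findings: List[Finding] = []
    for ts, user, host, action in sorted(events):
        sessions = active.setdefault(user, set())
        if action == "logoff":
            sessions.discard(host)
            continue
        reasons = []
        policy = policies.get(user)
        if policy is None:
            reasons.append("no policy for account")
        else:
            t = datetime.fromisoformat(ts).time()
            if not policy.start <= t <= policy.end:
                reasons.append("outside logon hours")
            if host not in policy.workstations:
                reasons.append("workstation not permitted")
            others = sessions - {host}   # sessions on other machines right now
            if len(others) >= policy.max_sessions:
                reasons.append("concurrent session on " + ", ".join(sorted(others)))
        if reasons:
            findings.append(Finding(ts, user, host, tuple(reasons)))
        sessions.add(host)
    open_sessions = {u: sorted(h) for u, h in active.items() if h}
    return findings, open_sessions


if __name__ == "__main__":
    found, still_open = check_events(EVENTS, POLICIES)
    for f in found:
        print(f"{f.timestamp} {f.user}@{f.host}: {'; '.join(f.reasons)}")
    print("sessions never logged off:", still_open)
```

Run against the constructed events, the script flags jsmith's second desk while the first is still in use, the New York workstation (for both the location rule and a second concurrent session), the account with no policy, and the 21:30 logon outside business hours; the admin's second session passes because that policy allows two. The sessions left open at the end of the log are exactly the ones an automatic inactivity logoff would have closed.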