Compared to healthcare and financial services, law firms and associated services have recorded fewer cyber-attacks. Holding less data and working in close proximity to law enforcement were perceived to be deterrents. However, practitioners say the sector is severely prone to insider breaches.
The Insider Data Breach Survey 2020 by Egress, a study of IT leaders and employees from the Benelux region, the US and the UK, including security executives in legal services, says the threat of insider breaches is real.
More than a fourth (27 percent) of respondents in the legal sector say they or a colleague has accidentally shared or leaked company information externally. This is a huge leap from Egress’ previous year’s survey, where only eight percent admitted personal responsibility.
Similarly, 29 percent of respondents in the legal sector said they or a colleague have intentionally shared or leaked company information externally. The figure was just eight percent in the previous year.
The probability of a data leak rises further when the threat of phishing is added.
“Given the wealth of sensitive information they handle, the legal industry is one of the most at-risk sectors from cyber-criminals looking to target law firm employees through phishing campaigns or man-in-the-middle attacks,” Egress CEO Tony Pepper told SC Media UK.
“Just think about the sensitive data legal professionals have access to through activities like mergers and acquisitions, or the money that is at risk as part of a conveyancing scam. As our report shows, 55 percent of legal sector employees who had accidentally leaked data said they had done so because of a phishing email.”
While the risk is real, IT leaders in the legal sector are yet to adopt new strategies or technologies to mitigate the threat, says the report. Just over half of the respondents said they use anti-virus software to combat phishing attacks.
Any notion that the sector is well secured faces correction now that employees have been forced to work from home by the Covid-19 pandemic, said Pepper.
“Given recent events, there will be an unprecedented number of legal employees working from home who might be looking for ways to send large multimedia files or are suddenly having to share more data via email. It therefore won’t be surprising to see the number of data breach incidents increase - and I think law firms need to be prepared for that,” he noted.
“These incidents will likely be more commonly caused by people making mistakes or having to find new, and potentially unsecure ways of sharing data as part of this new reality we’re living right now. But we also know that attackers are trying to take advantage of an environment of heightened anxiety and disrupted work settings to trick people into making mistakes.”
Training employees about the possible threats becomes important here. The ‘Phishing by Industry Benchmarking Report’ by KnowBe4 published today shows that an average of 37.9 percent of untrained end-users will likely fall for a phishing or social engineering scam.
“An effective security awareness training strategy, where goals are regularly assessed and organisational strategy is put in place, can help to accelerate results for all organisations,” KnowBe4 security awareness advocate Javvad Malik told SC Media UK.
“Any organisation can strengthen security through end-user training in as little as three months. The 37.9 percent can be brought down by over half at 14.1 percent in only 90 days by deploying new-school security awareness training. The one-year-plus results show that with continuous testing and training, the final Phish-Prone percentage can be minimised to 4.7 percent on average,” he explained.
People are the new perimeter when it comes to data security, as their decisions and behaviours put data at risk every day. This has never been truer than when an organisation has most, if not all, of its staff working remotely, noted Pepper.
“The ‘everyday’ security threats that organisations face haven’t gone away – if anything, they’re probably more important than ever. As we see the country work from home at such a large scale, it’s critical that organisations are able to equip their staff with technology that enables them to work productively and securely.”
Routine tasks such as sending emails or sharing large files can become much more difficult when one is not in the office, leading to more mistakes and more potential breach incidents.
“For organisations, this is a problem they’re going to have to solve across a disparate employee base, so I would urge them to look for easy-to-use security software and automate security decisions wherever possible,” Pepper added.