Law firms and corporate legal teams hold a vast amount of sensitive client data, so it’s no surprise that cyber-criminals view the legal sector as an attractive target. According to PwC’s Annual Top 100 Law Firm Survey 2021, cyber-attacks were highlighted as the biggest threat to ambitions, with concerns over financial and reputational damage. Indeed, earlier this year, one UK law firm was fined £98,000 after an attacker exfiltrated files and published them on the black market.
While cyber-attacks from the outside should be a concern, new statistics from the Information Commissioner’s Office (ICO) have revealed that the real threat lies closer to home. In fact, the analysis of the ICO data in Q3 of 2021 shows more than two-thirds (68%) of data breaches in the UK legal sector were caused by insiders, as opposed to only a third (32%) caused by outside threats, such as external malicious actors. With data breaches more likely to be caused from within, legal organizations must be proactive when dealing with insider threats. Therefore, they should invest in the latest data security and governance controls to stop potential breaches at the earliest possible stage.
How do Internal Data Breaches Occur?
The ICO data identified that more than half (54%) of data breaches occurred from human error, such as documents being emailed to the wrong person. The data also showed that 10% of internal data breaches occurred from employees losing their work devices or paperwork. A quarter (25%) of data breaches in the legal sector were caused by phishing attacks, highlighting the need for improved internal security controls and education.
The Legal Sector Needs to Act Now
As so many internal data breaches are caused by accidental or malicious user activity, the legal sector needs to remain on high alert for factors contributing to such incidents. Such as:
- The increase in hybrid and flexible working has raised potential internal security risks, as more documents and files are being shared and accessed from different locations and devices.
- The Great Resignation has birthed the ‘Great Exfiltration,’ in which employees leave their jobs and take their company’s data with them, either intentionally or by accident, by forgetting or choosing not to delete files and documents on personal devices.
Shadow IT, the use of hardware or software without the IT or security group’s knowledge, remains a real threat. Across industries, it is estimated that 42% of a company’s apps are the byproduct of shadow IT and are not managed or approved by IT teams. This adds to company data being increasingly dispersed and, therefore, vulnerable. It is paramount that legal firms provide employees with secure and easy-to-use tools that keep them productive rather than forcing them to use personal email and cloud storage services.
How to Defend Against Insider Threats
Ultimately, law firms and corporate legal departments need to take more control over how their files are accessed and what users can do with them. Most importantly, they cannot underestimate the potential severity of insider threats. To reduce the risk of internal data breaches, the legal sector must also educate employees on how to manage data properly and why it needs protection. This could be through interactive workshops or training sessions and would ensure all employees – from paralegals to partners to the C-suite – are on the same page when it comes to understanding data security.
A clear focus on implementing active data loss prevention (DLP) solutions should be part of a legal team’s cybersecurity strategy. Prioritizing DLP helps organizations classify content, create and enforce policies to control user actions, and prevent documents from inadvertently leaving devices. This builds an extra line of defense when it comes to preventing exfiltration and the unauthorized use of data. In short, deploying DLP applications and functions can significantly reduce the potential for internal data breaches. Selecting DLP solutions that are integrated into a firm’s normal operating procedures can also ensure greater acceptance of the controls and a much smaller impact on user workflows. Active DLP and ongoing employee training are two critical steps for minimizing the risk of internal data breaches.
Don’t Ignore What is Under Your Nose
Legal firms and departments of all sizes need to have a robust cybersecurity strategy that can stand against technical and complex cybersecurity threats. If legal organizations become negligent and don’t incorporate defenses against insider threats as part of their strategies, they risk shooting themselves in the foot. Ultimately, this boils down to the legal sector nurturing a no-nonsense approach to data security and implementing strict yet practical working processes. DLP solutions and employee education may offer firms practical ways to limit many of today’s current threats.