96% of legal IT leaders say insider data breaches a 'major concern'
Written by Peter Walker
A new study has found that 96 per cent of IT leaders in the legal sector say insider breach risk is a significant concern.
Cyber security specialist Egress' second annual survey was conducted in January among more than 500 IT leaders and 5,000 employees across the UK, US and Benelux regions - among these were 106 IT leaders and 1,001 employees in legal sector companies.
It found that 77 per cent thought employees have put data at risk accidentally in the past 12 months and 78 per cent reckoned employees have put data at risk intentionally. When asked about the implications of these breaches, 36 per cent said financial damage would be the area of greatest impact.
Responses from legal sector employees showed they were twice as likely as those from other sectors to admit both intentionally and accidentally breaking company policy when sharing data - 57 per cent said they had intentionally broken company policy compared with 29 per cent average across all sectors, with 56 per cent saying they had done so accidentally, compared with 27 per cent on average.
IT leaders from the legal sector were more pessimistic than average about the risk of future breaches, with 44 per cent saying it is likely employees will put data at risk in the coming year – eight percentage points above average.
The research uncovered a reliance on traditional technologies to prevent insider breaches. Just over half of legal sector IT leaders said they were using anti-virus software to combat phishing attacks and only 43 per cent are using email encryption. There was also a reliance on self-reporting of incidents, with 61 per cent of IT leaders saying that the most likely way of detecting an insider data breach was via employees notifying them.
Egress chief executive Tony Pepper commented: “Given the sensitivity of the information they handle, the legal industry is one of the most at-risk sectors from both accidental and intentional insider data breaches."
The survey also showed that employee misconceptions over data ownership have a negative impact on information security. Of the 57 per cent who said they or a colleague had intentionally shared data against company policy in the past year, 58 per cent said they did so when they took data with them to a new job, while 21 per cent said they had taken a risk when sharing data because they weren’t provided with the right security tools.
This approach to data protection may be explained by employees’ views on data ownership and responsibility, with 56 per cent of the legal industry employees surveyed saying they did not believe that data belongs exclusively to the organisation and only 11 per cent recognised that everyone has responsibility for keeping data safe.
Pepper added: “Employees want to own the data they create and work on, but don’t want the responsibility for keeping it safe - this is a toxic combination for data protection efforts."