This second annual survey looks at the causes, frequency and implications of internal security breach incidents, and at the perspectives of IT leaders and employees on data risk, responsibility and ownership. Conducted by the independent research organisation Opinion Matters in January 2020, the survey covered more than 500 IT leaders and 5,000 employees across the UK, US and Benelux regions. Among these were 106 IT leaders and 1,001 employees at legal sector companies.
Responses from legal sector employees show they are twice as likely as those from other sectors to admit to both intentionally and accidentally breaking company policy when sharing data. 57% said they had intentionally broken company policy, compared with a 29% average across all sectors, and 56% said they had done so accidentally, compared with 27% on average.
IT leaders from the legal sector are more pessimistic than average about the risk of future breaches. 44% say it is likely employees will put data at risk in the coming year – eight percentage points above average.
The research uncovered a concerning reliance on traditional technologies to prevent insider breaches. Just over half of legal sector IT leaders said they are using anti-virus software to combat phishing attacks and only 43% are using email encryption. There is also a worrying reliance on self-reporting of incidents, with 61% of IT leaders saying that the most likely way of detecting an insider data breach is via employees notifying them.
Egress CEO Tony Pepper believes the findings show how IT leaders are resigned to the inevitability of insider breaches and don’t have adequate risk management processes and technology in place. “Given the sensitivity of the information they handle, the legal industry is one of the most at-risk sectors from both accidental and intentional insider data breaches. While they acknowledge the sustained risk, bizarrely IT leaders have not adopted new strategies or technologies to mitigate the threat. They are also relying far too heavily on their staff to self-report incidents, something our analysis suggests is totally ineffective. In essence, they are adopting a risk posture in which at least 44% of employees putting data at risk is deemed acceptable.
“The severe penalties for data breaches mean IT leaders must action better risk management strategies, using advanced tools to prevent insider incidents. They also need better visibility of risk vectors; relying on employees to report incidents is not an acceptable data protection strategy.”
Misdirected and phishing emails are the top cause of accidental insider data breaches in legal companies
55% of legal sector employees who had accidentally leaked data said they had done so because of a phishing email. 31% said they caused a breach by sending information to the wrong person, for example by email. This is underlined by the fact that 61% said they had received an Outlook recall message or a message asking them to disregard a previous email sent in error. All of these figures exceed the averages across sectors.
Tony Pepper adds: “Incidents of people accidentally sending data to incorrect recipients have existed for as long as they’ve had access to email. As a fundamental communication tool, organisations have weighed the advantages of efficiency against data security considerations, and frequently compromise on the latter. However, we are in an unprecedented time of technological development, where tools built using contextual machine learning can combat common issues, such as misdirected emails, the wrong attachments being added to communications, auto-complete mistakes, and employees not using encryption tools correctly. Organisations need to tune into these advances to truly be able to make email safe.”
Erroneous employee views on data ownership in the legal sector
The survey also showed that employee misconceptions over data ownership have a negative impact on information security. Of the 57% who said they or a colleague had intentionally shared data against company policy in the past year, more than half (58%) said they did so when they took data with them to a new job, while one in five (21%) said they had taken a risk when sharing data because they weren’t provided with the right security tools.
This reckless approach to data protection may be explained by employees’ views on data ownership and responsibility. 56% of the legal industry employees surveyed don’t believe that data belongs exclusively to the organisation and only 11% recognise that everyone has responsibility for keeping data safe.
Tony Pepper comments: “Employees want to own the data they create and work on, but don’t want the responsibility for keeping it safe. This is a toxic combination for data protection efforts. When you add their propensity to take data with them when they change jobs and willingness to take risks when sharing data, the scale of the challenge faced by security professionals is alarming.”
Given recent events, there will be an unprecedented number of legal employees working from home who might be looking for ways to send large multimedia files or are suddenly having to share more data via email. Proactively identifying and remediating risks to these changes in working behaviour will help ensure tighter security and compliance.