The report, ‘Legal and Law Enforcement: Information Access Compliance’, found that despite requirements by regulatory bodies, only 28 per cent of employees at law firms and law enforcement agencies in the UK are prevented from concurrent logins on multiple machines. This not only puts information at risk, it also narrows the options for investigation should something go wrong. Furthermore, one third (34 per cent) do not have a unique user login for their employer’s network and 24 per cent do not require a login for access at all, despite this basic information security process being a requirement of any security standard, including Lexcel and ISO 27001.
The report also details how the legal sector is deploying security training, for both on-boarding new employees and those who have settled into their jobs. It showed that almost one third (31 per cent) did not receive any security training when they were employed and less than half (43 per cent) of existing employees receive IT security training. Furthermore, 69 per cent have access to information such as case files and crime data, but half do not have an automatic logoff procedure in place.
It needn’t be complex
François Amigorena, CEO of IS Decisions, commented: ‘The information that passes through legal professionals’ hands can be incredibly sensitive, and naturally attorney-client privilege must be taken into account. It is important to have a reliable system in place to manage and track access to this information and it doesn’t have to be a complicated process. This can be easily achieved with the right combination of implementing access control policies, applying user identity verification and improving user activity auditing.’

Source: IS Decisions