Published: 10th June 2022 | In: Insights
While the race to defend organisations in every sector of the economy against increasingly sophisticated cybercriminals accelerates, it’s important not to focus solely on external threats. The legal sector is having to face up to a different but arguably equally difficult problem: insider threats.
Every industry has always had this problem to a varying degree, but, surprisingly given the very nature of their business, law firms have been victims of insider threats for years. Far from being contained in the digital age, the problem may have become even worse. Law firms must minimise insider threats while still trusting and empowering employees to access the data they need to do their jobs.
A report from the Information Commissioner’s Office (ICO) states that 68% of data breaches in UK law firms in Q3 2021 were committed by insiders. That’s over twice as many as by external actors, showing that the sector still has a huge challenge to overcome.
Three types of insider threats
Insider threats fit into three main categories: neglect / human error, exploitation by external parties and malicious intent.
Everyone makes mistakes from time to time but the consequences vary greatly depending on the error and the situation. Confidential files landing in the wrong hands, employees clicking on phishing emails or technical teams misconfiguring hardware or software can all produce unwanted results. All of these scenarios have already led to much bigger issues in the legal sector. The ICO’s report on data security incident trends reveals that 52% of data breaches are caused by people sharing information with the wrong person, 25% are attributed to phishing attacks and 10% are due to losing data.
Entrusted to secure huge volumes of confidential corporate, government and personal data, law firms’ own staff are a prime target for criminals wishing to trick them into handing over information, or inadvertently providing access to it. Clever phishing or spear-phishing attacks (aimed at one individual) have proven successful time and time again, often without the employee knowing what they have done.
Malicious intent is hard to prove
Although believed to be the source of the smallest percentage of data breaches, the third kind of insider threat is perhaps the most damaging of all and the hardest to detect. Disgruntled and malicious employees, former employees and contractors have been known to do far greater damage when they’ve actually intended it at the outset. With the right access, or by persuading a colleague to grant it to them, employees can easily obtain confidential data to sell to their firm’s rivals, their client’s competitors or criminals looking to make a profit. Employees can often easily evade detection if they know their firm’s security procedures and weaknesses, and many have never been discovered.
The massive move to homeworking during the COVID-19 pandemic exacerbated the problem and significantly increased the percentage of threats caused by employees. Even before the pandemic, it wasn’t uncommon in the legal sector for employees to take company data with them when they moved jobs. Remote working has made this easier to do. Law firms have the perpetual challenge of balancing data access to employees on the one hand with restricting access when necessary on the other.
The ICO believes that law firms could and should do more to stop breaches from happening and it’s prepared to hand out substantial financial penalties for misdemeanours. This year it has already fined one law firm almost £100,000 for multiple data breaches that led to its client’s court data being shared on the dark web.
How to mitigate the risks of insider threats in a hybrid world
While there are many challenges facing the legal sector, it’s not alone in struggling to mitigate risks and control the flow of the data it’s responsible for, all while continuing to serve clients.
Despite cybercriminals becoming more sophisticated, the majority of breaches today succeed because threat actors take advantage of human error: people sending data to the wrong recipients, clicking on phishing emails by mistake, or misconfiguring hardware or software.
Fortunately, there are plenty of tried and trusted steps that can be taken today to achieve the desired outcome. By combining human intelligence and creativity with the latest cyber security tools, and by adopting good cyber hygiene practices, many gaps and weaknesses in security can be closed quickly.
Adopting the zero-trust approach is a great place to start. Stringent but simple measures to always verify individuals and devices, apply multi-factor authentication across the board, and record all digital activity will significantly tighten up security. Technology can also be used to monitor employee behaviour for unusual patterns and permit or restrict access where necessary. Data access should be restricted to a need-to-know basis and data transfer recorded and, when dubious, flagged for further investigation. All this can be performed routinely whether team members are working in an office or remotely. As in all industries, cyber security and cyber hygiene training should be mandatory for all employees as soon as they join the firm, regardless of seniority.
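As an added example (not part of the original article, nor Quorum Cyber’s tooling), the Python sketch below shows how the “record all data transfers and flag dubious ones” step could be applied to audit records: each user’s baseline is built from their own ordinary activity, and a transfer is flagged when it goes to an untrusted destination, happens outside working hours, or is far larger than that baseline. The sample records, the allow-list of trusted domains, the working-hours window and the spike threshold are all constructed assumptions.

```python
"""Flag dubious data transfers in constructed audit records (added example)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Constructed sample audit records: (ISO timestamp, user, destination domain, bytes)
TRANSFERS = [
    ("2022-06-01T09:12:00", "alice", "firm.example", 120_000),
    ("2022-06-01T14:20:00", "bob", "client-a.example", 400_000),
    ("2022-06-01T10:40:00", "alice", "firm.example", 95_000),
    ("2022-06-02T15:02:00", "bob", "client-a.example", 380_000),
    ("2022-06-02T11:05:00", "alice", "firm.example", 110_000),
    ("2022-06-03T09:30:00", "bob", "client-a.example", 420_000),
    ("2022-06-03T22:47:00", "alice", "personal-mail.example", 3_500_000),
]

TRUSTED_DOMAINS = {"firm.example", "client-a.example"}  # assumed allow-list
WORK_HOURS = range(8, 19)   # 08:00-18:59 is treated as normal working time (assumed)
SPIKE_FACTOR = 10           # flag a transfer 10x larger than the user's baseline (assumed)


def flag_transfers(records, trusted=TRUSTED_DOMAINS):
    """Return the transfers that deserve investigation, each with its reasons.

    A user's baseline is the mean size of their earlier, unflagged transfers to
    trusted destinations, so a one-off bulk copy stands out against normal work.
    """
    history = defaultdict(list)  # user -> sizes of earlier ordinary transfers
    flagged = []
    for ts, user, domain, size in sorted(records):  # chronological order
        reasons = []
        if domain not in trusted:
            reasons.append("untrusted destination")
        if datetime.fromisoformat(ts).hour not in WORK_HOURS:
            reasons.append("outside working hours")
        baseline = history[user]
        if baseline and size > SPIKE_FACTOR * mean(baseline):
            reasons.append("volume spike")
        if reasons:
            flagged.append({"time": ts, "user": user, "domain": domain,
                            "bytes": size, "reasons": reasons})
        else:
            history[user].append(size)  # only ordinary activity feeds the baseline
    return flagged


if __name__ == "__main__":
    for hit in flag_transfers(TRANSFERS):
        print(f"{hit['time']} {hit['user']} -> {hit['domain']}: {', '.join(hit['reasons'])}")
```

Each flag is a prompt for a human to look further, not a verdict; the same record can trip several rules, which is what makes it worth investigating first.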
Learn more about cyber security for the legal sector
If you would like to find out how Quorum Cyber can help you, please visit the dedicated Legal Sector page on our website.