Comment: Insider threat risks – the usual suspects
The latest of our comments on security, François Amigorena, CEO of IS Decisions looks at the findings of a recent report on information access compliance and where the holes typically appear within a firm’s security practice.
When it comes to information security, the weakest point in any organisation is usually its employees. And given legal sector employees arguably have access to a broader array of sensitive information than any other industry, it’s a real cause for concern in the sector. That is why this industry has some of the most stringent regulations with regards to user security.
However, research among 500 US and UK legal sector employees reveals many legal organisations still have huge gaps in their security protocols. Holes in everything from the on-boarding process and training new employees to basic network access restrictions have revealed themselves in the recent report, ‘Legal and Law Enforcement: Information Access Compliance’ by IS Decisions.
If you consider security to be ‘multidimensional’, you want to be able to minimise risk in as many of those dimensions as possible.
The report details how this sector is deploying security training, both as part of the process of on-boarding new employees and those who have settled into their jobs. Security training is a requirement of the Law Society’s Lexcel standard, and the global security gold standard of ISO 27001. But despite this almost a third (31%) did not receive any security training when they were employed and less than half (43%) the number of existing employees received IT security training.
Despite the quite basic requirements of what organisations must do to achieve compliance, almost a third (29%) are not aware that their practice has a documented security policy at all. According to the report 69% have access to information such as case files and crime data but half shared that they do not have an automatic logoff procedure in place.
The lack of awareness among employees on policies extends to procedures in the event of a breach. More than half do not know who to report a breach to — lengthening the crucial time period in which an IT administrator can find and mitigate any damage. A low 29% of employees are aware of the penalties the organisation would impose for data theft or leakages.
Lack of unique logins
Providing unique user logins is the foundation of secure network user access. It’s a basic requirement, yet a third (34%) of legal employees in the UK do not have a unique user login for their employer’s network. Furthermore 24% do not require a login for access at all despite this basic information security process being a necessity for any security standard, including Lexcel and ISO 27001.
Not only does unique user identification allow you to restrict network and data access on a ‘need to know’ basis, it is also essential in tracking and monitoring. If a breach does occur, you cannot detect how it occurred without being able to identify individuals and their network access activity.
Where users have a unique login, there is still significant openness to the risks of human fallibility. A particular area of concern is how these logins are used – if a user is never required or forced to logoff, the benefits of having a login profile at all are minimal. And we know that even when told users rarely take the time to login and logoff every time they leave their desk.
This is why automatic timed forced logoff procedure is important, halting network access after a set period of inactivity to reduce the risk of individuals getting access where they shouldn’t. Despite this being a relatively simple procedure to put in place, 44% are required to manually log off the network – the likely reality being that many do not.
No location or time restrictions on network access
By restricting user access to the times they need (standard business hours, for example) and the departments, offices or workstations required, you are reducing vulnerable surface area for potential breach. This sensible approach is not all too common with 28% restricting access by location and just 18% restricting according to time.
Concurrent logins supported
One of the reasons that unique logins are such a strict requirement is the need to be able to attribute actions to individuals, and the ability to do this is a requirement of Lexcel as well as the Data Protection Act. But if users are allowed to login to more than one machine at a time, then ability to attribute actions is significantly decreased. It opens up the possibility of more than one user using the same login profile. Only 28% of legal sector employees are prevented from using their credentials to login to more than one machine at once.
Do you know if you are taking these risks?
Humans, as we know, are fallible. So technology is necessary to fill the gaps that fallibility leaves, as even with a well educated and alert workforce we know that it is still human nature to let our guards drop. However, to really know where your organisation is lacking in compliance, you need to know what that compliance is and what areas it covers.
We have gone through all the areas of user access security that relate not only to compliance in law, but general good security practice. Use the IS Decisions legal user security checklist to find out whether you are compliant with not only the DPA and Lexel but also FISMA and ISO 27001.