Comment: The case for ‘zero trust’ internal security in law
by François Amigorena, CEO, IS Decisions
You might think that lawyers, being well versed on the issues of sensitivity of data and information and adherent to a strong code of ethics, would be among the best-behaved professions when it comes to sticking to security process. Or, you might be aware that this is slightly optimistic thinking, and that in fact employees in the legal industry are not quite as security conscious as we might hope. But most would be shocked to know the extent of the truth. Which is, that the legal industry is flat out the worst of all industries when it comes to internal security and the behaviour of its employees in respect to keeping data and systems safe from threat.
In a recent research report IS Decisions published looking at how behaviours and attitudes to workplace security differ across demographics, job titles and industries, law was consistently a worst performer. Some of the findings included:
• The legal sector is the worst for password sharing, with almost a third (32%) of employees having shared their work-related login with one or more of their colleagues, 9% above the pan-industry average.
• Over a third (34%) are frustrated with their employer’s security policy, with 15% actively attempting to find ways to circumvent it, both figures which are significantly higher than the average.
• Law has a much higher percentage than any other industry for ex-employees continuing to have access to their former employer’s systems or data, with a majority of 57%. Further to this, a larger portion than any other industry has actually accessed it, with this figure at a shocking 19%.
So why is it that the bad security behaviour is so rife in the industry? It is fair to say that law has some uniquely complex challenges when it comes to security.
The challenges of security in a law firm
Law firms have access to widely diverse sets of sensitive client information and data, which naturally needs to be locked down. Yet that has to be balanced against the manner in which lawyers work. The modern law firm is heavily reliant on technology, with lawyers expecting to be able to get hold of the information they need, quickly, wherever they need it. They could as easily be at their desk as at an airport, a client office or at home.
So perhaps more than any other industry, law is battling with the difficult to reconcile challenges of requiring strong data security and a demanding mobile workforce.
This leads to the clue hinted at in the second finding: frustration. The employees in the legal industry are not only the worst behaved security-wise, they are the most frustrated by the security systems they have to work with. Which, perhaps unsurprisingly, is what leads them to attempt to circumvent the policies in place.
Why are lawyers the worst internal security offenders?
The next question is: if workers in the law sector are purposefully attempting to circumvent security policies, are they doing this because they don’t appreciate or understand why the policies are in place? Or do they fully understand, and flagrantly disregard them in order to have an easier life?
This is harder to answer, but we can go back to the original assumption, that lawyers are more likely to be aware of the importance of keeping sensitive data secure. And in fact, when asked about whether behaviour like password sharing constituted a security risk to their employer, employees in law were more likely to be affirmative (51%, compared to a 48% average). So they have a better idea of the dangers, but go ahead anyway.
Which means that the softer ‘focus on user education’ message that can often be applied to internal security is not quite so effective in law. No doubt it will apply to an extent, but the fact is there is clearly a faction that is happy to behave badly despite being aware of what that behaviour risks.
How the ‘zero trust’ security model addresses the problem
So what can tempt lawyers to address their behaviour? Our research had a few insights here too. More than any other sector (39%, compared to a 29% average), those in law told us that having their own network access restricted if they handed over their login details to a colleague would make them less likely to share passwords. They also responded well to other restrictions, such as to department, workstation or device.
This suggests that, perhaps counter-intuitively, law firms do not need fewer security restrictions in order to reduce employee frustration; they need more, to shut down the bad behaviour. Even the employees themselves are telling us that, as if they are saying “restrict us, or we will continue to misbehave”.
Education and empowerment through restriction
A ‘zero trust’ approach to internal security does not have to be a negative one. Using technology to funnel your users into working within your security policies, with little or no room for manoeuvre, is a kind of education in itself. And it has particular resonance with law firms.
Where the traditional security model views everything on the inside of the network as ‘trusted’, and everything off the network as ‘not trusted’, leaving it open to internal misuse, zero trust does not make that distinction. Which is particularly important in an age where trends such as cloud and mobile significantly blur the lines of what is on and off the network.
Any network has authorized employees (authenticated users) with access and rights, and it is these users who carry out the kind of bad or careless behaviour that often leads to security breaches. The zero trust model promotes ‘never trust, always verify’ as its principle and recognizes the need to better manage access for all authenticated users.
In this way, an organization has the ability to determine in a very granular way, what are the legitimate access needs of each employee, and efficiently enforce that decision.
By setting controls so that access is restricted by user, number of simultaneous sessions, department, workstation, device, even time of day, you are focusing on ensuring that every user has sufficient access rights to fully perform their tasks without frustration, but no more.
The mobile worker need not have their network access impeded in this way, as they are given access to the data they need, from wherever and whenever they need it. Though you may be setting restrictions by workstation or device, for the purposes of user access and monitoring the security distinction is not at the device level, it is at the user level. What this means is that it is easier to spot abnormal user access behaviour, and subsequently stop rogue users accessing the network with compromised or stolen credentials, significantly reducing the danger of bad behaviour such as users sharing passwords.
The best way to educate users on security is by giving them contextual understanding. Tell an employee that ‘sharing passwords is bad’ in a training session, and they are unlikely to retain that information. Give an employee an alert that their login is being used elsewhere when they attempt to access the network, and they will begin to understand the implications. Zero trust promotes contextual learning of this kind, disseminating the better behaviour that the law industry apparently sorely needs.
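To make the contextual controls above concrete, here is an added example (not IS Decisions' code, and not a description of any product) of a logon policy evaluator that enforces per-user restrictions by department, workstation, device and time of day, caps simultaneous sessions, and records the ‘your login is in use elsewhere’ alert for the account owner. The `Policy` fields, the `LogonController` class and the `alice` sample policy are all constructed for this illustration.

```python
from dataclasses import dataclass

@dataclass
class Policy:  # hypothetical per-user contextual policy (constructed for this example)
    departments: frozenset
    workstations: frozenset
    devices: frozenset
    hours: tuple  # (start, end): allowed if start <= hour < end
    max_sessions: int  # cap on simultaneous sessions

class LogonController:
    """Checks each logon against the user's policy and tracks open sessions."""
    def __init__(self, policies):
        self.policies = policies
        self.sessions = {}  # user -> workstations with an open session
        self.alerts = []  # (user, attempted workstation, where already active)

    def evaluate(self, user, department, workstation, device, hour):
        """Return (allowed, reasons); all failed checks are reported, not just the first."""
        p = self.policies.get(user)
        if p is None:
            return False, ["no policy defined for user"]
        reasons = []
        if department not in p.departments:
            reasons.append(f"department {department} not permitted")
        if workstation not in p.workstations:
            reasons.append(f"workstation {workstation} not permitted")
        if device not in p.devices:
            reasons.append(f"device type {device} not permitted")
        if not p.hours[0] <= hour < p.hours[1]:
            reasons.append(f"hour {hour} outside permitted window {p.hours}")
        active = self.sessions.setdefault(user, [])
        if len(active) >= p.max_sessions:  # the login is already in use elsewhere
            reasons.append(f"session limit reached; already active on {', '.join(active)}")
            self.alerts.append((user, workstation, list(active)))  # contextual alert
        if reasons:
            return False, reasons
        active.append(workstation)
        return True, []

    def logoff(self, user, workstation):
        self.sessions.get(user, []).remove(workstation)

# Constructed sample: one litigation user, office hours only, one session at a time.
SAMPLE_POLICIES = {"alice": Policy(frozenset({"litigation"}), frozenset({"WS-LIT-01", "WS-LIT-02"}),
                                   frozenset({"desktop", "laptop"}), (8, 20), 1)}
```

With `LogonController(SAMPLE_POLICIES)`, a first logon from WS-LIT-01 at 9am is allowed, while a second attempt from WS-LIT-02 before the first session is closed is denied and an alert naming the active workstation is recorded.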