By Tim Sadler, CEO and co-founder of Tessian
Would you be shocked to learn that more than half of legal professionals have sent at least one email to the wrong person? This is a big, and largely underestimated, problem, particularly in law and professional services. Consider how many email exchanges contain witness statements, for example, or medical records, market-sensitive information, the details of M&A activity, and sensitive HR or employee data.
In the wrong hands, this data can disrupt court cases, impact victims or suspects, jeopardise deals, and have significant repercussions for the law firm at fault. Especially when data privacy laws like GDPR and the American Bar Association Rule 1.6 loom strictly over legal professionals.
Organisations in the legal sector are by no means neglecting data security practices, but security leaders are fighting a growing battle against the leading cause of all data privacy incidents – human error.
Our recent report, ‘Data Loss Prevention in Legal’, revealed a number of insights into data practices in the highly regulated legal sector. For example, in 2020, over 306.4 billion emails were sent and received, and employees spend 40% of their time on email. Accidents, such as fat-fingering an email to a similarly named recipient, are therefore bound to happen.
Fortunately, security leaders are aware of the significance of this issue, with nearly half (47%) citing email as the threat vector they’re most concerned about protecting. But unfortunately, these security leaders are underestimating just how widespread the problem is…
Security leaders estimated just 480 wrong emails are sent every year in organisations with more than 1,000 employees, but the actual figure is nearly twice that amount, at 800.
Why remote work hasn’t helped the problem
Remote work has exacerbated the data loss prevention problem. Not only have we become more reliant on email to stay connected with colleagues during the pandemic, but staff have had to deal with other factors that impede their concentration at work.
Stress, fatigue and distraction peaked over the past year, as many employees juggled a hectic home life, personal difficulties and the stresses associated with lockdown, all while continuing to hit deadlines and maintain performance at work. Let’s be honest, cybersecurity was also rarely front of mind for many.
What’s more, the use of unsecured personal devices, unprotected WiFi networks and the lack of security on endpoints, such as smart devices and printers, also significantly contributed to surging threat levels.
Perhaps most shockingly, 44% of employees working in the legal sector admitted that they’re less likely to follow safe data practices when working remotely. This is because many workers feel they can get away with ‘cyber security workarounds’ when working from home, which may shave a few seconds off their working day, but come at the cost of potentially exposing extremely sensitive information.
However, internal data leaks or breaches are not always ‘just an accident’ or the result of lazy but well-intentioned employees – some may have more malicious intentions.
In fact, 34% of legal and professional services employees admitted to downloading, saving, or sending work-related documents to personal accounts before leaving or after being dismissed from a job.
And according to Tessian platform data, at least 27,500 non-compliant, unauthorised emails are sent every year in organisations with 1,000 employees. Security leaders estimated just 720.
So what can IT leaders in financial services do to tackle the DLP problem?
Revenue loss is a huge concern for legal firms, and Tessian’s research showed that security leaders are more than three times as worried about losing revenue as a direct result of a data breach as they are about losing customers or their trust.
When asked about the most effective way to keep data secure, 32% of the security leaders we surveyed said following company policies and procedures, 23% said physical security, 22% said security awareness training, and 22% said software and tools.
But, one single solution isn’t enough – employees don’t always follow policies and procedures, and there’s no guarantee that security awareness training alone will change behaviour long-term. Rule-based DLP is also a blunt instrument that impedes employee productivity and creates too much noise for thinly-stretched security teams.
It takes a village to prevent data loss, and the best data protection programmes take a nuanced and holistic approach by combining all of the above. Software that analyses risk, and uses artificial intelligence to adapt in real time to suspicious activity based on an employee’s normal behaviour and risk assessment, should be part of your data loss prevention strategy if you are going to mitigate the threats that are slipping past your current email security solutions.
Combine this with training that is tailored to each employee based on their security weaknesses, and delivered consistently, to manage many of the human-error-based risks which threaten data security in your law firm.
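The article describes behaviour-based checking of outgoing email without showing how such a check works. The following is an added example, not Tessian’s code or a description of its product: it models one narrow piece of the idea, comparing each recipient of an outgoing message against the sender’s own sending history and flagging the two failure modes the article names, a near-miss of a known contact (the fat-fingered recipient) and a send to a personal webmail account. The sent-mail history, the list of personal domains and the edit-distance threshold are all constructed assumptions for the demonstration.

```python
"""Flag likely misdirected or policy-relevant recipients on an outgoing email.

Added example (not Tessian's code). It checks each recipient against the
sender's normal behaviour (who they have emailed before) and returns a
verdict the mail client or gateway could surface before the message leaves.
"""
from collections import Counter

# Constructed sample history: addresses this sender has mailed before, with counts.
# A real deployment would build this from the sender's sent-mail folder.
SENT_HISTORY = Counter({
    "j.smith@example-law.com": 42,
    "anna.kowalski@clientcorp.example": 17,
    "counsel@opposing-firm.example": 5,
})

# Assumed list of personal-webmail domains; a real deployment maintains its own.
PERSONAL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com"}

# Assumed threshold: two addresses this close are treated as look-alikes.
MAX_DISTANCE = 2


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance: insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def known_domains(history):
    """Domains the sender has previously emailed."""
    return {addr.rsplit("@", 1)[-1] for addr in history}


def assess_recipient(recipient: str, history=SENT_HISTORY):
    """Return (verdict, detail) for a single recipient address."""
    addr = recipient.strip().lower()
    if addr in history:
        return ("ok", f"sent to {history[addr]} times before")

    domain = addr.rsplit("@", 1)[-1]
    if domain in PERSONAL_DOMAINS:
        return ("warn-personal", "personal webmail domain; check against policy")

    # Unseen address: is it a near miss of someone the sender usually emails?
    if history:
        dist, closest = min((levenshtein(addr, k), k) for k in history)
        if dist <= MAX_DISTANCE:
            return ("warn-lookalike",
                    f"never sent to before, but within {dist} edits of {closest}")

    if domain not in known_domains(history):
        return ("warn-new-domain", f"first email to domain {domain}")
    return ("new-recipient", "unseen address at a previously used domain")


def check_message(to_addrs, history=SENT_HISTORY):
    """Assess every recipient; returns a list of (address, verdict, detail)."""
    return [(a,) + assess_recipient(a, history) for a in to_addrs]


if __name__ == "__main__":
    # Constructed outgoing message: one good recipient, one fat-fingered one.
    for addr, verdict, detail in check_message(
            ["j.smith@example-law.com", "j.smyth@example-law.com"]):
        print(f"{addr}: {verdict} ({detail})")
```

The verdicts are deliberately advisory rather than blocking: a look-alike warning is meant to be shown to the sender at send time, where a one-line prompt costs seconds, whereas a hard block would turn a rare typo into the kind of noisy rule-based DLP the article criticises. Per-sender history is what makes the check precise; a firm-wide contact list would mark far more addresses as “known” and miss the case where an individual has simply never emailed that person.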
Tim co-founded Tessian in 2012. Tessian uses machine learning to prevent data breaches and security threats caused by human error.