Human error tops hacking as the biggest cause of law firm data security breaches

Majority of security failures in the UK last year were caused by carelessness, ICO data shows

7 May 2015

By Manju Manglani, Editor (@ManjuManglani)

There were 72 reported instances of data security failures by UK law firms last year, according to a Freedom of Information request to the Information Commissioner's Office (ICO).

Strikingly, the majority of the data security breaches were due to human error rather than hacking.

"Staff are often the weakest link in a risk control culture, either through a lack of training and education or through a desire to cut through what they see as overcomplicated processes that get in the way of their day jobs," commented RSM Tenon's Sheila Pancholi and David Morris in 'Data leaks: How to test your firm's data protection systems'.

The most common source of law firm security breaches last year was private data being sent to the wrong recipient by post, fax or email. These types of errors accounted for nearly a third of the incidents reported to the ICO.

Close behind was the loss or theft of confidential documents in hard copy format, with 21 incidents reported of this nature.

Failure to secure data stored on mobile devices was also highlighted as a cause of data protection issues. Unencrypted information being stored on devices that were not controlled by the firm accounted for 11 breaches last year.

However, malicious hacking of law firm security protocols accounted for only one reported breach. This is despite rising concerns over increases in targeted cyber attacks.

Managing the risks

With lawyers working remotely on mobile devices now a fact of working life, many firms have put in place bring-your-own-device and/or choose-your-own-device data security policies.

However, such policies are not always effective in managing the range of risks caused by mobile working.

A big challenge for IT teams is lawyers finding workarounds to restrictive security controls on their devices, which inadvertently puts their clients' data at risk.

"Is it possible to 'copy and paste' or to use 'open in' to transfer files from secure managed applications to insecure applications?" asked Stephen Brown, IT director at Higgs & Sons, in 'Hidden breaches: Safeguarding client data on lawyers' mobile devices'.

Security measures such as two-factor authentication to access the firm's servers can prevent some of the easier security breaches.

Said Brown: "What if a user has given 'password1' as the password for his cloud? Can you confidently answer 'where has the data from the phone or tablet gone and who could access it'?"

However, security protocols can only safeguard the firm so far when it comes to human error.

"Certain digital dictation apps allow lawyers to take pictures and attach them to a submission to a firm secretary or outsourced transcription service. What happens if a photo of confidential information is accidentally attached?"

Last year, the ICO revealed details of the most common digital security vulnerabilities, many of which resulted in monetary penalties.

"Our experiences investigating data breaches on a daily basis show that whilst some organisations are taking IT security seriously, too many are failing at the basics," said Simon Rice, the ICO's group manager for technology.

Law firms would be well advised to regularly test their data protection systems to ensure they are fully protecting sensitive client data.

However, a testing programme is "a supplement to the control environment and not a replacement for a properly thought-out strategy and set of controls," as Pancholi and Morris have warned.
