How are legal and law enforcement agencies implementing security training and enforcing security processes?
As we have mentioned, arguably the weakest point in any organisation’s security defences is its employees. People are by their nature human and mistakes happen with regards to IT security. In fact many external breaches occur irrespective of how strong the perimeter defences, firewalls and anti-virus tools are, because of employees who suffer a lapse in judgement or who are oblivious to good IT security practices.
One of the keys to minimising the ‘human’ risk is to ensure that employees receive regular IT security training and to enforce and communicate airtight security policies and procedures. You should never rely on technology alone to protect data.
Addressing the human side of security
Some of the high-profile attacks on organisations in 2014 and 2015, such as those as Sony Entertainment and JP Morgan, occurred as a result of compromised employee credentials, so companies are placing more and more importance on security training. Indeed, section 3 of ‘Lexcel England and Wales v6 Standard for legal practices’ specifically states that practices must conduct “training for personnel on information security.”
But despite the importance of training, far too many legal practices are putting data at risk by ignoring training at various stages of employment — and are therefore non-compliant. 69% of employees at legal practices in the UK and 71% in the US did not receive IT security training when they first joined the company. In addition, more than half (55%) in the UK and 48% in the US say that their organisation does not provide any security training whatsoever.
Enforcing security policies and procedures
Policies and procedures are the third part in the trinity of effective IT security along with training and technology. The legal industry in the US and the UK faces plenty of clear requirements around what to do in terms of policy and procedure — perhaps more so than in other industries. Lexcel, ISO 27001 and FISMA leave no stone unturned.
Section 3 of “Lexcel England and Wales v6” states that legal organisations must have separate documented policies for information management and security, email, internet access and social media. Section 5 states that legal practices must include a compliance plan as part of their risk management plan. Practices must also have a procedure for regular, independent file reviews of either the management of the file or its substantive legal content, or both.
In the US, one of NIST’s steps to FISMA compliance is to refine controls using a risk assessment procedure and document the controls in the system security plan.
ISO 27001 and 27002 go into more granular detail than any other standard or government law on what companies must do with regards to their IT security polices and procedures. Organisations must conduct a risk assessment and define a security policy. Within that security policy, organisations must define and allocate all information security responsibilities — and the contractual agreements with employees and contractors should state their and the organisation’s responsibilities for information security. All employees and contractors must apply information security in accordance with the policies and procedures of the organisation. Organisations must also establish, document and regularly review an access control policy based on the business’s information security requirements.
Many in the legal sector need to do more on security policies and procedures
Despite the granular detail and clear guidance on what organisations must do to achieve compliance, many are failing miserably to put in place effective policies and procedures. Just 71% UK employees in the legal world and 76% in the US are aware that their practice has a documented security policy at all, and 67% in the UK and 54% in the US are unaware if their organisation produces regular security audit reports. Furthermore, only 62% of UK and 69% of US practices enforce basic security like secure passwords, and 57% of UK and 43% of US practices do not clearly define roles and responsibilities with regards to IT security.
The lack of awareness among employees on policies extends to procedures in the event of a breach. More than half do not know who to report a breach to — lengthening the crucial time period in which an IT administrator can find and mitigate any damage. And as for internal breaches, just 29% of British employees are aware of the penalties the organisation would impose for data theft or leakages compared with 42% of US employees — despite clear guidance from ISO 27001 that states organisations must enforce and communicate a formal disciplinary process for those who have committed a breach.