A recent study has revealed that legal sector employees are twice as likely as employees in other sectors to breach company policy when sharing data.
Today, Egress published the legal sector analysis of its second global Insider Data Breach Survey, which focused on the causes, frequency and implications of internal security breach incidents, as well as the perspectives of IT leaders and employees on risk, ownership and responsibility.
The survey revealed that an overwhelming 96% of IT leaders in the sector state that insider breach risk is a major concern.
Shockingly, 77% of IT leaders think employees have put data at risk accidentally, whilst 78% think employees intentionally put data at risk.
When asked about the implications of these breaches, 36% stated that financial damage would be the area of greatest impact.
The survey found that legal sector employees are twice as likely as those from other sectors to admit to both intentionally and accidentally breaking company policy when sharing data: over half (57%) admitted to intentionally breaking company policy, compared with the 29% average across all sectors.
The findings make clear that IT leaders from the legal sector are more pessimistic than average about the risk of future breaches, with 44% claiming it is likely that employees will put data at risk in the coming year.
The research uncovered a concerning reliance on traditional technologies to prevent insider breaches. Just over half of legal sector IT leaders said they are using anti-virus software to combat phishing attacks and only 43% are using email encryption. There is also a worrying reliance on self-reporting of incidents, with 61% of IT leaders saying that the most likely way of detecting an insider data breach is via employees notifying them.
“Given the sensitivity of the information they handle, the legal industry is one of the most at-risk sectors from both accidental and intentional insider data breaches,” said Egress CEO Tony Pepper.
“While they acknowledge the sustained risk, bizarrely IT leaders have not adopted new strategies or technologies to mitigate the threat. They are also relying far too heavily on their staff to self-report incidents, something our analysis suggests is totally ineffective. In essence, they are adopting a risk posture in which at least 44% of employees putting data at risk is deemed acceptable.
“The severe penalties for data breaches mean IT leaders must action better risk management strategies, using advanced tools to prevent insider incidents. They also need better visibility of risk vectors; relying on employees to report incidents is not an acceptable data protection strategy.”
The top causes of accidental insider data breaches in legal companies were misdirected and phishing emails: 55% of legal sector employees admitted accidentally leaking data because of a phishing email. Another 31% stated they caused a breach by sending information to the wrong person.
Tony Pepper adds: “Incidents of people accidentally sending data to incorrect recipients have existed for as long as they’ve had access to email. As a fundamental communication tool, organisations have weighed the advantages of efficiency against data security considerations, and frequently compromise on the latter.”
“However, we are in an unprecedented time of technological development, where tools built using contextual machine learning can combat common issues, such as misdirected emails, the wrong attachments being added to communications, auto-complete mistakes, and employees not using encryption tools correctly. Organisations need to tune into these advances to truly be able to make email safe.”