IT company CREDANT Technologies interviewed 100 UK small to medium-sized law firms and revealed that lawyers were about as “clueless” as other professionals when it came to respecting client confidentiality.
Over 90% of lawyers surveyed believed their data was protected because they secured it with a password; however, a third protected information with encryption, and 4% did not use any security.
In addition to this, 37% of respondents believed that if they lost their mobile it would be insecure as a hacker or identity thief could access the data, while only 13% had lost a mobile but were confident it could not be breached or used against them because they had encrypted the data.
Typically, the documents most vulnerable to exposure included case-notes, contracts and client details. Lawyers tended to store a variety of highly sensitive information on their mobile, including business emails, work and client contact details, client records, contracts, case files and even security passwords and access codes.
Ex-hacker and IT security consultant Robert Schifreen believes passwords are no longer adequate for data security. “You can download cracking software from Google that can break the average password in less than 30 minutes; the only answer is, if you store sensitive data, you must encrypt it,” he said.
Michael Callahan of Credant suggested that firms can improve data protection by ensuring all handheld, laptop and desktop devices and removable media are encrypted, managed and controlled. This would enable IT departments to suspend access to information if a device is misplaced or stolen.
Tips to ensure IT security
* Encrypt data on all devices if it’s sensitive
* Find solutions that can detect devices trying to connect to the enterprise and synchronise data
* Ensure the encryption solution is transparent to end-users and doesn’t interfere with any operational activities
* IT departments should never leave data security up to the end user; rather, they should control and manage it centrally
* Corporate governance requires firms to have security and prove it, so use a solution that includes a central management console to ensure every machine is protected and can be tracked