Its paper, titled Legal and Law Enforcement: Information Access Compliance, found that, in particular, approaches to login security are extremely poor.
For example, the authors found that 28% of legal employees do not have a unique user login for their employer’s network. Shockingly, 23% do not require a login at all.
“The information that passes through legal professionals hands can be incredibly sensitive, and naturally attorney-client privilege must be taken into account,” said Francois Amigorena, CEO of IS Decisions.
“It is important to have a reliable system in place to manage and track access to this information and it doesn’t have to be a complicated process.
“This can be easily achieved with the right combination of implementing access control policies, applying user identity verification and improving user activity auditing.”
The study also revealed that approximately one third of new employees did not receive any security training when they joined a legal enterprise, while less than half of existing employees have subsequently received such training.
The findings come on the back of a legal security expert warning that cybercriminals are turning their attention to the legal sector.
Speaking earlier this month to Legal Compliance Today, Neil Wood, cyber threat management consultant at Aabyss Computers, said that when it comes to cybersecurity, law firms are akin to “low-hanging fruit”.
He continued: “Law firms are a prime target. A single successful breach can potentially cost tens of thousands of pounds, valuable confidential client data stolen and a practice’s brand can be really damaged.
“The legal sector is a ‘honey pot’ of information, client data and client funds.”