Most lawyers believe that passwords alone offer enough data security

Quarter of law firms admit to losing confidential data

Lawyers regularly download sensitive data onto unprotected personal devices

vnunet.com, 28 Oct 2008

Nearly a quarter of UK law firms have admitted to losing confidential data, according to a recent survey by Credant Technologies.

The data protection firm's survey of 100 law firms across the country found 24 per cent of respondents admitted to misplacing at least one mobile device containing confidential documents, putting case notes, contracts and client details at risk.

Just 13 per cent of those who said they had lost a device believed the data was protected as the device was secured and the information encrypted. On the other hand, almost four out of 10 (37 per cent) of the lawyers surveyed believed that if they did lose their mobile device the data would be easily accessible to a hacker.

While a third of respondents said they encrypt their data now, over 90 per cent believe a password alone is sufficient to protect the data. However, according to ex-hacker turned IT security consultant Robert Schifreen passwords are not up to the job of protecting sensitive information on a mobile device.

"You can download cracking software from Google that can break the average password in less than 30 minutes," he said. "These findings show just how naive the legal profession is when it comes to data security and I suspect other professions are just as bad, if not worse. The only answer is, if you store sensitive data you must encrypt it."

The study found that one of the biggest security gaps stemmed from the fact that one in five lawyers use their own personal mobile phones, notebooks and USB drives to store client and corporate information.

"It's worrying to note that so many unprotected devices have gone missing over the past few years, but personally I'm more concerned by how many personal mobile devices are being used by lawyers that clearly bypass any security procedures set up by the legal firm," said Michael Callahan, vice president of Global Marketing at Credant.

"This creates an uncontrollable environment for the IT security staff as they simply can't keep track of which devices they've secured and which they haven't. "

Callahan recommended that all organisations "implement a data protection policy that ensures all handheld, laptop and removable media are encrypted, managed and controlled centrally, which then enables the IT guys to be able to suspend access to the information if it is misplaced or stolen".