Request a Demo of Tessian Today.

Automatically stop data breaches and security threats caused by employees on email. Powered by machine learning, Tessian detects anomalies in real-time, integrating seamlessly with your email environment within minutes and starting protection in a day. Provides you with unparalleled visibility into human security risks to remediate threats and ensure compliance.

Prepare for the next wave of email attacks at Fwd: Thinking on Nov 2 | Save Your Seat →

Data Loss Prevention in Legal

Data loss prevention (DLP) is a top priority for security leaders across industries, especially in the highly-regulated legal sector.

But, because legacy DLP solutions are reactive instead of proactive, most IT teams don’t have clear visibility of data movement or employee behavior. That means preventing data loss and avoiding breaches can be an uphill battle.

Our latest research can help.

30,000-foot view: DLP in the legal sector

Whether it be a partner, a paralegal, or a secretary, employees working in the legal sector handle an incredible amount of sensitive information, from medical and financial data to merger and acquisition (M&A) data. 

To protect clients, earn their trust, and stay compliant, firms take DLP seriously. But, insider threats are still a big problem.

Last year, three-fourths (75%) of all security incidents in the legal sector reported to regulators were caused by insiders, both negligent and malicious. The vast majority of incidents, though, were caused by human error. For example, fat fingering an email to a similarly-named recipient or a failure to redact.

Email: your firm’s leaky pipeline

When it comes to DLP, security leaders have hundreds – if not thousands – of networks and endpoints to monitor and lock down. And, while devices and file sharing applications are on everyone’s radar, when asked what threat vector they’re most concerned about protecting, security leaders said email. 

It makes sense. 

Over 306.4 billion emails were sent and received in 2020 and employees spend 40% of their time on email. Accidents happen. 

But a simple mistake can cause big problems, especially with strict data privacy laws like the GDPR and American Bar Association Rule 1.6. Of course, individual clients may have their own regulatory requests, too.

Unfortunately, accidents happen a lot more frequently than security leaders estimate.

Just the tip of the iceberg

According to Tessian platform data, at least 800 emails are sent to the wrong person in companies with 1,000 employees each year. That’s more than two every day

This number may be even higher in the legal sector, though, with 55% of legal and professional services employees admitting to having sent an email to the wrong person before. 

Depending on the case and the seniority of the employee, these emails could contain witness statements, medical records, market-sensitive information, or sensitive HR data.

Meanwhile, security leaders estimate just 480 are sent every year. That means visibility is a big problem, that self-reporting mistakes isn’t a viable solution, and that legacy DLP solutions aren’t effectively stopping data loss.

Driven to distraction at work and at home

So, why do employees make mistakes at work that compromise security? According to employees, the top three reasons are: stress, fatigue, and distraction.

And, while many firms are slowly transitioning back to the office, others are adopting permanent remote and hybrid working environments. Unfortunately, as documents and files continue being shared and accessed from different locations, potential security risks increase.

This is especially the case since 15% of employees working in the legal sector don’t think their company has the policies and procedures in place to allow them to work safely both remotely and in the office. Worse still, 44% of employees working in the legal and professional services industries say they’re less likely to follow safe data practices when working remotely.

It’s not always “just an accident”

Security leaders know that the vast majority of employees are well-intentioned and want to build a security culture based on trust. While, more often than not, a partner will only break company policies or circumvent rule-based solutions to get their jobs done, some may have more malicious intentions.  

34% legal and professional services employees admit to downloading, saving, or sending work-related documents to personal accounts before leaving or after being dismissed from a job. 

And according to Tessian platform data, at least 27,500 non-compliant, unauthorized emails are sent every year in organizations with 1,000 employees. Security leaders estimated just 720.

What is an Unauthorized Email?
The Risks of Sending Data to Your Personal Email
An unauthorized email is an email sent to a personal email account or a third-party that contains sensitive information. While this isn’t always malicious, it is generally against security policies and could be a sign of intentional data exfiltration.
The biggest concern? Revenue.

Our research shows that, across industries, security leaders are most worried about losing customers and their trust and lost data in the aftermath of a breach.

But, if you break that data down even further and isolate security leaders working in legal and professional services specifically, you can see a stark difference. Instead of losing customer trust and lost data, they’re more than three times as likely to say that their top concern is revenue loss.

It makes sense. A breach sends a bad signal to existing and potential clients, which can impact the firm’s bottom line. 

Mark Parr, Global Director of IT at HFW said it best, “You’re only going to win more work if you’re reputable. And you’re only going to be reputable if you demonstrate you have a strong information security framework”.

How to build a strong information security framework

Enough about the problem. Let’s talk about solutions.

When asked about the most effective way to keep data secure, 32% of security leaders said following company policies/procedures. 23% said physical security. 22% said security awareness training. And 21% said software/tools.

But, we all know one single solution isn’t enough. Why? Because employees don’t always follow policies and procedures (especially if they make their job harder to do), security awareness training alone can’t change behavior long-term, and rule-based DLP is a blunt instrument that impedes employee productivity and creates too much noise for thinly-stretched security teams. 

It takes a village to prevent data loss and the best data protection programs take a nuanced and holistic approach by combining all of the above.

A different approach to DLP

Law firms like Dentons, DAC Beachcroft, Clifford Chance, and Clyde & Co trust Tessian to keep their critical client and employee data safe. Across two solutions, Tessian automatically detects and prevents misdirected emails, mistattached files, and unauthorized emails and puts data at security leaders’ fingertips.  No rules required. 

Better still, Tessian helps improve employees’ security reflexes long-term with in-the-moment warnings that reinforce security policies while nudging them towards safer behavior over time. And, with employee risk scores that update automatically, security leaders get a bird’s eye view of their most risky and at-risk employees.

It’s the only solution that offers protection, training, and risk analytics all in one platform, giving security leaders a clear picture of their organization’s risk and the tools needed to reduce that risk.

Download the Full Report
The State of Data Loss Prevention in Legal 2021
To read more about DLP in the legal sector, and to learn how easy it is to track and protect sensitive data with Tessian, download the report now.
In addition to using Tessian platform data, we commissioned OnePoll to survey 2,000 working professionals: 1,000 in the US and 1,000 in the UK; additionally OnePoll surveyed 250 IT leaders in the US.

Survey respondents varied in age from 18-51+, occupied various roles across departments and industries, and worked within organizations ranging in size from 2-1,000+.

We also interviewed several IT, security, and compliance professionals with diverse backgrounds, all of whom provided insights that helped frame this report.
Publically available third-party research was also used, with all sources listed in the downloadable PDF.

Midpoints and averages were used when calculating some figures and percentages may not always add up to 100% due to rounding.