Jean-Yves Gilg

Editor, Solicitors Journal

Human error the most likely source for data security breaches in law firms

Complicated internal procedures lead to employees finding ways to take matters into their own hands

A quarter of people working in the legal sector have disabled the password protection features on work laptops, mobiles, or tablet devices because they found them 'annoying', according to new research.

The study by telecoms and IT firm Daisy Group looked at data security risks in UK businesses. It found that, despite the risk to their employer of criminal proceedings and heavy fines, three-quarters of workers in the legal sector would not report a serious data protection breach to their employer if they thought it would get one of their colleagues into trouble.

In addition, the research discovered that a third of people who did have password protection said they did not change their passwords regularly, and one in seven admitted their password would be easy to guess.

Also of note was the finding that if requested by a third party to email a client's home address and phone number outside the firm - thereby breaching the Data Protection Act - one in ten people said they would send the details without querying the request, as they did not think anyone would mind.

When asked if data security was an important issue for the firm they worked for, one in seven legal sector workers said they had no idea.

Daisy Group's cloud specialist, Graham Harris, said: 'When it comes to data security, all too often firms focus purely on IT processes and forget about the staff that will be using them.

'As our research identified, human error is one of, if not the most likely source for data security issues, and fear of reprisal is a powerful force. Firms must be proactive and educate their staff about what data security processes and policies there are, why they exist, what the staff member's responsibilities are and reassure them about what to do in the event of a problem.'

New cloud-based technology gives companies more control over smartphones and tablet computers by letting them remotely track and wipe the contents of any lost or stolen devices, thereby ensuring the information remains confidential.

According to one statistic, 180,000 computing and communication devices were lost or stolen in the UK in 2014. However, it is likely the true figure is much higher as not all thefts are reported to the police.

Harris explained: 'It is important to "common sense" test any security system. Procedures that are complicated or disrupt the working environment often result in employees finding ways to circumnavigate them or taking matters in their own hands. Similarly, it is important to plan for human error and problems, such as theft or loss of devices that carry important data, so that when they do occur, they can be dealt with quickly and effectively.'

The EU is currently considering a reform of data protection law which will require organisations to report data protection breaches to the relevant authorities within 24 hours. It is anticipated that the penalties for failure to comply will increase to as much as €100m. The legislation changes are expected to be in force by the end of 2018.