Who is Holding the Keys in Your Law Office? – Vetting Employee Access to IT Systems

According to US-CERT, more than 40% of data breaches originate from within organizations. In an era where company data is stored digitally, your internal security needs to be a key focus of your overall information security strategy.

In the legal services industry, keeping your data secure is critical.

A robust security policy for 2018 and beyond must include an employee vetting program. Knowing your employees better can help you to mitigate risk and potentially eliminate what is considered by many to be the weakest link in data security.

Both Pre-Screening and Ongoing Screening Practices Can Protect Your Data and Legal Business

Recent studies have found that up to 55% of organizations have been victims of data breaches and security incidents initiated by negligent or outright malicious employee behavior. Pre-screening is an effective way to eliminate bad actors before they have the opportunity to cause damage to your business and your clients.

For pre-screening to be effective, it needs to be comprehensive. Several factors can increase the likelihood of employees acting maliciously.

Warning signs for employers in the legal industry include:

  • Employees with existing bad debt, high debt ratio, or a history of poor credit.
  • Employees who have made false claims about their education or professional experience.
  • Employees who have been terminated from previous positions for security-related concerns.
  • Employees who have a criminal history.

General background checks should be carried out on anybody who applies for a position within your organization. In the legal industry, reputations are important, and some legal firms are guilty of overlooking the vetting process when hiring employees or taking on partners who have good professional records.

Regardless of reputation, even seemingly trustworthy and reputable characters have the potential to misuse confidential company data. A poor financial situation, drug abuse, alcohol abuse, and family problems can all increase the risk of critical data breaches.

It’s quite simple; the more you know about employees and partners, the safer your business and your data will be. Background checks should be comprehensive and performed without prejudice, regardless of an individual’s standing in the legal community.

Screening Shouldn’t Stop Once the Hiring Process is Completed

Pre-screening helps to protect your business in the early stages of an employment relationship, but your commitment to data security does not stop there. Many perpetrators of fraud and other security breaches are first-time offenders. In some cases, the factors that lead to illegal or negligent activity do not develop until later in the employment relationship.

Ongoing screening further reduces risk. Divorces, financial hardship, and highly stressful life events (such as personal loss) can all lead to fraudulent or negligent behavior. A developing substance or alcohol problem can also lead to behavioral changes in otherwise high-performing and trustworthy employees.

Employees with long tenure typically have higher-level access to confidential data and computer systems. Ongoing vetting should be performed as an employee rises within your organization.

It’s also important to understand that previous cases of fraud or negligence may have gone unreported. Ongoing screening ensures that you can identify the bad actors who have slipped through the system.

The Stakes are Higher in Legal Organizations

Companies involved in legal services, whether practicing law firms or support firms, typically have more access to confidential and highly sensitive data. Commitment to security and maintaining the integrity of your data may be mandated by law, depending on the jurisdiction you operate in.

The simple fact is that your business cannot afford to ignore information security and the risk that employees pose. Pre-screening and regular screening are essential activities that should be implemented in your security policy immediately.