Insider data breaches are a 'major concern' for a staggering 96% of IT leaders in the legal sector, according to a recent study.

The survey, conducted by human layer security company Egress, found that 77% of IT leaders think employees have put data at risk accidentally in the past 12 months, and worryingly, 78% think workers have done it intentionally.

Responses from legal sector employees shows they are twice as likely as those from other sectors to admit both intentionally and accidentally breaking company policy when sharing data. Fifty-seven per cent said they had intentionally broken company policy compared with 29% average across all sectors, and 56% said they had done so accidentally, compared with 27% on average.

IT leaders from the legal sector are more pessimistic than average about the risk of future breaches. 44% say it is likely employees will put data at risk in the coming year – eight percentage points above average.

The research uncovered a concerning reliance on traditional technologies to prevent insider breaches. Just over half of legal sector IT leaders said they are using anti-virus software to combat phishing attacks and only 43% are using email encryption. There is also a worrying reliance on self-reporting of incidents, with 61% of IT leaders saying that the most likely way of detecting an insider data breach is via employees notifying them.

Egress CEO Tony Pepper, said: “Given the sensitivity of the information they handle, the legal industry is one of the most at-risk sectors from both accidental and intentional insider data breaches. While they acknowledge the sustained risk, bizarrely IT leaders have not adopted new strategies or technologies to mitigate the threat. They are also relying far too heavily on their staff to self-report incidents, something our analysis suggests is totally ineffective. In essence, they are adopting a risk posture in which at least 44% of employees putting data at risk is deemed acceptable.

“The severe penalties for data breaches mean IT leaders must action better risk management strategies, using advanced tools to prevent insider incidents. They also need better visibility of risk vectors; relying on employees to report incidents is not an acceptable data protection strategy.”