The number of recent ransomware attacks on barristers’ chambers is a reminder that you’re not immune from cyberattack. In 2018 the UK National Cyber Security Centre found that 60% of law firms had experienced an information security incident in the preceding year and issued a report highlighting how the legal sector is targeted by cybercriminals. You’re under attack because you hold commercially valuable and sensitive client information, and perhaps material that attracts ‘hacktivists’ with a political or ideological agenda. You’re also perceived to be a relatively soft target because too often the sector has treated cybersecurity as an IT concern, rather than as the strategic risk management issue it in fact is.
Cyberattacks pose a massive risk to chambers. At the very least there’s the cost of lost productivity when systems are down and data lost or corrupted. There could be the costs of extortion, eg ransomware victims can find themselves paying for a decryption code only to have criminals ask for more money to release it, and then come back for more against the threat that stolen data will be put in the public domain.
If stolen confidential data does get into the public domain, chambers will be in breach of both Bar and Law Society standards and could be liable to pay a heavy fine for breaching GDPR; cybersecurity insurance could also be invalidated. It will also likely cause devastating reputational damage. Chambers are therefore well advised to ensure they’re taking reasonable steps to protect themselves from cyberattacks.
A good place to start would be to conduct a quick cybersecurity audit. At what level is cybersecurity handled? Who sets the agenda? The most senior decision-makers in your chambers ought to be apprised of actions taken on cybersecurity at least quarterly. They ought to have signed off on an incident response plan that is regularly reviewed, and ought to regularly conduct testing of chambers’ cyber-defences.
Do you operate some relatively straightforward security practices, such as a fully documented and regularly tested back-up regime, protected against ransomware attacks via isolation or by other means? Do you use multi-factor authentication to protect access and validate user credentials? Do you regularly review privileged access and have standards in place on security protocols such as the length of passwords and how often they’re changed? Do you run device management solutions that monitor end user devices and ensure they meet minimum security standards?
Do you regularly train staff and barristers on the importance of cybersecurity? This is critical because ‘human error’ accounts for the vast majority of data breaches. People need an awareness of how cybercriminals operate and their so-called ‘social engineering’ techniques, eg ‘scareware’, where victims are scared into providing system access or sensitive information, or phishing emails that create a sense of time pressure, curiosity or fear to get victims to reveal sensitive information, click on a link to a malicious site, or open an attachment containing malware. After training’s done, chambers ought to conduct behaviour tests to make sure people continue to keep their defences high. Of course, the attack surface is larger for cybercriminals when people work from home. It’s difficult to control the devices they’re using. It’s harder to secure the network. It’s also harder to know when a member of staff is becoming acutely disaffected.
Are your systems in-house, in which case is all software, including anti-virus and anti-malware software, up to date, and do you operate additional protections, eg solutions that use AI to scan emails for anomalous content or pick up when an email is addressed to an out-of-context recipient, to prevent users simply sending information to the wrong person? Or do you use a reputable public cloud solution that takes care of data encryption and ensures safe storage and back-up but doesn’t offer any tailored advice or guidance or in-house protections? This is a strong option but probably doesn’t go far enough out of the box.
A third option is to work with a managed services provider that can supply a fully considered solution covering software and technology. Such organizations have experts who do cybersecurity for a living, with the sectoral knowledge and resources to keep up to date with evolving threats and best practice. This could make the difference between avoiding a devastating cyberattack and being obliterated by one.
Why Advanced? Our chambers management solution, MLC, is the solution of choice for forward-thinking chambers, and the data security measures we enforce are unparalleled for chambers management software. Speak to one of our experts about your chambers’ technology and security by booking a free health check with us.