*/
With 2021 firmly in the rearview mirror, and optimists carefully listening for the first chaffinch song of spring, it is easy to forget that within the last 12 months one chambers sought an injunction against ‘persons unknown’ from disseminating information obtained in a ransomware attack, and the Bar Council described cyberattacks as a ‘wake-up call’.
Last year was significant for cyber threats to the Bar. Working from home continued as a result of the pandemic, impacting upon overall security concerns. High-profile attacks on prominent chambers and law firms put the legal profession at the forefront of cyber news.
Past warnings should still be fresh in people’s minds. The Bar Council suggested chambers ‘check the security of their information networks’ and ensure that ‘their critical business interruption plans are up to date and effective’.
But if these are the warnings of the past, what are the worries for the future? It may be ‘so 2021’ to be subject to a ransomware attack but unfortunately, unless chambers is aware of the potential future threats, it may also be an issue in 2022, 2023 and so on. Indeed, in March news broke that a criminal defence firm was fined £98,000 by the Information Commissioner’s Office (ICO) following a ransomware attack.
Previous advice in Counsel on the essential protection from cyberattack, and the best ways to respond, remains valid and appropriate in most circumstances. However, the following are five areas to consider going into 2022:
Domestic internet service providers are now boasting that wi-fi connections can support 100 devices. If this is an indication of the continued growth of the Internet of Things (IoT) in a home, then consider a set with dozens of tenants, clerks and support staff. It is not merely each having their own laptops, mobile phones, tablets, smart-watches and bluetooth-connected headphones. The chances are that if chambers buys any new equipment, whether an essential work device like a printer or a new fridge-freezer, it is highly likely that this could potentially access the chambers’ network.
These IoT devices often contain the minimum cyber-security protection required in order to maximise the efficiency of the primary function and minimise the cost of the device. And chambers should not underestimate the proliferation of IoT devices and the threat that these pose. Security cameras, smart TVs and internet-connected appliances were used by the Mirai Botnet to attack websites in a denial-of-service attack. If you have remote access to something in chambers, then an IoT device is being used. This could either be a tool for a hacker or an access point into your network.
The best advice: understand what IoT devices are being used in chambers, and ensure that security functions within the device are engaged. The default setting for many IoT devices is to allow access without restriction. This facilitates the initial connection to a network and increases the speed of the device. But this then generates a point of weakness within the network. Once you have completed the initial set-up, apply the highest security level available. You must also regularly update software for the device to ensure that historic bugs cannot be utilised to gain access to the device and consequently into your systems.
It is unsurprising that as the risk environment for cyberattacks becomes more precarious, the premiums associated with cyber insurance increase. It is not merely the increased headline cost of the premium which could impact upon chambers. Many insurance companies are now requiring additional security measures in order to keep premiums at their lowest level. Like a home insurer requiring windows and doors to be equipped with locks that meet a certain standard, going into 2022, cyber-insurers will now likely require, as standard, multi-factorial authentication (MFA) to access crucial chambers’ systems. Chambers may also be required to provide assurances that proper policies and procedures are in place to deal with ‘disaster recovery’.
The Bar Council IT Panel provides a wide range of guidance on the breadth of IT issues likely to impact barristers individually and chambers collectively. Just because you have read the guidance once does not necessarily mean that you are applying best practice. Chambers’ policies and procedures should be regularly updated and cross-referenced against the updates provided by the IT Panel.
If the renewal of chambers’ insurance does not requires a sudden move to MFA and a reconsideration of policies and procedures, then government regulation may impact upon cyber security considerations in 2022. Three key strategies from the ICO came to a conclusion in 2021: Information rights strategic plan 2017-2021; Technology Strategy 2018-2021; and International Strategy 2017-2021. Further, ICO Openness by Design comes to a conclusion this year. In the context of increased US regulation following the SolarWinds intrusion and the Colonial Pipeline ransomware attack, it is highly likely that the ICO will publish strategies targeting cyber security to protect personal data.
Self-employed barristers are all individually registered with the ICO, meaning that each is personally responsible for implementing any new strategic vision. ICO policies do not tend to be prescriptive. However, barristers will need to have at least some awareness of any new duty in processing personal data. Again, the Bar Council will seek to publish guidance on any ICO initiative which significantly impacts upon people’s practice but it is incumbent upon those at the Bar to be mindful that potential changes may be coming this year.
Supply chain concerns do not just affect retail or construction firms. If you use email, you are subject to a software supply chain. And going into 2022 it will be the software supply chain, rather than individual companies, which will be targeted by ransomware attacks. A successful ransomware attack on a technology company or internet service provider can impact upon hundreds if not thousands of companies, with the corresponding benefit to the hackers also increasing.
Chambers may not have the expertise in-house to monitor email security, Microsoft’s operating systems and/or cloud collaboration tools. These should be raised as a point of concern with any external IT provider.
‘Spear-phishing attacks’, however, when cybercriminals personalise emails to fit a smaller group of individuals so as to appear more authentic, are an area that barristers should be considering. Any suspicious emails should immediately be raised within chambers using an appropriate method. This might include having a single contact who notifies chambers when concerns arise, or having an alert function within chambers management software. Never forward on a suspicious email. Notify the appropriate person, who can identify whether attacks have been sent to multiple members of chambers.
Spear-phishing and traditional phishing attacks are successful because they target the weakest point within any chambers’ network: people.
Within companies, security teams are being encouraged to reach out and engage employees to ensure that people are aware of the most recent threats. A similar approach should be adopted in chambers. Articles or guidance relevant to cyber security should be circulated, and people encouraged to engage with the concerns that are coming in the future.
Sam Thomas is a barrister at 2BR. He is the co-author of Cyber Security: Law and Practice (LexisNexis: 2019) and Blockchain and Cryptocurrency: International Legal and Regulatory Challenges (Bloomsbury: 2019). Sam sits on the Bar Council IT Panel and is Vice Chair of the Association of Regulatory and Disciplinary Lawyers. Sam’s practice encompasses advocacy and advice in cyber compliance and regulatory law, for which he was recognised by Chambers & Partners and the Legal 500, 2021-2023.
With 2021 firmly in the rearview mirror, and optimists carefully listening for the first chaffinch song of spring, it is easy to forget that within the last 12 months one chambers sought an injunction against ‘persons unknown’ from disseminating information obtained in a ransomware attack, and the Bar Council described cyberattacks as a ‘wake-up call’.
Last year was significant for cyber threats to the Bar. Working from home continued as a result of the pandemic, impacting upon overall security concerns. High-profile attacks on prominent chambers and law firms put the legal profession at the forefront of cyber news.
Past warnings should still be fresh in people’s minds. The Bar Council suggested chambers ‘check the security of their information networks’ and ensure that ‘their critical business interruption plans are up to date and effective’.
But if these are the warnings of the past, what are the worries for the future? It may be ‘so 2021’ to be subject to a ransomware attack but unfortunately, unless chambers is aware of the potential future threats, it may also be an issue in 2022, 2023 and so on. Indeed, in March news broke that a criminal defence firm was fined £98,000 by the Information Commissioner’s Office (ICO) following a ransomware attack.
Previous advice in Counsel on the essential protection from cyberattack, and the best ways to respond, remains valid and appropriate in most circumstances. However, the following are five areas to consider going into 2022:
Domestic internet service providers are now boasting that wi-fi connections can support 100 devices. If this is an indication of the continued growth of the Internet of Things (IoT) in a home, then consider a set with dozens of tenants, clerks and support staff. It is not merely each having their own laptops, mobile phones, tablets, smart-watches and bluetooth-connected headphones. The chances are that if chambers buys any new equipment, whether an essential work device like a printer or a new fridge-freezer, it is highly likely that this could potentially access the chambers’ network.
These IoT devices often contain the minimum cyber-security protection required in order to maximise the efficiency of the primary function and minimise the cost of the device. And chambers should not underestimate the proliferation of IoT devices and the threat that these pose. Security cameras, smart TVs and internet-connected appliances were used by the Mirai Botnet to attack websites in a denial-of-service attack. If you have remote access to something in chambers, then an IoT device is being used. This could either be a tool for a hacker or an access point into your network.
The best advice: understand what IoT devices are being used in chambers, and ensure that security functions within the device are engaged. The default setting for many IoT devices is to allow access without restriction. This facilitates the initial connection to a network and increases the speed of the device. But this then generates a point of weakness within the network. Once you have completed the initial set-up, apply the highest security level available. You must also regularly update software for the device to ensure that historic bugs cannot be utilised to gain access to the device and consequently into your systems.
It is unsurprising that as the risk environment for cyberattacks becomes more precarious, the premiums associated with cyber insurance increase. It is not merely the increased headline cost of the premium which could impact upon chambers. Many insurance companies are now requiring additional security measures in order to keep premiums at their lowest level. Like a home insurer requiring windows and doors to be equipped with locks that meet a certain standard, going into 2022, cyber-insurers will now likely require, as standard, multi-factorial authentication (MFA) to access crucial chambers’ systems. Chambers may also be required to provide assurances that proper policies and procedures are in place to deal with ‘disaster recovery’.
The Bar Council IT Panel provides a wide range of guidance on the breadth of IT issues likely to impact barristers individually and chambers collectively. Just because you have read the guidance once does not necessarily mean that you are applying best practice. Chambers’ policies and procedures should be regularly updated and cross-referenced against the updates provided by the IT Panel.
If the renewal of chambers’ insurance does not requires a sudden move to MFA and a reconsideration of policies and procedures, then government regulation may impact upon cyber security considerations in 2022. Three key strategies from the ICO came to a conclusion in 2021: Information rights strategic plan 2017-2021; Technology Strategy 2018-2021; and International Strategy 2017-2021. Further, ICO Openness by Design comes to a conclusion this year. In the context of increased US regulation following the SolarWinds intrusion and the Colonial Pipeline ransomware attack, it is highly likely that the ICO will publish strategies targeting cyber security to protect personal data.
Self-employed barristers are all individually registered with the ICO, meaning that each is personally responsible for implementing any new strategic vision. ICO policies do not tend to be prescriptive. However, barristers will need to have at least some awareness of any new duty in processing personal data. Again, the Bar Council will seek to publish guidance on any ICO initiative which significantly impacts upon people’s practice but it is incumbent upon those at the Bar to be mindful that potential changes may be coming this year.
Supply chain concerns do not just affect retail or construction firms. If you use email, you are subject to a software supply chain. And going into 2022 it will be the software supply chain, rather than individual companies, which will be targeted by ransomware attacks. A successful ransomware attack on a technology company or internet service provider can impact upon hundreds if not thousands of companies, with the corresponding benefit to the hackers also increasing.
Chambers may not have the expertise in-house to monitor email security, Microsoft’s operating systems and/or cloud collaboration tools. These should be raised as a point of concern with any external IT provider.
‘Spear-phishing attacks’, however, when cybercriminals personalise emails to fit a smaller group of individuals so as to appear more authentic, are an area that barristers should be considering. Any suspicious emails should immediately be raised within chambers using an appropriate method. This might include having a single contact who notifies chambers when concerns arise, or having an alert function within chambers management software. Never forward on a suspicious email. Notify the appropriate person, who can identify whether attacks have been sent to multiple members of chambers.
Spear-phishing and traditional phishing attacks are successful because they target the weakest point within any chambers’ network: people.
Within companies, security teams are being encouraged to reach out and engage employees to ensure that people are aware of the most recent threats. A similar approach should be adopted in chambers. Articles or guidance relevant to cyber security should be circulated, and people encouraged to engage with the concerns that are coming in the future.
The beginning of the legal year offers the opportunity for a renewed commitment to justice and the rule of law both at home and abroad
By Louise Crush of Westgate Wealth Management sets out the key steps to your dream property
A centre of excellence for youth justice, the Youth Justice Legal Centre provides specialist training, an advice line and a membership programme
By Kem Kemal of Henry Dannell
By Ashley Friday of AlphaBiolabs
Providing bespoke mortgage and protection solutions for barristers
Joanna Hardy-Susskind speaks to those walking away from the criminal Bar
Imposing a professional obligation to act in a way that advances equality, diversity and inclusion is the wrong way to achieve this ambition, says Nick Vineall KC
From a traumatic formative education to exceptional criminal silk – Laurie-Anne Power KC talks about her path to the Bar, pursuit of equality and speaking out against discrimination (not just during Black History Month)
Yasmin Ilhan explains the Law Commission’s proposals for a quicker, easier and more effective contempt of court regime
James Onalaja concludes his two-part opinion series
