With 2021 firmly in the rearview mirror, and optimists carefully listening for the first chaffinch song of spring, it is easy to forget that within the last 12 months one chambers sought an injunction against ‘persons unknown’ from disseminating information obtained in a ransomware attack, and the Bar Council described cyberattacks as a ‘wake-up call’.
Last year was significant for cyber threats to the Bar. Working from home continued as a result of the pandemic, impacting upon overall security concerns. High-profile attacks on prominent chambers and law firms put the legal profession at the forefront of cyber news.
Past warnings should still be fresh in people’s minds. The Bar Council suggested chambers ‘check the security of their information networks’ and ensure that ‘their critical business interruption plans are up to date and effective’.
But if these are the warnings of the past, what are the worries for the future? It may be ‘so 2021’ to be subject to a ransomware attack but unfortunately, unless chambers is aware of the potential future threats, it may also be an issue in 2022, 2023 and so on. Indeed, in March news broke that a criminal defence firm was fined £98,000 by the Information Commissioner’s Office (ICO) following a ransomware attack.
Previous advice in Counsel on the essential protection from cyberattack, and the best ways to respond, remains valid and appropriate in most circumstances. However, the following are five areas to consider going into 2022:
Domestic internet service providers are now boasting that wi-fi connections can support 100 devices. If this is an indication of the continued growth of the Internet of Things (IoT) in a home, then consider a set with dozens of tenants, clerks and support staff. It is not merely each having their own laptops, mobile phones, tablets, smart-watches and bluetooth-connected headphones. If chambers buys any new equipment, whether an essential work device like a printer or a new fridge-freezer, it is highly likely that the device can connect to the chambers’ network.
These IoT devices often contain the minimum cyber-security protection required in order to maximise the efficiency of the primary function and minimise the cost of the device. And chambers should not underestimate the proliferation of IoT devices and the threat that these pose. Security cameras, smart TVs and internet-connected appliances were used by the Mirai Botnet to attack websites in a denial-of-service attack. If you have remote access to something in chambers, then an IoT device is being used. This could either be a tool for a hacker or an access point into your network.
The best advice: understand what IoT devices are being used in chambers, and ensure that security functions within the device are engaged. The default setting for many IoT devices is to allow access without restriction. This facilitates the initial connection to a network and increases the speed of the device. But this then generates a point of weakness within the network. Once you have completed the initial set-up, apply the highest security level available. You must also regularly update software for the device to ensure that historic bugs cannot be utilised to gain access to the device and consequently into your systems.
It is unsurprising that as the risk environment for cyberattacks becomes more precarious, the premiums associated with cyber insurance increase. It is not merely the increased headline cost of the premium which could impact upon chambers. Many insurance companies are now requiring additional security measures in order to keep premiums at their lowest level. Like a home insurer requiring windows and doors to be equipped with locks that meet a certain standard, going into 2022, cyber-insurers will now likely require, as standard, multi-factor authentication (MFA) to access crucial chambers’ systems. Chambers may also be required to provide assurances that proper policies and procedures are in place to deal with ‘disaster recovery’.
The Bar Council IT Panel provides a wide range of guidance on the breadth of IT issues likely to impact barristers individually and chambers collectively. Just because you have read the guidance once does not necessarily mean that you are applying best practice. Chambers’ policies and procedures should be regularly updated and cross-referenced against the updates provided by the IT Panel.
If the renewal of chambers’ insurance does not require a sudden move to MFA and a reconsideration of policies and procedures, then government regulation may impact upon cyber security considerations in 2022. Three key strategies from the ICO came to a conclusion in 2021: Information rights strategic plan 2017-2021; Technology Strategy 2018-2021; and International Strategy 2017-2021. Further, ICO Openness by Design comes to a conclusion this year. In the context of increased US regulation following the SolarWinds intrusion and the Colonial Pipeline ransomware attack, it is highly likely that the ICO will publish strategies targeting cyber security to protect personal data.
Self-employed barristers are all individually registered with the ICO, meaning that each is personally responsible for implementing any new strategic vision. ICO policies do not tend to be prescriptive. However, barristers will need to have at least some awareness of any new duty in processing personal data. Again, the Bar Council will seek to publish guidance on any ICO initiative which significantly impacts upon people’s practice but it is incumbent upon those at the Bar to be mindful that potential changes may be coming this year.
Supply chain concerns do not just affect retail or construction firms. If you use email, you are subject to a software supply chain. And going into 2022 it will be the software supply chain, rather than individual companies, which will be targeted by ransomware attacks. A successful ransomware attack on a technology company or internet service provider can impact upon hundreds if not thousands of companies, with the corresponding benefit to the hackers also increasing.
Chambers may not have the expertise in-house to monitor email security, Microsoft’s operating systems and/or cloud collaboration tools. These should be raised as a point of concern with any external IT provider.
‘Spear-phishing attacks’, in which cybercriminals personalise emails to fit a smaller group of individuals so as to appear more authentic, are an area that barristers should be considering. Any suspicious emails should immediately be raised within chambers using an appropriate method. This might include having a single contact who notifies chambers when concerns arise, or having an alert function within chambers management software. Never forward on a suspicious email. Notify the appropriate person, who can identify whether attacks have been sent to multiple members of chambers.
Spear-phishing and traditional phishing attacks are successful because they target the weakest point within any chambers’ network: people.
Within companies, security teams are being encouraged to reach out and engage employees to ensure that people are aware of the most recent threats. A similar approach should be adopted in chambers. Articles or guidance relevant to cyber security should be circulated, and people encouraged to engage with the concerns that are coming in the future.