Sam Thomas sums up the three biggest cyber challenges for counsel and chambers in 2025 – and one beacon of hope
Predicting the future is hard. Last year UK bookmakers made approximately £1.78 billion on the basis that people tend to get it wrong. And that is people getting it wrong within the limited confines of a circumstance when there has to be a result. Trying to predict the future without limitation is even harder. Nostradamus tried predicting the future in stanzas of four lines but, to date, his third antichrist ‘Mabus’ has not revealed themselves.
And then in the world of technology, which is evolving so rapidly, the future becomes even less certain. In the 1975 film A Boy and His Dog, director and screenwriter L.Q. Jones predicted that in 2024, in a world ravaged by nuclear war, people could utilise genetic engineering to grant their pet dogs the power of telepathy, thereby allowing them greater protection in a post-apocalyptic world. While Jones’s predictions for last year were not entirely accurate, I hope that my predictions for the biggest cyber threats in 2025 are closer to being correct. So here are the three biggest cyber challenges for counsel this year (and one beacon of hope).
Regulatory change should not be considered a ‘threat’, but with the second Directive on Security of Network and Information Systems (NIS2) in force from 17 October 2024, and the Digital Operational Resilience Act (DORA) coming into force on 17 January 2025, certain sectors, including relevant financial entities and ICT third-party service providers, will begin 2025 ensuring that their regulatory compliance is up to scratch.
In general terms, chambers will not be affected by the new requirements contained within NIS2 and DORA, and those barristers who practise in critical infrastructure, personal privacy rights and/or data protection will have had these enforcement dates in their mind for at least six months (if not longer).
However, NIS2 and DORA signal a step towards increasing regulatory oversight after a period in which government appetite for regulation was weaker. The Cyber Security and Resilience Bill, which was introduced by the Labour government at the state opening of Parliament, illustrates, within a legislative framework, the move away from cyber security to cyber resilience. The days of stopping the threat are in the past. The future will be acknowledging that threats will manifest and ensuring that chambers are prepared when they arise.
The concept of cyber criminals using AI to facilitate cyber attacks will not be new to 2025. Cyber criminals are already using AI to enhance phishing emails, find vulnerabilities and exploit code. However, the increased sophistication will come from attackers utilising multiple attack vectors to infiltrate a target. A quarter of a century into the new millennium, hackers are not sending a single spam email to thousands of potential targets. Rather, a single target is being approached in multiple ways.
AI-enhanced phishing emails may be the first shot, but these will be followed up by (false) warning emails apparently from internal IT administrators. A read receipt in relation to the second email could trigger a text message to the individual. It is even conceivable that the text message could reflect the time taken for the second email to be read, congratulating the recipient for their conscientious adherence to cyber security. In real terms, the person is being socially engineered to access and download malware which will allow the hacker access to the wider network. Counsel must be vigilant and cautious, and seek to verify correspondence if there is a concern, even if it appears to be legitimate.
Generative AI could be used to write emails in a style which is entirely consistent with those within a company, with signatures, disclaimers and even photos which are the same as or similar to legitimate correspondence and contacts. Further, accessing AI itself may be a possible access point for cyber criminals. While ChatGPT is well known and (it is hoped) OpenAI can be trusted, the flow of information into and from AI is opaque, with very few, if any, users understanding the extent to which information input to the AI could be abused.
Unknown online AI should be treated with caution, and it may be that the AI sector needs to become more transparent in 2025 with the provenance and use of the data. Those using AI tools should read the Bar Council Guidance on Generative AI.
One of the reasons cyber attacks will become increasingly sophisticated is because of the actors perpetrating the attacks. We may not quite be living in a post-apocalyptic world, and Mabus is not currently directing an Army of Darkness, but the global political situation cannot be described as secure or stable. Retaliation for the UK supporting one group or another is not just conceivable, it is likely. And cyber-retaliation can be undertaken without escalating military intervention.
In the past, state-sponsored hacking groups have generally concentrated on commercial espionage, accessing intellectual property, designs or confidential information for future development or use. However, 2025 may see cyber warfare become more prevalent. Rather than stealing patents and leaving a system with only a minimal trace, why not now take the valuable information and encrypt or delete files on exit? Public or political condemnation will have very little impact, and attacks on ‘suppliers’ such as IT hosts or administrative services could influence entire sectors. Ensure that you are not the weak point in any supply chain by completing the Bar Council and Law Society Cyber Questionnaire.
While it may all seem like doom and gloom, steps taken in 2024 will likely take effect in 2025, and may lead to fewer successful attacks – particularly in the legal sector. According to chartered accountants Lubbock Fine, in 2022/23 there were 538 successful cyber attacks on the legal sector. This increased by 77% in 2023/24 to 954 attacks. The result is an increased spend by legal entities on cyber resilience and an increased awareness of cyber threats.
In 2024, the concept of ‘zero trust security models’ was (hopefully) heard throughout chambers: ‘never trust, always verify’. Teaching resources including online lectures and videos explained simple methods of verification, such as using telephone calls to verify emails. In a similar vein, multi-factor authentication was becoming standard. These steps will have a positive impact upon security going into the future.
In 2025, this may go further still, into continuous threat exposure management (CTEM). Chambers’ IT security providers could consider shifting towards newer risk assessment models that measure cyber resilience against best practice guidelines. CTEM will see some organisations introduce automated processes to identify the vulnerabilities relating to their IT systems, prioritise them by importance, and ‘mobilise’ mitigation efforts to limit the risk of disruption from anticipated threats. In effect, automated live monitoring of cyber threats with instant responses.
In the meantime, while waiting for CTEM, ensure that you are able to meet future threats in a resilient way:
Don’t be the weak link in the supply chain. The future may be hard to predict but could be very bright.