Malware is on the rise and there’s a whole cybercrime industry – said to be worth $1bn globally – eager to hold your data to ransom. You could be struck at home, in transit or in chambers, and the legal sector reported a sharp jump in incidents last year. Sandip Patel QC briefs readers on the key dangers.
2017 brought unrelenting growth in cybercrime, including ransomware, phishing, hacking, social engineering and targeted campaigns, some state-sponsored. The World Economic Forum (WEF) has ranked cybercrime in the top three risks the world will face in 2018. According to its statistics, 357 million malware variants were released in 2016 alone, and banking trojans (designed to steal account login details) were on sale for just $500. Ransomware, said to be worth $1bn globally, continues to dominate the malware landscape and has grown by 56% according to McAfee Labs’ 2018 Threats Prediction Report. An IBM X-Force study has reported that 70% of victims pay the ransom (Ransomware: How Consumers and Businesses Value Their Data).
The high-profile WannaCry virus spread to almost 100 countries on its first day, affecting the NHS and other organisations running unsupported software. One firm, which estimated the virus cost it £20m in new equipment and lost business, resorted to paper and pencils to keep operating. The virus left a trail of devastation unprecedented in its reach and impact, having attacked 200,000 computers in 150 countries.
The NotPetya virus targeted Ukrainian businesses using compromised tax software. The malware spread to major global businesses, including FedEx, British advertising agency WPP, Russian oil and gas giant Rosneft, and Danish shipping firm Maersk. In September, FedEx attributed a $300m loss to the attack. The company’s subsidiary TNT Express had to suspend business.
The list of prominent data breach victims is long and will surely lengthen in 2018. It includes Target, Yahoo (whose breach estimate was revised upwards from 1 billion to 3 billion users) and Equifax, whose massive data breach involved 143 million customers. Uber covered up a data loss of 57 million accounts in 2016. A report from the UK’s National Cyber Security Centre breaks down, month by month, the brands which have been most successfully protected from criminals (see below).
Proliferation of the Internet of Things (IoT) means attacks will rise owing to the increased use of home devices accessible over the internet. The top three botnets on the Dark Web attack one million devices a month. The Mirai botnet cyber-attack in 2017 was the largest attack of its kind. The malware in question scanned for insecure routers, cameras, DVRs and other IoT devices still using their default passwords and added them to a botnet, which was then used to launch Denial of Service (DoS) attacks on websites and internet infrastructure. In December 2017 three young men in the USA pleaded guilty to being behind the attack.
The huge rise in use of cloud services across the world has also led to a major increase in attacks on IoT devices, of which 8.4 billion are in use today. At present, the annual cost of responding to cyberattacks is £11.7m per company and is expected to rise to US$8trn in the next five years, says the WEF’s Global Risks Report 2018.
The UK currently ranks second behind the US for data breaches. The Information Commissioner’s Office’s (ICO) latest statistics on data security incidents show a 19% increase from Q2 to Q3 2017, with 815 incidents reported between October and December 2017 – a 41% rise on the same period in 2016. No sector is immune.
In the central government sector, there was a shocking 178% increase in reported incidents over Q2, up from 9 to 25. In the education sector, there was a 68% increase, from 57 reported incidents in Q2 to 96 in Q3. In the health sector, there was a 22% increase. In the legal sector, there was a sharp jump in reported incidents in 2017, some 311, up from 216 in 2016.
Don Randall MBE, OSP Cyber Academy and the Bank of England’s former chief information security officer, told the Law Gazette that law firms were unaware of their susceptibility: ‘Lawyers hold an immense amount of sensitive and valuable data. What used to be held in secure filing cabinets is now held in online case management systems. When you consider that organisations such as government agencies and even the Pentagon are hacked, it is only a question of time before a major breach occurs in the legal profession.’
The National Cyber Security Centre (NCSC), part of GCHQ, is at the heart of the government’s strategy for combatting cybercrime. In February 2018, the NCSC published positive results of its Active Cyber Defence (ACD) programme launched in 2017. Its key findings are as follows:
Scam domains promoted by phishing emails that had been removed included onlinehmrc-gov.uk, refunds-dvla.co.uk and nationalcrime-agency.com. The ten most spoofed government brands in the year were the HMRC (most targeted with 16,064 fake websites taken down), the DVLA, the Student Loans Company and the Crown Prosecution Service. Amongst the organisations best defending themselves from spoof attempts thanks to implementing ACD are local authorities such as Northumberland County Council (59,405 attempts in August), Cardiff Council (31,728 in December) and Denbighshire County Council (25,627 in May).
GDPR (short for the General Data Protection Regulation) is the EU’s new data protection and privacy law. It takes effect on 25 May, and will be one of the most important pieces of legislation brought into force in 2018. It runs to 87 pages, contains 99 articles and is the most complex regulation the EU has ever produced. Any organisation that processes EU citizens’ data – and barristers and chambers represent just as strong a potential risk to the security and privacy of data and systems as any other organisation – should assess how GDPR applies to it and implement a plan to prepare for the new law.
GDPR marks a paradigm shift in data management and poses unique challenges. GDPR is not affected by Brexit. To this end, there is a Data Protection Bill (‘the Bill’), which was introduced in Parliament on 13 September 2017 and is currently making its way through both houses. The Bill will replace the Data Protection Act 1998 with a new law that provides a comprehensive and modern framework for data protection, stronger sanctions for malpractice, and new standards for protecting general data, giving people more control over the use of their data and providing them with new rights to move or delete personal data. The Bill’s main elements are as follows:
General data processing:
Law enforcement processing:
National security processing:
Regulation and enforcement:
In October 2017, the Bar Council issued a GDPR guide for barristers and chambers. Understanding the roles and responsibilities in the data supply chain, particularly in respect of GDPR, is the first step in assessing and managing the risks to data and systems and in ensuring compliance. The main takeaway points are:
Barristers should:
know about GDPR and its governing principles – in particular relating to transparency, accountability and data minimisation;
be aware of the data they hold, the lawful bases for holding it, whether it may be shared and with whom, and how data is accurately maintained, stored and responsibly disposed of, all recorded in supporting documentation;
comply, and apply GDPR principles to their practice, including a risk assessment of (i) chambers’ work environment, (ii) home work environment, (iii) transportation of data, (iv) IT security and practices, (v) digital and hard copy storage procedures.
Failure to observe satisfactory data safeguards may have severe consequences. In Various Claimants v WM Morrison Supermarket Plc [2017] EWHC 3113 (QB), an employer was held liable in damages for the wrongful conduct of an employee who disclosed personal information of around 100,000 colleagues on the internet, outside working hours and from the employee’s personal computer.
Macs essentially look after themselves. To enable a firewall in Windows 10: (1) Open the ‘Control Panel’ (type ‘Control Panel’ into search box on the right of the Windows Start icon); (2) In the Control Panel select ‘System and Security’ then ‘Windows Firewall’; (3) Ensure that both the private and public network firewalls are turned on. Also tick ‘Notify me when Windows Firewall blocks a new app’. Once you have selected both, click ‘OK’.
Choose the most secure settings for devices and software. Always check the settings of new software and devices. Use strong passwords and change default ones. For important accounts, such as banking and IT administration, use two-factor authentication, also known as 2FA, e.g. where a code sent to your smartphone must be entered in addition to a password. Never save payment information for future online purchases.
To minimise the potential damage that could be done if an account is misused or stolen, staff accounts should have just enough access to software, settings, online services and device connectivity functions for them to perform their role. Extra permissions should only be given to those who need them. Check what privileges your accounts have – accounts with administrative privileges should only be used to perform administrative tasks. Standard accounts should be used for general work. Ensure that staff don’t browse the web or check emails from an account with admin privileges; an attacker with unauthorised access to an administrative account can cause more damage than one accessing a standard user account. Never enter confidential information on sites that do not have ‘https’ at the beginning of their URLs. Never use free hotspots for online banking or online shopping.
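The firewall steps and the least-privilege advice above can both be checked from the command line rather than by clicking through dialogs. The script below is an added example, not part of the original article or any Bar Council guidance. It assumes an elevated PowerShell prompt on Windows 10 and uses only the built-in NetSecurity and Microsoft.PowerShell.LocalAccounts cmdlets; the account names it reports will of course differ on your machine.

```powershell
# Added example (not from the article): verify and apply the Windows 10
# firewall settings described above, then review which accounts hold
# administrative rights. Run from an elevated PowerShell prompt.

# 1. Show the current state of all three firewall profiles (Domain, Private, Public).
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, NotifyOnListen

# 2. Turn every profile on, block unsolicited inbound connections by default,
#    and enable notification when the firewall blocks a new app
#    (the 'Notify me when Windows Firewall blocks a new app' tick box).
Set-NetFirewallProfile -Profile Domain, Private, Public `
    -Enabled True `
    -DefaultInboundAction Block `
    -NotifyOnListen True

# 3. Least privilege: list the members of the local Administrators group.
#    Anything beyond the built-in Administrator and a dedicated admin account
#    should be questioned; day-to-day work belongs in a standard account.
Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, ObjectClass, PrincipalSource

# 4. Report whether the account running this script is itself an administrator,
#    so a user can tell at a glance whether they are browsing or reading email
#    from an over-privileged account.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal] $identity
$isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

if ($isAdmin) {
    Write-Warning "Running as administrator ($($identity.Name)): use this account for admin tasks only."
} else {
    Write-Output "Standard user account ($($identity.Name)): suitable for everyday browsing and email."
}
```

Step 2 is idempotent, so it can be re-run after a Windows update or a new piece of software has changed the settings; step 3 is the one worth repeating periodically in chambers, since installers and well-meaning colleagues tend to add accounts to the Administrators group and never remove them.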
Use anti-virus and anti-malware software. Only download apps for mobile phones and tablets from manufacturer-approved stores. Turn on the firewall. Keep your computer up to date. Don’t be tricked into downloading malware. Read all security warnings, licence agreements and privacy statements. Never click ‘Agree’ or ‘OK’ to close a window you suspect might be spyware. Instead, click the red ‘x’ in the corner of the window or press Alt + F4 on your keyboard to close it. Be wary of popular ‘free’ music and movie file-sharing programs, and make sure that you understand all the software packaged with those programs.
In Windows 10, security updates are downloaded and installed automatically. However, check Start > Settings > Update & security > Windows Update > Check for updates. iOS: Settings > General > Software Update > Download and Install. Android: Settings > About Phone > System Updates. macOS: click on the Apple icon at the top of your screen and select Software Update.
Contributor Sandip Patel QC is Chairperson of the Cybercrime Practitioners Association