Last year, a senior lawyer in a Magic Circle firm confided that the thing that wakes him up in the night is the thought of the state of the IT-security arrangements in place for many of the barristers he instructs.

Very few insurance companies are now prepared to offer cyber insurance to new clients anywhere in the UK legal sector and the premiums are often quadrupling for those existing clients who meet the increasingly stringent criteria.

Every barrister should take a close look at the National Cyber Security Centre’s (NCSC’s) new report Cyber Threat to the Legal Sector, which has comments from the Bar Council and The Law Society in the foreword.

While the Bar Council claims the report ‘enables us all to reflect on the many challenges we face’, it does not, here or elsewhere, tell barristers or chambers what they really must do in order to protect their IT infrastructure and the data (their clients’ data) that they process. The Bar Council’s role is not to tell barristers what to do, and many barristers object when it has tried to. Such reticence is one of the reasons, I suspect, why the Information Security Questionnaire agreed by the Law Society and the Bar Council last year only addresses the ‘centralised services provided by chambers’ rather than asking questions of how barristers themselves secure their data. The preamble to the questionnaire contends that ‘this is because barristers have their own data protection duties and obligations, which they are compelled to observe by their regulator, the Bar Standards Board, and by law.’ Oh, that’s alright then – if a barrister’s obliged to do something, clients don’t need to be so impertinent to ask if they actually do it. The Bar Council’s IT Panel (a fine, dedicated and, like all Bar Council committees, unpaid group) also issues advice but it falls short of telling barristers and chambers what they really must do.

Let’s be absolutely clear about this: everyone – tenant, pupil, associate member, staff member, consultant – who accesses their chambers’ IT network, including email, must demonstrate compliance with the necessary cybersecurity measures.

Of course, many solicitors’ firms go beyond the scope of the Questionnaire and specifically ask chambers, in their own security surveys, whether their barristers comply with the measures required of chambers and its employees. There was once the rumour that some law firms did not want to ask too detailed questions of those they instruct because they didn’t want to know the sorry answer and, with that knowledge, feel rather compelled to seek others to instruct instead. Even if that was true at one point, I think we have moved on from there and are now seeing a growing number of firms refuse to instruct chambers which cannot provide the answers that the firms seek. This in itself should be starting alarm bells to ring around all the Bar, even if the well-reported cyberattacks on a couple of chambers, amazingly, didn’t result immediately in universal action, by every set and every barrister.

Rather than continue to bemoan rather non-specifically the fact that the Bar’s not taking this seriously enough, let’s look at some of the detail to exemplify the nature and scale of the challenge. As they say, ‘this list is not exhaustive’ by any means. First, a quotation from the NCSC report:

‘A small law firm [or set of chambers or individual practitioner] with few resources could be devastated if caught up by (for example) a ransomware attack. They are more vulnerable to attack… Once attacked, a relatively small financial or reputational loss may be disastrous.’

Government bodies (especially security ones) do not typically use words like ‘devastated’ or ‘disastrous’ unless they are felt to be clearly justified. So, when the refusal by one of your chambers’ members to engage in the implementation of appropriate security measures finally results in the financial and reputational devastation of chambers, what does the head of chambers say to its other members or its soon-to-be redundant employees?

Cybercrime is not a sad teenager in his bedroom looking to mess your website around. It’s a growing, multimillion-dollar (or bitcoin) industry, involving the development and cross-selling of malware services and ‘products’ internationally. Rather wonderfully, the NCSC says that ‘cyber crime as a service is now so popular prices are being driven down by competition’.

The odds of becoming a cybercrime victim are increasing and the UK legal sector is a prime target. Probable vulnerabilities will always be the principal targets for identifying the potential for any attack and, not surprisingly, the IT infrastructure of barristers and their chambers is recognised as the most likely weakest link in the legal-services chain, in matters in which counsel is instructed.

I am reluctant to criticise the entirely volunteer Bar Council IT Panel over its published advice, but it needs to be more comprehensive, and several anomalies corrected. Even if a set of chambers just followed everything that was in this guidance, it would still not be cybersecure. Reluctant or ignorant barristers and chambers’ managers have to be told clearly and precisely what they have to put in place to avoid this potential devastation and, surely, it is the function of the Bar’s representative body to do this.

The guidance on Information Security (December 2022) is a fine example of the excessive politesse:

‘You should consider restricting the amount of Confidential Material stored on portable devices to the minimum.’

No! You must restrict it. Storing more than the minimum amount of confidential material on a portable device (actually, any device) is negligent from a security perspective. This ‘should/must’ angle may sound pedantic, but if the Bar Council wants to address properly one of the most serious risks around, it needs to be firm on this, and challenge anyone who might gainsay it.

‘You should take care to select a secure password.’

Really?! (To be fair, the wording is starting to improve – the Mobile Device Security guidance is just a little more forceful – but there’s still a long way to go.)

‘It is a good precaution to use two-factor authentication…’

Actually, multi-factor authentication is now such a basic business requirement it comes right at the start of Cybersecurity 101.

‘A computer used by family members or others may in addition require encryption of specific folders’.

Hard-disk partitioning and folder encryption do not guarantee security. The days of a barrister sharing a family computer must surely be over – it’s just wildly unprofessional; what would your client say if they knew?

I haven’t come across any Bar guidance that relates to setting the admin rights on a computer; if the user’s main account profile on their computer is hacked and this profile has the admin rights to change settings and install software, the hacker now has unlimited control of the device and, thus, its interface with the network; if these admin rights are instead held on another admin profile (with a separate login) rather than the main user one, the risk is reduced. Again, this is a very basic security measure, but almost always ignored.

Although a few chambers are starting to specify a range of options for devices that their members must use, the substantial majority of barristers will buy whatever computers, phones and tablets they wish, replace them (or not) as they wish and install whatever they wish on them. This is a serious security-management problem and is even greater justification for device-management software, such as Microsoft’s In Tune, to be required to be installed on all barristers’ devices; this ensures basic levels of security are always maintained on the device as well as enabling the data on the device to be wiped remotely if it is lost or stolen. The ultimate step, of course, is for chambers to own (and control) all devices and lease them to the members; maybe one day.

We are now seeing a few sets implement the full suite of measures that satisfy Cyber Essentials accreditation across all of chambers and every user, and some are reinforcing this with the additional evaluation under Cyber Essentials Plus. While Cyber Essentials is not the whole answer, it is a good measure, recommended by the NCSC, and still provides the guarantee of a basic level of cyber insurance, something that tends to reassure instructing-solicitors’ firms.

Technology (and well short of the possible AI developments that are being investigated) continues to provide enormous opportunities for the whole legal sector to improve what it offers to clients and how it operates, but its increasing use, of course, makes it increasingly attractive to criminal attack, and the nature of IT infrastructure can turn small, individual vulnerabilities into serious and widespread damage. Everyone – everyone – using the IT facilities of a business must be aware of and meet their obligations; neither quaint ignorance nor stubborn refusal is permissible or forgivable. As one senior practice manager said recently, ‘It’s up to the barrister, but if they don’t comply, they cannot access our network, which means they won’t get any of our work.’

In a nutshell, the Bar desperately needs the Bar Council to be more forthright and comprehensive in its direction on this subject. All of you need to educate yourselves and engage now with the expert consultants who will both help prevent an attack and also help you cope with one if you fall victim – you owe it to your clients, your colleagues and your employees. But, if someone comes to you for professional advice in your specialist area of law and then ignores that advice, you might well think them unwise or, at best, rather cavalier; and when their failure to follow your advice leads to the failure of their business, you may be tempted to mouth, ‘I told you so.’ So, to start with, just read the NCSC report and follow its guidance. Don’t be the weakest link. 

The National Cyber Security Centre’s Cyber Threat Report: UK Legal Sector