*/
On 1 June 2022, the Solicitors Regulatory Authority (SRA) published a risk outlook report in relation to cyber security threats within solicitors firms. The report identified that 18 firms had notified the SRA of ransomware attacks in 2021, but that this ‘may not give the true picture of the threat, as they represented only those cases where client information was affected.’
The report does not generate much surprise. Earlier this year Ward Hadaway sought a High Court injunction against ‘persons unknown’ following a $6m ransomware attack which only had a ‘limited impact’ on some of their data. Listed firm Ince also sought an urgent injunction this year following a cyberattack, which may or may not have contributed to former Chief Executive Adrian Biles being removed from his post in September 2022. And everyone in the legal profession is susceptible, with a malicious cyberattack on the General Council of the Bar (which includes the Bar Council and the Bar Standards Board) impacting upon Authorisation to Practise and Fast Access to Courts in April 2022.
So what is the advice of the Solicitors Regulation Authority (SRA)? The report identified that legal firms’ growing dependence on IT systems was creating more opportunities for cyber criminals. But this is not advice. The days of solicitors wrapping a handwritten brief in ribbon are long gone. And the legal profession, from courts to clerks, is increasingly moving online. What do we do to avoid cyberattack?
One area of vulnerability which the SRA did properly highlight was ‘supply chain’ cyberattacks. A supply chain cyberattack is when a vulnerability in a company or individual’s cyber defences is exploited to attack another actor to whom they supply services. The SRA report highlighted that third-parties or IT providers can also affect firms, noting that attacks last year on service providers and a barristers’ chambers both spread to multiple solicitors firms. Supply chain cyberattacks is a serious and growing area of concern (see ‘Cyber protect for 2022’ Counsel April 2022). If an IT provider is compromised then every one of its clients is also potentially compromised. And with many chambers using the same IT providers, a supply chain cyberattack could rapidly move through the entire profession. The issue is such a hot topic in America that President Joe Biden issued an Executive Order specifically to address supply chain cyberattacks.
Following the President’s lead, here are five practical steps to address potential vulnerabilities.
If you are asking what questionnaire then you need to read ‘Your guide to the information security questionnaire’ (Counsel August 2022). The Information Security Questionnaire for all centralised services provided by chambers (‘the Questionnaire’) was devised by a joint Law Society/Bar Council working group representing the interests of barristers’ chambers and a number of larger law firms in 2021, and was subjected to wider review in various roundtable discussions earlier this year. On 23 March 2022 it was published on the Bar Council’s website and is the prime starting point for reducing the risk of supply chain attacks.
Not only does the Questionnaire assist in identifying vulnerabilities within chambers’ networks and systems, it has been specifically designed with supply chain cyberattacks in mind. Solicitors’ firms who issue the Questionnaire to chambers will have assessed their vulnerabilities to a similar standard, and confirmation of completion of the Questionnaire can reassure firms that these chambers are not the weak point in the supply chain.
The Questionnaire consists of 25 questions broadly divided into ten areas. Some parts are more straightforward than others, with certain sections requiring input from your IT Manager or Service Provider. However, the Questionnaire really is the best place to begin to prevent cyberattacks.
The weakest point in any IT network is the users. It is people that respond to phishing emails, who fail to create secure passwords, and that connect insecure or unencrypted devices to work networks. And barristers chambers provide a unique problem as a collection of self-employed individuals who can be encouraged but not compelled to complete training. The Questionnaire recognises these distinctive circumstances and requires mandatory training for staff, and advises training for tenants.
Training can cover a variety of topics and be delivered through a number of methods; and chambers should be educated on common cyberattacks. However, seeking to change mindsets can be particularly powerful. A Zero Trust Architecture assumes that all network activity is malicious. Only after a connectivity request passes a set of strict policies will it be permitted to access the system. At its most sophisticated and secure a Zero Trust Architecture is powered by a Policy Engineer (PE), who decides on whether network traffic can access the system based upon a set of rules; a Policy Administrator (PA), who communicates the PE’s decision whether pass or fail; and a Policy Enforcement Point (PEP), who then blocks or permits the network request based on the PE’s decision. While this requires three computer literate members of staff, a Zero Trust mindset can be adapted to any level of system.
An Assume Breach mindset expects (and therefore prepares) for a data breach rather than simply hoping that everything will be fine. This promotes the deployment of active cyber defences across the entire network, for example encouraging people to ensure regular security updates are installed.
Supply chain attacks focus on the weakest point in a chain, and the general proliferation of remote working means that from a technical standpoint home offices are likely to be the weak point.
Home office computers, whether desktops or laptops, should be encrypted and have anti-virus software installed. But security awareness needs to extend to smart devices which connect into your computer. Router passwords are now unique as standard; however, printers will often still use generic administrative passwords. These must be changed. IoT (Internet of Things) connected devices will similarly tend to use basic passwords and may be connected to your computer, indirectly, through your router. Again, change the password on IoT devices as soon as you have connected them to your home network.
At work, change the Guest WiFi password regularly, and generate three simple word secure passwords each time. Chambers and firms spend thousands of pounds each year engaging cybersecurity experts to vulnerability test networks and install preventative measures like honeytokens. In that context, not changing the Guest WiFi password is like building a castle and leaving the gate open.
Now you have your own house in order you need to ensure others in the supply chain are secure. The Questionnaire was designed to simplify communication between solicitors and barristers but the content is a useful precedent for questions to be posed to other suppliers. If you are engaging a new supplier who you will communicate with electronically (which today is every supplier) ask whether they have any cyber security certification like Cyber Essentials or Cyber Essentials Plus. Even when a supplier does not initially have certification asking the question will encourage cyber awareness and strengthen the supply chain.
Data controllers are required to report a data breach to the ICO and may be required to report the breach to the data subject (see ‘Handling a data breach’ Counsel May 2021) but consider notifying other people in the supply chain. It may be embarrassing to notify a solicitor that you have been hacked but it is far less embarrassing than that hacker then accessing that solicitor’s network and blackmailing them for millions of pounds because of your data breach. Strengthening the supply chain is the responsibility of everyone in that chain. And communication is key.
On 1 June 2022, the Solicitors Regulatory Authority (SRA) published a risk outlook report in relation to cyber security threats within solicitors firms. The report identified that 18 firms had notified the SRA of ransomware attacks in 2021, but that this ‘may not give the true picture of the threat, as they represented only those cases where client information was affected.’
The report does not generate much surprise. Earlier this year Ward Hadaway sought a High Court injunction against ‘persons unknown’ following a $6m ransomware attack which only had a ‘limited impact’ on some of their data. Listed firm Ince also sought an urgent injunction this year following a cyberattack, which may or may not have contributed to former Chief Executive Adrian Biles being removed from his post in September 2022. And everyone in the legal profession is susceptible, with a malicious cyberattack on the General Council of the Bar (which includes the Bar Council and the Bar Standards Board) impacting upon Authorisation to Practise and Fast Access to Courts in April 2022.
So what is the advice of the Solicitors Regulation Authority (SRA)? The report identified that legal firms’ growing dependence on IT systems was creating more opportunities for cyber criminals. But this is not advice. The days of solicitors wrapping a handwritten brief in ribbon are long gone. And the legal profession, from courts to clerks, is increasingly moving online. What do we do to avoid cyberattack?
One area of vulnerability which the SRA did properly highlight was ‘supply chain’ cyberattacks. A supply chain cyberattack is when a vulnerability in a company or individual’s cyber defences is exploited to attack another actor to whom they supply services. The SRA report highlighted that third-parties or IT providers can also affect firms, noting that attacks last year on service providers and a barristers’ chambers both spread to multiple solicitors firms. Supply chain cyberattacks is a serious and growing area of concern (see ‘Cyber protect for 2022’ Counsel April 2022). If an IT provider is compromised then every one of its clients is also potentially compromised. And with many chambers using the same IT providers, a supply chain cyberattack could rapidly move through the entire profession. The issue is such a hot topic in America that President Joe Biden issued an Executive Order specifically to address supply chain cyberattacks.
Following the President’s lead, here are five practical steps to address potential vulnerabilities.
If you are asking what questionnaire then you need to read ‘Your guide to the information security questionnaire’ (Counsel August 2022). The Information Security Questionnaire for all centralised services provided by chambers (‘the Questionnaire’) was devised by a joint Law Society/Bar Council working group representing the interests of barristers’ chambers and a number of larger law firms in 2021, and was subjected to wider review in various roundtable discussions earlier this year. On 23 March 2022 it was published on the Bar Council’s website and is the prime starting point for reducing the risk of supply chain attacks.
Not only does the Questionnaire assist in identifying vulnerabilities within chambers’ networks and systems, it has been specifically designed with supply chain cyberattacks in mind. Solicitors’ firms who issue the Questionnaire to chambers will have assessed their vulnerabilities to a similar standard, and confirmation of completion of the Questionnaire can reassure firms that these chambers are not the weak point in the supply chain.
The Questionnaire consists of 25 questions broadly divided into ten areas. Some parts are more straightforward than others, with certain sections requiring input from your IT Manager or Service Provider. However, the Questionnaire really is the best place to begin to prevent cyberattacks.
The weakest point in any IT network is the users. It is people that respond to phishing emails, who fail to create secure passwords, and that connect insecure or unencrypted devices to work networks. And barristers chambers provide a unique problem as a collection of self-employed individuals who can be encouraged but not compelled to complete training. The Questionnaire recognises these distinctive circumstances and requires mandatory training for staff, and advises training for tenants.
Training can cover a variety of topics and be delivered through a number of methods; and chambers should be educated on common cyberattacks. However, seeking to change mindsets can be particularly powerful. A Zero Trust Architecture assumes that all network activity is malicious. Only after a connectivity request passes a set of strict policies will it be permitted to access the system. At its most sophisticated and secure a Zero Trust Architecture is powered by a Policy Engineer (PE), who decides on whether network traffic can access the system based upon a set of rules; a Policy Administrator (PA), who communicates the PE’s decision whether pass or fail; and a Policy Enforcement Point (PEP), who then blocks or permits the network request based on the PE’s decision. While this requires three computer literate members of staff, a Zero Trust mindset can be adapted to any level of system.
An Assume Breach mindset expects (and therefore prepares) for a data breach rather than simply hoping that everything will be fine. This promotes the deployment of active cyber defences across the entire network, for example encouraging people to ensure regular security updates are installed.
Supply chain attacks focus on the weakest point in a chain, and the general proliferation of remote working means that from a technical standpoint home offices are likely to be the weak point.
Home office computers, whether desktops or laptops, should be encrypted and have anti-virus software installed. But security awareness needs to extend to smart devices which connect into your computer. Router passwords are now unique as standard; however, printers will often still use generic administrative passwords. These must be changed. IoT (Internet of Things) connected devices will similarly tend to use basic passwords and may be connected to your computer, indirectly, through your router. Again, change the password on IoT devices as soon as you have connected them to your home network.
At work, change the Guest WiFi password regularly, and generate three simple word secure passwords each time. Chambers and firms spend thousands of pounds each year engaging cybersecurity experts to vulnerability test networks and install preventative measures like honeytokens. In that context, not changing the Guest WiFi password is like building a castle and leaving the gate open.
Now you have your own house in order you need to ensure others in the supply chain are secure. The Questionnaire was designed to simplify communication between solicitors and barristers but the content is a useful precedent for questions to be posed to other suppliers. If you are engaging a new supplier who you will communicate with electronically (which today is every supplier) ask whether they have any cyber security certification like Cyber Essentials or Cyber Essentials Plus. Even when a supplier does not initially have certification asking the question will encourage cyber awareness and strengthen the supply chain.
Data controllers are required to report a data breach to the ICO and may be required to report the breach to the data subject (see ‘Handling a data breach’ Counsel May 2021) but consider notifying other people in the supply chain. It may be embarrassing to notify a solicitor that you have been hacked but it is far less embarrassing than that hacker then accessing that solicitor’s network and blackmailing them for millions of pounds because of your data breach. Strengthening the supply chain is the responsibility of everyone in that chain. And communication is key.
Sam Townend KC explains the Bar Council’s efforts towards ensuring a bright future for the profession
Giovanni D’Avola explores the issue of over-citation of unreported cases and the ‘added value’ elements of a law report
Louise Crush explores the key points and opportunities for tax efficiency
Westgate Wealth Management Ltd is a Partner Practice of FTSE 100 company St. James’s Place – one of the top UK Wealth Management firms. We offer a holistic service of distinct quality, integrity, and excellence with the aim to build a professional and valuable relationship with our clients, helping to provide them with security now, prosperity in the future and the highest standard of service in all of our dealings.
Is now the time to review your financial position, having reached a career milestone? asks Louise Crush
If you were to host a dinner party with 10 guests, and you asked them to explain what financial planning is and how it differs to financial advice, you’d receive 10 different answers. The variety of answers highlights the ongoing need to clarify and promote the value of financial planning.
Most of us like to think we would risk our career in order to meet our ethical obligations, so why have so many lawyers failed to hold the line? asks Flora Page
If your current practice environment is bringing you down, seek a new one. However daunting the change, it will be worth it, says Anon Barrister
Creating advocacy opportunities for juniors is now the expectation but not always easy to put into effect. Tom Mitcheson KC distils developing best practice from the Patents Court initiative already bearing fruit
National courts are now running the bulk of the world’s war crimes cases and corporate prosecutions are part of this growing trend, reports Chris Stephen
Sam Townend KC explains the Bar Council’s efforts towards ensuring a bright future for the profession