On 1 June 2022, the Solicitors Regulatory Authority (SRA) published a risk outlook report in relation to cyber security threats within solicitors firms. The report identified that 18 firms had notified the SRA of ransomware attacks in 2021, but that this ‘may not give the true picture of the threat, as they represented only those cases where client information was affected.’

The report does not generate much surprise. Earlier this year Ward Hadaway sought a High Court injunction against ‘persons unknown’ following a $6m ransomware attack which only had a ‘limited impact’ on some of their data. Listed firm Ince also sought an urgent injunction this year following a cyberattack, which may or may not have contributed to former Chief Executive Adrian Biles being removed from his post in September 2022. And everyone in the legal profession is susceptible, with a malicious cyberattack on the General Council of the Bar (which includes the Bar Council and the Bar Standards Board) impacting upon Authorisation to Practise and Fast Access to Courts in April 2022.

So what is the advice of the Solicitors Regulation Authority (SRA)? The report identified that legal firms’ growing dependence on IT systems was creating more opportunities for cyber criminals. But this is not advice. The days of solicitors wrapping a handwritten brief in ribbon are long gone. And the legal profession, from courts to clerks, is increasingly moving online. What do we do to avoid cyberattack?

One area of vulnerability which the SRA did properly highlight was ‘supply chain’ cyberattacks. A supply chain cyberattack is when a vulnerability in a company or individual’s cyber defences is exploited to attack another actor to whom they supply services. The SRA report highlighted that third-parties or IT providers can also affect firms, noting that attacks last year on service providers and a barristers’ chambers both spread to multiple solicitors firms. Supply chain cyberattacks is a serious and growing area of concern (see ‘Cyber protect for 2022’ Counsel April 2022). If an IT provider is compromised then every one of its clients is also potentially compromised. And with many chambers using the same IT providers, a supply chain cyberattack could rapidly move through the entire profession. The issue is such a hot topic in America that President Joe Biden issued an Executive Order specifically to address supply chain cyberattacks.

Following the President’s lead, here are five practical steps to address potential vulnerabilities.

1. Complete the questionnaire

If you are asking what questionnaire then you need to read ‘Your guide to the information security questionnaire’ (Counsel August 2022). The Information Security Questionnaire for all centralised services provided by chambers (‘the Questionnaire’) was devised by a joint Law Society/Bar Council working group representing the interests of barristers’ chambers and a number of larger law firms in 2021, and was subjected to wider review in various roundtable discussions earlier this year. On 23 March 2022 it was published on the Bar Council’s website and is the prime starting point for reducing the risk of supply chain attacks.

Not only does the Questionnaire assist in identifying vulnerabilities within chambers’ networks and systems, it has been specifically designed with supply chain cyberattacks in mind. Solicitors’ firms who issue the Questionnaire to chambers will have assessed their vulnerabilities to a similar standard, and confirmation of completion of the Questionnaire can reassure firms that these chambers are not the weak point in the supply chain.

The Questionnaire consists of 25 questions broadly divided into ten areas. Some parts are more straightforward than others, with certain sections requiring input from your IT Manager or Service Provider. However, the Questionnaire really is the best place to begin to prevent cyberattacks.

2. Make training available for everyone

The weakest point in any IT network is the users. It is people that respond to phishing emails, who fail to create secure passwords, and that connect insecure or unencrypted devices to work networks. And barristers chambers provide a unique problem as a collection of self-employed individuals who can be encouraged but not compelled to complete training. The Questionnaire recognises these distinctive circumstances and requires mandatory training for staff, and advises training for tenants.

Training can cover a variety of topics and be delivered through a number of methods; and chambers should be educated on common cyberattacks. However, seeking to change mindsets can be particularly powerful. A Zero Trust Architecture assumes that all network activity is malicious. Only after a connectivity request passes a set of strict policies will it be permitted to access the system. At its most sophisticated and secure a Zero Trust Architecture is powered by a Policy Engineer (PE), who decides on whether network traffic can access the system based upon a set of rules; a Policy Administrator (PA), who communicates the PE’s decision whether pass or fail; and a Policy Enforcement Point (PEP), who then blocks or permits the network request based on the PE’s decision. While this requires three computer literate members of staff, a Zero Trust mindset can be adapted to any level of system.

An Assume Breach mindset expects (and therefore prepares) for a data breach rather than simply hoping that everything will be fine. This promotes the deployment of active cyber defences across the entire network, for example encouraging people to ensure regular security updates are installed.

3. Identify internal weaknesses

Supply chain attacks focus on the weakest point in a chain, and the general proliferation of remote working means that from a technical standpoint home offices are likely to be the weak point.

Home office computers, whether desktops or laptops, should be encrypted and have anti-virus software installed. But security awareness needs to extend to smart devices which connect into your computer. Router passwords are now unique as standard; however, printers will often still use generic administrative passwords. These must be changed. IoT (Internet of Things) connected devices will similarly tend to use basic passwords and may be connected to your computer, indirectly, through your router. Again, change the password on IoT devices as soon as you have connected them to your home network.

At work, change the Guest WiFi password regularly, and generate three simple word secure passwords each time. Chambers and firms spend thousands of pounds each year engaging cybersecurity experts to vulnerability test networks and install preventative measures like honeytokens. In that context, not changing the Guest WiFi password is like building a castle and leaving the gate open.

4. Identify weak suppliers

Now you have your own house in order you need to ensure others in the supply chain are secure. The Questionnaire was designed to simplify communication between solicitors and barristers but the content is a useful precedent for questions to be posed to other suppliers. If you are engaging a new supplier who you will communicate with electronically (which today is every supplier) ask whether they have any cyber security certification like Cyber Essentials or Cyber Essentials Plus. Even when a supplier does not initially have certification asking the question will encourage cyber awareness and strengthen the supply chain.

5. Report any breach

Data controllers are required to report a data breach to the ICO and may be required to report the breach to the data subject (see ‘Handling a data breach’ Counsel May 2021) but consider notifying other people in the supply chain. It may be embarrassing to notify a solicitor that you have been hacked but it is far less embarrassing than that hacker then accessing that solicitor’s network and blackmailing them for millions of pounds because of your data breach. Strengthening the supply chain is the responsibility of everyone in that chain. And communication is key.