The number of recent ransomware attacks on barristers’ chambers is a reminder that you’re not immune from cyberattack. In 2018 the UK National Cyber Security Centre found that 60% of law firms had experienced an information security incident in the preceding year and issued a report highlighting how the legal sector is targeted by cybercriminals. You’re under attack because you hold commercially valuable and sensitive client information, and perhaps material that attracts ‘hacktivists’ with a political or ideological agenda. You’re also perceived to be a relatively soft target because too often the sector has treated cybersecurity as an IT concern, rather than as the strategic risk management issue it in fact is.

Cyberattacks pose a massive risk to chambers. At the very least there’s the cost of lost productivity when systems are down and data is lost or corrupted. There could also be the costs of extortion: ransomware victims, for example, can find themselves paying for a decryption code only to have criminals ask for more money to release it, and then come back for more against the threat that stolen data will be put in the public domain.

If stolen confidential data does get into the public domain, chambers will be in breach of both Bar and Law Society standards and could be liable to pay a heavy fine for breaching GDPR; cybersecurity insurance could also be invalidated. It is also likely to cause devastating reputational damage. Chambers are therefore well advised to ensure they’re taking reasonable steps to protect themselves from cyberattacks.

How to mount reasonable cyber defences

A good place to start would be to conduct a quick cybersecurity audit. At what level is cybersecurity handled? Who sets the agenda? The most senior decision-makers in your chambers ought to be apprised of actions taken on cybersecurity at least quarterly. They ought to have signed off on an incident response plan that is regularly reviewed, and they ought to regularly conduct testing of chambers’ cyber-defences.

Do you operate some relatively straightforward security practices, such as a fully documented and regularly tested back-up regime, protected against ransomware attacks via isolation or by other means? Do you use multi-factor authentication to protect access and validate user credentials? Do you regularly review privileged access and have standards in place on security protocols such as the length of passwords and how often they’re changed? Do you run device management solutions that monitor end user devices and ensure they meet minimum security standards?

Do you regularly train staff and barristers on the importance of cybersecurity? This is critical because ‘human error’ accounts for the vast majority of data breaches. People need an awareness of how cybercriminals operate and of their so-called ‘social engineering’ techniques, eg ‘scareware’, where victims are scared into providing system access or sensitive information, or phishing emails that create a sense of time pressure, curiosity or fear to get victims to reveal sensitive information, click on a link to a malicious site, or open an attachment containing malware. After training’s done, chambers ought to conduct behaviour tests to make sure people continue to keep their defences high. Of course, the attack surface is larger for cybercriminals when people work from home. It’s difficult to control the devices they’re using. It’s harder to secure the network. It’s also harder to know when a member of staff is becoming acutely disaffected.

Where and how is your IT system hosted?

Is it in-house? If so, is all software, including anti-virus and anti-malware software, up to date, and do you operate additional protections, eg solutions that use AI to scan emails for anomalous content or pick up when an email is addressed to an out-of-context recipient, to prevent users simply sending information to the wrong person? Or do you use a reputable public cloud solution that takes care of data encryption and ensures safe storage and back-up but doesn’t offer any tailored advice or guidance or in-house protections? This is a strong option but probably doesn’t go far enough out of the box.

A third option is to work with a managed services provider that can supply a fully considered solution covering software and technology. Such organisations have experts who do cybersecurity for a living, with the sectoral knowledge and resources to keep continually up to date with evolving threats and best practice. This could make the difference between avoiding a devastating cyberattack and being obliterated by one.

Why Advanced?

Our chambers management solution, MLC, is the solution of choice for forward-thinking chambers, and the data security measures we enforce are unparalleled for chambers management software. Speak to one of our experts about your chambers’ technology and security by booking a free health check with us.