With 2021 firmly in the rearview mirror, and optimists carefully listening for the first chaffinch song of spring, it is easy to forget that within the last 12 months one chambers sought an injunction against ‘persons unknown’ from disseminating information obtained in a ransomware attack, and the Bar Council described cyberattacks as a ‘wake-up call’.

Last year was significant for cyber threats to the Bar. Working from home continued as a result of the pandemic, impacting upon overall security concerns. High-profile attacks on prominent chambers and law firms put the legal profession at the forefront of cyber news.

Past warnings should still be fresh in people’s minds. The Bar Council suggested chambers ‘check the security of their information networks’ and ensure that ‘their critical business interruption plans are up to date and effective’.

But if these are the warnings of the past, what are the worries for the future? It may be ‘so 2021’ to be subject to a ransomware attack but unfortunately, unless chambers is aware of the potential future threats, it may also be an issue in 2022, 2023 and so on. Indeed, in March news broke that a criminal defence firm was fined £98,000 by the Information Commissioner’s Office (ICO) following a ransomware attack.

Previous advice in Counsel on the essential protection from cyberattack, and the best ways to respond, remains valid and appropriate in most circumstances. However, the following are five areas to consider going into 2022:

1. More smart devices means more risks

Domestic internet service providers are now boasting that wi-fi connections can support 100 devices. If this is an indication of the continued growth of the Internet of Things (IoT) in a home, then consider a set with dozens of tenants, clerks and support staff. It is not merely each having their own laptops, mobile phones, tablets, smart-watches and bluetooth-connected headphones. The chances are that if chambers buys any new equipment, whether an essential work device like a printer or a new fridge-freezer, it is highly likely that this could potentially access the chambers’ network.

These IoT devices often contain the minimum cyber-security protection required in order to maximise the efficiency of the primary function and minimise the cost of the device. And chambers should not underestimate the proliferation of IoT devices and the threat that these pose. Security cameras, smart TVs and internet-connected appliances were used by the Mirai Botnet to attack websites in a denial-of-service attack. If you have remote access to something in chambers, then an IoT device is being used. This could either be a tool for a hacker or an access point into your network.

The best advice: understand what IoT devices are being used in chambers, and ensure that security functions within the device are engaged. The default setting for many IoT devices is to allow access without restriction. This facilitates the initial connection to a network and increases the speed of the device. But this then generates a point of weakness within the network. Once you have completed the initial set-up, apply the highest security level available. You must also regularly update software for the device to ensure that historic bugs cannot be utilised to gain access to the device and consequently into your systems.

2. Cyber insurance will be essential but expensive

It is unsurprising that as the risk environment for cyberattacks becomes more precarious, the premiums associated with cyber insurance increase. It is not merely the increased headline cost of the premium which could impact upon chambers. Many insurance companies are now requiring additional security measures in order to keep premiums at their lowest level. Like a home insurer requiring windows and doors to be equipped with locks that meet a certain standard, going into 2022, cyber-insurers will now likely require, as standard, multi-factorial authentication (MFA) to access crucial chambers’ systems. Chambers may also be required to provide assurances that proper policies and procedures are in place to deal with ‘disaster recovery’.

The Bar Council IT Panel provides a wide range of guidance on the breadth of IT issues likely to impact barristers individually and chambers collectively. Just because you have read the guidance once does not necessarily mean that you are applying best practice. Chambers’ policies and procedures should be regularly updated and cross-referenced against the updates provided by the IT Panel.

3. Insurers may be first; regulation may follow

If the renewal of chambers’ insurance does not requires a sudden move to MFA and a reconsideration of policies and procedures, then government regulation may impact upon cyber security considerations in 2022. Three key strategies from the ICO came to a conclusion in 2021: Information rights strategic plan 2017-2021; Technology Strategy 2018-2021; and International Strategy 2017-2021. Further, ICO Openness by Design comes to a conclusion this year. In the context of increased US regulation following the SolarWinds intrusion and the Colonial Pipeline ransomware attack, it is highly likely that the ICO will publish strategies targeting cyber security to protect personal data.

Self-employed barristers are all individually registered with the ICO, meaning that each is personally responsible for implementing any new strategic vision. ICO policies do not tend to be prescriptive. However, barristers will need to have at least some awareness of any new duty in processing personal data. Again, the Bar Council will seek to publish guidance on any ICO initiative which significantly impacts upon people’s practice but it is incumbent upon those at the Bar to be mindful that potential changes may be coming this year.

4. ‘Supply chain’ cyberattacks will be a problem

Supply chain concerns do not just affect retail or construction firms. If you use email, you are subject to a software supply chain. And going into 2022 it will be the software supply chain, rather than individual companies, which will be targeted by ransomware attacks. A successful ransomware attack on a technology company or internet service provider can impact upon hundreds if not thousands of companies, with the corresponding benefit to the hackers also increasing.

Chambers may not have the expertise in-house to monitor email security, Microsoft’s operating systems and/or cloud collaboration tools. These should be raised as a point of concern with any external IT provider.

‘Spear-phishing attacks’, however, when cybercriminals personalise emails to fit a smaller group of individuals so as to appear more authentic, are an area that barristers should be considering. Any suspicious emails should immediately be raised within chambers using an appropriate method. This might include having a single contact who notifies chambers when concerns arise, or having an alert function within chambers management software. Never forward on a suspicious email. Notify the appropriate person, who can identify whether attacks have been sent to multiple members of chambers.

5. People will remain the ultimate weakness

Spear-phishing and traditional phishing attacks are successful because they target the weakest point within any chambers’ network: people.

Within companies, security teams are being encouraged to reach out and engage employees to ensure that people are aware of the most recent threats. A similar approach should be adopted in chambers. Articles or guidance relevant to cyber security should be circulated, and people encouraged to engage with the concerns that are coming in the future.

How protected is your chambers? Take the test
Hot on the heels of a criminal defence firm being fined £98,000 after a ransomware attack, a new tool is about to be launched to help protect clients’ data. The questionnaire has been created by a cybersecurity working group set up by the Law Society and the Bar Council.
Jacky Chase of Essex Court Chambers believes this will be ‘a vital tool in ensuring your chambers has taken all possible care in protecting its data’. It should be easily used by everyone, ‘from a sole practitioner to large chambers’.
For those who fail to take cybersecurity seriously, there is potentially much at stake – on www.counselmagazine.co.uk, Jacky talks to Andrew McQuarrie about the consequences, which she describes as ‘huge’: ‘People are your weakest point. It’s someone clicking a link on an email [and getting hacked]. You see examples of it all the time.’
Giving staff proper training is one of the best ways that an organisation can stop its data getting lost or falling into the wrong hands, she says.
More detailed steps are laid out in the questionnaire. Advice is also available from the National Cyber Security Centre, whose ‘10 Steps to Cyber Security’ forms the basis of the questionnaire.
Read the full interview here.