*/
With 2021 firmly in the rearview mirror, and optimists carefully listening for the first chaffinch song of spring, it is easy to forget that within the last 12 months one chambers sought an injunction against ‘persons unknown’ from disseminating information obtained in a ransomware attack, and the Bar Council described cyberattacks as a ‘wake-up call’.
Last year was significant for cyber threats to the Bar. Working from home continued as a result of the pandemic, impacting upon overall security concerns. High-profile attacks on prominent chambers and law firms put the legal profession at the forefront of cyber news.
Past warnings should still be fresh in people’s minds. The Bar Council suggested chambers ‘check the security of their information networks’ and ensure that ‘their critical business interruption plans are up to date and effective’.
But if these are the warnings of the past, what are the worries for the future? It may be ‘so 2021’ to be subject to a ransomware attack but unfortunately, unless chambers is aware of the potential future threats, it may also be an issue in 2022, 2023 and so on. Indeed, in March news broke that a criminal defence firm was fined £98,000 by the Information Commissioner’s Office (ICO) following a ransomware attack.
Previous advice in Counsel on the essential protection from cyberattack, and the best ways to respond, remains valid and appropriate in most circumstances. However, the following are five areas to consider going into 2022:
Domestic internet service providers are now boasting that wi-fi connections can support 100 devices. If this is an indication of the continued growth of the Internet of Things (IoT) in a home, then consider a set with dozens of tenants, clerks and support staff. It is not merely each having their own laptops, mobile phones, tablets, smart-watches and bluetooth-connected headphones. The chances are that if chambers buys any new equipment, whether an essential work device like a printer or a new fridge-freezer, it is highly likely that this could potentially access the chambers’ network.
These IoT devices often contain the minimum cyber-security protection required in order to maximise the efficiency of the primary function and minimise the cost of the device. And chambers should not underestimate the proliferation of IoT devices and the threat that these pose. Security cameras, smart TVs and internet-connected appliances were used by the Mirai Botnet to attack websites in a denial-of-service attack. If you have remote access to something in chambers, then an IoT device is being used. This could either be a tool for a hacker or an access point into your network.
The best advice: understand what IoT devices are being used in chambers, and ensure that security functions within the device are engaged. The default setting for many IoT devices is to allow access without restriction. This facilitates the initial connection to a network and increases the speed of the device. But this then generates a point of weakness within the network. Once you have completed the initial set-up, apply the highest security level available. You must also regularly update software for the device to ensure that historic bugs cannot be utilised to gain access to the device and consequently into your systems.
It is unsurprising that as the risk environment for cyberattacks becomes more precarious, the premiums associated with cyber insurance increase. It is not merely the increased headline cost of the premium which could impact upon chambers. Many insurance companies are now requiring additional security measures in order to keep premiums at their lowest level. Like a home insurer requiring windows and doors to be equipped with locks that meet a certain standard, going into 2022, cyber-insurers will now likely require, as standard, multi-factorial authentication (MFA) to access crucial chambers’ systems. Chambers may also be required to provide assurances that proper policies and procedures are in place to deal with ‘disaster recovery’.
The Bar Council IT Panel provides a wide range of guidance on the breadth of IT issues likely to impact barristers individually and chambers collectively. Just because you have read the guidance once does not necessarily mean that you are applying best practice. Chambers’ policies and procedures should be regularly updated and cross-referenced against the updates provided by the IT Panel.
If the renewal of chambers’ insurance does not requires a sudden move to MFA and a reconsideration of policies and procedures, then government regulation may impact upon cyber security considerations in 2022. Three key strategies from the ICO came to a conclusion in 2021: Information rights strategic plan 2017-2021; Technology Strategy 2018-2021; and International Strategy 2017-2021. Further, ICO Openness by Design comes to a conclusion this year. In the context of increased US regulation following the SolarWinds intrusion and the Colonial Pipeline ransomware attack, it is highly likely that the ICO will publish strategies targeting cyber security to protect personal data.
Self-employed barristers are all individually registered with the ICO, meaning that each is personally responsible for implementing any new strategic vision. ICO policies do not tend to be prescriptive. However, barristers will need to have at least some awareness of any new duty in processing personal data. Again, the Bar Council will seek to publish guidance on any ICO initiative which significantly impacts upon people’s practice but it is incumbent upon those at the Bar to be mindful that potential changes may be coming this year.
Supply chain concerns do not just affect retail or construction firms. If you use email, you are subject to a software supply chain. And going into 2022 it will be the software supply chain, rather than individual companies, which will be targeted by ransomware attacks. A successful ransomware attack on a technology company or internet service provider can impact upon hundreds if not thousands of companies, with the corresponding benefit to the hackers also increasing.
Chambers may not have the expertise in-house to monitor email security, Microsoft’s operating systems and/or cloud collaboration tools. These should be raised as a point of concern with any external IT provider.
‘Spear-phishing attacks’, however, when cybercriminals personalise emails to fit a smaller group of individuals so as to appear more authentic, are an area that barristers should be considering. Any suspicious emails should immediately be raised within chambers using an appropriate method. This might include having a single contact who notifies chambers when concerns arise, or having an alert function within chambers management software. Never forward on a suspicious email. Notify the appropriate person, who can identify whether attacks have been sent to multiple members of chambers.
Spear-phishing and traditional phishing attacks are successful because they target the weakest point within any chambers’ network: people.
Within companies, security teams are being encouraged to reach out and engage employees to ensure that people are aware of the most recent threats. A similar approach should be adopted in chambers. Articles or guidance relevant to cyber security should be circulated, and people encouraged to engage with the concerns that are coming in the future.
With 2021 firmly in the rearview mirror, and optimists carefully listening for the first chaffinch song of spring, it is easy to forget that within the last 12 months one chambers sought an injunction against ‘persons unknown’ from disseminating information obtained in a ransomware attack, and the Bar Council described cyberattacks as a ‘wake-up call’.
Last year was significant for cyber threats to the Bar. Working from home continued as a result of the pandemic, impacting upon overall security concerns. High-profile attacks on prominent chambers and law firms put the legal profession at the forefront of cyber news.
Past warnings should still be fresh in people’s minds. The Bar Council suggested chambers ‘check the security of their information networks’ and ensure that ‘their critical business interruption plans are up to date and effective’.
But if these are the warnings of the past, what are the worries for the future? It may be ‘so 2021’ to be subject to a ransomware attack but unfortunately, unless chambers is aware of the potential future threats, it may also be an issue in 2022, 2023 and so on. Indeed, in March news broke that a criminal defence firm was fined £98,000 by the Information Commissioner’s Office (ICO) following a ransomware attack.
Previous advice in Counsel on the essential protection from cyberattack, and the best ways to respond, remains valid and appropriate in most circumstances. However, the following are five areas to consider going into 2022:
Domestic internet service providers are now boasting that wi-fi connections can support 100 devices. If this is an indication of the continued growth of the Internet of Things (IoT) in a home, then consider a set with dozens of tenants, clerks and support staff. It is not merely each having their own laptops, mobile phones, tablets, smart-watches and bluetooth-connected headphones. The chances are that if chambers buys any new equipment, whether an essential work device like a printer or a new fridge-freezer, it is highly likely that this could potentially access the chambers’ network.
These IoT devices often contain the minimum cyber-security protection required in order to maximise the efficiency of the primary function and minimise the cost of the device. And chambers should not underestimate the proliferation of IoT devices and the threat that these pose. Security cameras, smart TVs and internet-connected appliances were used by the Mirai Botnet to attack websites in a denial-of-service attack. If you have remote access to something in chambers, then an IoT device is being used. This could either be a tool for a hacker or an access point into your network.
The best advice: understand what IoT devices are being used in chambers, and ensure that security functions within the device are engaged. The default setting for many IoT devices is to allow access without restriction. This facilitates the initial connection to a network and increases the speed of the device. But this then generates a point of weakness within the network. Once you have completed the initial set-up, apply the highest security level available. You must also regularly update software for the device to ensure that historic bugs cannot be utilised to gain access to the device and consequently into your systems.
It is unsurprising that as the risk environment for cyberattacks becomes more precarious, the premiums associated with cyber insurance increase. It is not merely the increased headline cost of the premium which could impact upon chambers. Many insurance companies are now requiring additional security measures in order to keep premiums at their lowest level. Like a home insurer requiring windows and doors to be equipped with locks that meet a certain standard, going into 2022, cyber-insurers will now likely require, as standard, multi-factorial authentication (MFA) to access crucial chambers’ systems. Chambers may also be required to provide assurances that proper policies and procedures are in place to deal with ‘disaster recovery’.
The Bar Council IT Panel provides a wide range of guidance on the breadth of IT issues likely to impact barristers individually and chambers collectively. Just because you have read the guidance once does not necessarily mean that you are applying best practice. Chambers’ policies and procedures should be regularly updated and cross-referenced against the updates provided by the IT Panel.
If the renewal of chambers’ insurance does not requires a sudden move to MFA and a reconsideration of policies and procedures, then government regulation may impact upon cyber security considerations in 2022. Three key strategies from the ICO came to a conclusion in 2021: Information rights strategic plan 2017-2021; Technology Strategy 2018-2021; and International Strategy 2017-2021. Further, ICO Openness by Design comes to a conclusion this year. In the context of increased US regulation following the SolarWinds intrusion and the Colonial Pipeline ransomware attack, it is highly likely that the ICO will publish strategies targeting cyber security to protect personal data.
Self-employed barristers are all individually registered with the ICO, meaning that each is personally responsible for implementing any new strategic vision. ICO policies do not tend to be prescriptive. However, barristers will need to have at least some awareness of any new duty in processing personal data. Again, the Bar Council will seek to publish guidance on any ICO initiative which significantly impacts upon people’s practice but it is incumbent upon those at the Bar to be mindful that potential changes may be coming this year.
Supply chain concerns do not just affect retail or construction firms. If you use email, you are subject to a software supply chain. And going into 2022 it will be the software supply chain, rather than individual companies, which will be targeted by ransomware attacks. A successful ransomware attack on a technology company or internet service provider can impact upon hundreds if not thousands of companies, with the corresponding benefit to the hackers also increasing.
Chambers may not have the expertise in-house to monitor email security, Microsoft’s operating systems and/or cloud collaboration tools. These should be raised as a point of concern with any external IT provider.
‘Spear-phishing attacks’, however, when cybercriminals personalise emails to fit a smaller group of individuals so as to appear more authentic, are an area that barristers should be considering. Any suspicious emails should immediately be raised within chambers using an appropriate method. This might include having a single contact who notifies chambers when concerns arise, or having an alert function within chambers management software. Never forward on a suspicious email. Notify the appropriate person, who can identify whether attacks have been sent to multiple members of chambers.
Spear-phishing and traditional phishing attacks are successful because they target the weakest point within any chambers’ network: people.
Within companies, security teams are being encouraged to reach out and engage employees to ensure that people are aware of the most recent threats. A similar approach should be adopted in chambers. Articles or guidance relevant to cyber security should be circulated, and people encouraged to engage with the concerns that are coming in the future.
Sam Townend KC explains the Bar Council’s efforts towards ensuring a bright future for the profession
Giovanni D’Avola explores the issue of over-citation of unreported cases and the ‘added value’ elements of a law report
Louise Crush explores the key points and opportunities for tax efficiency
Westgate Wealth Management Ltd is a Partner Practice of FTSE 100 company St. James’s Place – one of the top UK Wealth Management firms. We offer a holistic service of distinct quality, integrity, and excellence with the aim to build a professional and valuable relationship with our clients, helping to provide them with security now, prosperity in the future and the highest standard of service in all of our dealings.
Is now the time to review your financial position, having reached a career milestone? asks Louise Crush
If you were to host a dinner party with 10 guests, and you asked them to explain what financial planning is and how it differs to financial advice, you’d receive 10 different answers. The variety of answers highlights the ongoing need to clarify and promote the value of financial planning.
On the 50th anniversary of the pub bombings, even now it is still unresolved. Chris Mullin, the journalist and former MP who led the campaign leading to the release of the Birmingham Six, looks back at events
One year on and the Court of Appeal fails to quash convictions after receiving evidence of racism in the jury room, and there are still no revisions to the Equal Treatment Bench Book , says Keir Monteith KC
Most of us like to think we would risk our career in order to meet our ethical obligations, so why have so many lawyers failed to hold the line? asks Flora Page
If your current practice environment is bringing you down, seek a new one. However daunting the change, it will be worth it, says Anon Barrister
A cultural life and times