‘Don’t trust anyone. Question everything. There’s no such thing as a free lunch.’

As the operations manager at a leading commercial set, Jacky Chase knows a thing or two about keeping cybercriminals at bay.

‘You would have to be living the life of a hermit to not realise that cyber fraud is on the increase,’ says Jacky, of London’s Essex Court Chambers.

Two weeks after Jacky uttered these words, the Information Commissioner’s Office announced a £98,000 fine for a criminal defence firm struck by a ransomware attack.

But cybersecurity has been the talk of the legal industry for some time ­– not least last year, says Jacky, when two chambers were reported to have been targeted.

Many solicitors’ firms reacted by drawing up questionnaires and sending them to chambers, she explains, in an attempt to gain reassurances that data was being stored securely.

Some of the questionnaires were between 80-100 questions long, which posed a massive challenge for those chambers without IT staff.

‘Whereas many of the large law firms have whole IT departments with five, six or seven members of staff, all specialists in their area, most chambers either have no-one, with everything being outsourced, or one or two internal people.’

As a result, for Essex Court Chambers and many others, answering the questionnaires took up ‘an inordinate amount of time and effort’, Jacky says.

Jacky Chase, Operations Manager at Essex Court Chambers

And it didn’t help that some of the questions were particularly complex.

‘Some of the terminology in the questionnaires was so technical that I didn’t understand the questions,’ Jacky recalls.

Now, however, Jacky believes a solution has been found – in the form of a simpler, standardised questionnaire.

The new form, containing a total of 24 questions, has been created by a cybersecurity working group set up by the Law Society and the Bar Council.

Jacky believes the questionnaire is ‘a vital tool in ensuring your chambers has taken all possible care in protecting its data’.

She adds that it should be easily used by everyone, ‘from a sole practitioner to large chambers’.

For those who fail to take cybersecurity seriously, there is potentially much at stake – Jacky describes the consequences as ‘huge’.

‘First of all, your obligation under GDPR is to keep your client’s data safe,’ says Jacky. 

‘If you were to lose your client’s data, the fines – if it was decided it was your fault – could be endless.

‘The fines have got lots of noughts on the end. But, even more than that, your business’s reputation [gets damaged].

‘You’re in competition with all the other chambers and if your clients don’t feel their data is safe with you, they’ll go somewhere else.’

Although cybersecurity threats go beyond hackers, cybercriminals are certainly among the most menacing – and, it seems, the most mysterious.

‘I don’t think that most hackers are looking for anything in particular,’ says Jacky, who senses a ‘scattergun’ approach.

She says: ‘They’re not actually interested in the data. What they’re interested in is saying, “If I’ve got your data, I can charge you a lot of money to release that data. Not only do you not want that data going anywhere else; you need that data”.’

Giving staff proper training is one of the best ways that an organisation can stop its data getting lost or falling into the wrong hands.

‘The key thing is to make sure your people are aware of what cybersecurity is, why it’s important and why there are things that they should do and should not do,’ says Jacky, who believes training should be mandatory for everyone.

‘People are your weakest point. It’s someone clicking a link on an email [and getting hacked]. You see examples of it all the time.’

Social media is another dangerous territory, says Jacky, with scammers known to use platforms including Instagram.

‘Anywhere that you can impersonate someone could be [host to] cyber fraud,’ says Jacky. ‘If you can’t physically see someone, how do you know that they are who they say they are? Don’t trust anyone. Question everything. There’s no such thing as a free lunch.’

But cybersecurity is not only about protecting yourself against hackers and fraudsters.

‘It’s also about other things that can happen to your data,’ says Jacky. ‘It could be a flood, it could be a fire, it could be a power outage, it could be as simple as someone pressing the wrong key on the keyboard.’

Yet no matter how someone ends up losing their data, Jacky would ‘hope that somewhere there would be a back-up that you could use’.

‘It’s about keeping that data secure even if something outside your control happens,’ she says.

In terms of top tips on cybersecurity, Jacky suggests that the basics go a long way. 

‘It’s making sure that people are using encryption, that people are using good passwords.’

More detailed steps will be laid out in the new questionnaire – set for release on 25 March – and advice is also available from the National Cyber Security Centre (NCSC), whose 10 Steps to Cyber Security forms the basis of the questionnaire.

‘Keeping your data secure is simply about knowing what data you hold, where it is kept and making sure you control access to it,’ says Jacky.

Recommending people to go through the questionnaire at least twice a year, she adds: ‘We can all think we’re secure until the day something happens.’

The questionnaire will be launched at the ‘Risk and Compliance Annual Conference 2022’ in the Law Society’s membership building at Chancery Lane, London on 25 March. Update 25 March: the cybersecurity questionnaire is available here