On 29 June 2021, The Lawyer reported that 4 New Square Chambers, described by Chambers and Partners as a ‘leading commercial set’, had been the victim of a ransomware attack. The chambers’ website professes a specialism in information technology, illustrating that every set is a potential target for malware regardless of size or expertise. This point was emphasised three days later, on 2 July 2021, when news agencies reported that over 200 American businesses had been subject to a ransomware attack following an incident at a Miami-based IT firm.
So if leading commercial sets and IT firms are vulnerable to attack, how should chambers protect themselves from ransomware? The National Cyber Security Centre (NCSC) provides a range of advice and guidance relevant to securing chambers’ systems under its Cyber Essentials programme. Cyber Essentials also provides two forms of certification – Cyber Essentials and Cyber Essentials Plus – which are designed to provide peace of mind that cyber defences are in place to protect against the vast majority of common cyber-attacks.
Whether chambers achieves certification or not, the following five points are vital to ensure that hackers are not simply being invited to walk through an open door:
A firewall is an area between your computer, or computers, and your internet connection in which incoming traffic, whether emails or digital downloads, can be analysed and assessed before being permitted to enter the network.
Firewalls can be placed at various points within a chambers’ network:
Members of chambers should not consider the imposition of firewalls to be a ‘chambers problem’ rather than an issue for each individual. A boundary firewall will generally protect from external threats; however, if a personal laptop has been used, without a firewall, outside of a chambers setting, in particular when accessing public networks or untrusted Wi-Fi connections, then this can represent a risk to the chambers’ network. The NCSC Cyber Essentials Certification requires that all devices are configured to use a firewall.
When you acquire new devices or software, check that the security levels are at their highest and not at the default ‘Recommended’. Default configurations are often chosen for ease of use rather than security. While this may be a benefit for a home computer or tablet that is being used to access music, games or videos, in a professional setting this may not be appropriate.
Passwords must be applied to all devices: computers, laptops, tablets and smartphones. Default passwords must be changed and, whenever possible, ‘strong passwords’ applied.
A strong password will contain upper and lower case letters, numbers, and special characters (@?!), and will contain multiple word combinations. Using multiple word combinations, rather than a single word which includes a special character or number, can be easier to remember, especially when a password needs to be updated regularly, and harder for a hacker to guess. ‘Password1’ which is changed to ‘Password2’ is very insecure, whereas ‘Cartoon-Duck-14-Coffee’ followed by ‘Cartoon-Duck-14-Tea’ is significantly more secure.
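The criteria in the paragraph above can be expressed as a check, shown here as an added example that is not part of the original article. The function names, the two-word minimum, and the rule that any non-alphanumeric character counts as special are assumptions; the sample passwords are the article's own.

```python
import re

MIN_WORDS = 2  # assumption: "multiple word combinations" means two or more words


def check_password(password):
    """Return the article's strong-password criteria that `password` fails."""
    failures = []
    if not re.search(r"[A-Z]", password):
        failures.append("no upper case letter")
    if not re.search(r"[a-z]", password):
        failures.append("no lower case letter")
    if not re.search(r"\d", password):
        failures.append("no number")
    # Assumption: any character that is not a letter or digit is "special".
    if not re.search(r"[^A-Za-z0-9]", password):
        failures.append("no special character")
    # Words are runs of three or more letters split by digits or separators;
    # words run together without a separator are counted as one word.
    words = re.findall(r"[A-Za-z]{3,}", password)
    if len(words) < MIN_WORDS:
        failures.append("not a multiple word combination")
    return failures


def is_counter_rotation(old, new):
    """True when `new` differs from `old` only in case or its trailing number."""
    def base(p):
        return re.sub(r"\d+$", "", p).lower()
    return old != new and base(old) == base(new)


def review_change(old, new):
    """Check a password update: the new value plus the way it was changed."""
    failures = check_password(new)
    if is_counter_rotation(old, new):
        failures.append("only the trailing number changed")
    return failures


if __name__ == "__main__":
    # The two update pairs quoted in the article.
    for old, new in [("Password1", "Password2"),
                     ("Cartoon-Duck-14-Coffee", "Cartoon-Duck-14-Tea")]:
        print(new, review_change(old, new) or "meets the criteria")
```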
Face and touch ID now mean that memorising passwords is no longer required, but this does increase the risk if passwords are insecure.
Where chambers are protecting particularly important information, multi-factor authentication (‘2FA’) should be applied. Microsoft 365 now provides 2FA using smartphones as the second factor.
Admin accounts should not be keys to the entire castle. Check what privilege administrators have over a system and reduce access so that the admin accounts only have access to undertake specific administrative tasks.
Any account which requires full access, such as those of IT professionals or significant employees, must use 2FA to access the account.
Only use software from official sources. The easiest method is to ensure users install software from manufacturer-approved stores, which will be screening for malware. For mobile devices, this means sources such as Google Play or the Apple App Store.
NCSC Cyber Essentials Certification requires that administrative privileges are only given to those who need them, and that administrator access is controlled. Further, only necessary applications from official sources should be used.
Ransomware falls within the definition of malware, and can be introduced into a network in a variety of ways: through an infected email attachment; by a user browsing a malicious website; or through use of a removable storage device, like a USB stick, carrying malware. Educating members of chambers, and staff, is an excellent way to start defending a network. However, the following technical measures should also be put in place:
Cyber Essentials Certification requires the use of at least one of the anti-malware defences listed above.
Many of the most popular applications will update regularly by default. However, this may often require a laptop or computer to restart before the updates are fully implemented. Individuals are encouraged to update and restart as soon as they are prompted. This will improve machine and network security, and will also prevent embarrassing updates causing a loss of connection in the middle of remote hearings.
Certification by the NCSC requires that devices, software and applications are kept up-to-date. This may mean updating devices, such as older iPhones, which no longer support the latest software versions.
Following the NCSC Guidance makes a network more secure and acts as a disincentive for a hacker. Why spend hours looking for a way into one network when you could potentially walk straight into another? However, ransomware is a problem that can affect anyone regardless of the size of the organisation, or the caution which is applied. If, like 4 New Square, a chambers is affected by ransomware, applying appropriate measures may assist when reporting a personal data breach to the Information Commissioner.
Further information: The Bar Council recently put out a notice on cybersecurity. The ethical guidance documents provided by the Bar Council’s IT Panel offer help on various data protection and privacy issues.