On 29 June 2021, The Lawyer reported that 4 New Square Chambers, described by Chambers and Partners as a ‘leading commercial set’, had been the victim of a ransomware attack. The chambers’ website professes a specialism in information technology, illustrating that every set is a potential target for malware regardless of size or expertise. This point was emphasised three days later, on 2 July 2021, when news agencies reported that over 200 American businesses had been subject to a ransomware attack following an incident at a Miami-based IT firm.
So if leading commercial sets and IT firms are vulnerable to attack, how should chambers protect themselves from ransomware? The National Cyber Security Centre (NCSC) provides a range of advice and guidance relevant to securing chambers’ systems under its Cyber Essentials programme. Cyber Essentials also provides two forms of certification – Cyber Essentials and Cyber Essentials Plus – which are designed to provide peace of mind that cyber defences are in place to protect against the vast majority of common cyber-attacks.
Whether chambers achieves certification or not, the following five points are vital to ensure that hackers are not simply being invited to walk through an open door:
A firewall sits between your computer, or computers, and your internet connection; incoming traffic, whether emails or digital downloads, is analysed and assessed there before being permitted to enter the network.
Firewalls can be placed at various points within a chambers’ network:
Members of chambers should not consider the imposition of firewalls to be a ‘chambers problem’ rather than an issue for each individual. A boundary firewall will generally protect from external threats; however, if a personal laptop has been used, without a firewall, outside of a chambers setting, in particular when accessing public networks or untrusted Wi-Fi connections, then this can represent a risk to the chambers’ network. The NCSC Cyber Essentials Certification requires that all devices are configured to use a firewall.
When you acquire new devices or software, check that the security settings are at their highest level and not left at the default ‘Recommended’. Default configurations are often chosen for ease of use rather than security. While this may suit a home computer or tablet used to access music, games or videos, in a professional setting it may not be appropriate.
Passwords must be applied to all devices: computers, laptops, tablets and smartphones. Default passwords must be changed and, whenever possible, ‘strong passwords’ applied.
A strong password will contain upper and lower case letters, numbers, and special characters (@?!), and will contain multiple word combinations. Using multiple word combinations, rather than a single word which includes a special character or number, can be easier to remember, especially when a password needs to be updated regularly, and harder for a hacker to guess. ‘Password1’ which is changed to ‘Password2’ is very insecure, whereas ‘Cartoon-Duck-14-Coffee’ followed by ‘Cartoon-Duck-14-Tea’ is significantly more secure.
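As an added illustration, not part of the article, the following Python check applies the strength criteria stated above (mixed case, a digit, a special character, more than one word) and flags a trivial rotation such as ‘Password1’ to ‘Password2’ while accepting ‘Cartoon-Duck-14-Coffee’ to ‘Cartoon-Duck-14-Tea’. Treating the hyphen as a special character and the two-edit threshold for a “trivial” change are this example’s own assumptions.

```python
import re
import string

# Assumption: any punctuation (including the hyphen separators used in the
# article's example) counts as a special character alongside @ ? !.
SPECIAL = set(string.punctuation)


def meets_policy(pw: str) -> bool:
    """Mixed case, a digit, a special character and at least two words."""
    has_upper = any(c.isupper() for c in pw)
    has_lower = any(c.islower() for c in pw)
    has_digit = any(c.isdigit() for c in pw)
    has_special = any(c in SPECIAL for c in pw)
    # Words are alphabetic runs separated by digits or punctuation.
    words = [w for w in re.split(r"[^A-Za-z]+", pw) if len(w) >= 2]
    return has_upper and has_lower and has_digit and has_special and len(words) >= 2


def levenshtein(a: str, b: str) -> int:
    """Minimum number of single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_trivial_rotation(old: str, new: str, max_edits: int = 2) -> bool:
    """True if the change is only a trailing number or a couple of characters."""
    same_stem = old.rstrip(string.digits) == new.rstrip(string.digits)
    return same_stem or levenshtein(old, new) <= max_edits


def assess_change(old: str, new: str) -> list[str]:
    """Return the problems with a password change; an empty list means acceptable."""
    problems = []
    if not meets_policy(new):
        problems.append("new password does not meet the mixed-case/digit/special/multi-word policy")
    if is_trivial_rotation(old, new):
        problems.append("new password is a trivial rotation of the old one")
    return problems


if __name__ == "__main__":
    # The two rotations discussed in the article.
    print(assess_change("Password1", "Password2"))
    print(assess_change("Cartoon-Duck-14-Coffee", "Cartoon-Duck-14-Tea"))
```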
Face ID and Touch ID now mean that memorising passwords is no longer required, but this increases the risk if the passwords behind them are insecure.
Where chambers are protecting particularly important information, multi-factor authentication (‘2FA’) should be applied. Microsoft 365 now provides 2FA using smartphones for the second factor.
Admin accounts should not be keys to the entire castle. Check what privilege administrators have over a system and reduce access so that the admin accounts only have access to undertake specific administrative tasks.
Any account which requires full access, such as those of IT professionals or key employees, must use 2FA.
Only use software from official sources. The easiest method is to ensure users install software from manufacturer approved stores, which will be screening for malware. For mobile devices, this means sources such as Google Play or the Apple App Store.
NCSC Cyber Essentials Certification requires that administrative privileges are only given to those who need them, and that administrator access is controlled. Further, only necessary applications from official sources should be used.
Ransomware falls within the definition of malware, and can be introduced into a network in a variety of ways: through an infected email attachment; by a user browsing a malicious website; or use of a removable storage device, like a USB stick, carrying malware. Educating members of chambers, and staff, is an excellent way to start defending a network. However, the following technical measures should also be put in place:
Cyber Essentials Certification requires the use of at least one of the anti-malware defences listed above.
Many of the most popular applications will update regularly by default. However, this may often require a laptop or computer to restart before the updates are fully applied. Individuals are encouraged to update and restart as soon as they are prompted. This will improve the security of your machine and of the network, and will also prevent embarrassing updates causing a loss of connection in the middle of remote hearings.
Certification by the NCSC requires that devices, software and applications are kept up-to-date. This may mean updating devices, such as older iPhones, which no longer support the latest software versions.
Following the NCSC Guidance makes a network more secure and acts as a disincentive for a hacker. Why spend hours looking for a way into one network when you could potentially walk straight into another? However, ransomware is a problem that can affect anyone regardless of the size of the organisation, or the caution which is applied. If, like 4 New Square, a chambers is affected by ransomware, applying appropriate measures may assist when reporting a personal data breach to the Information Commissioner.
Further information: The Bar Council recently put out a notice on cybersecurity. The ethical guidance documents provided by the Bar Council’s IT Panel offer help on various data protection and privacy issues.