On 29 June 2021, The Lawyer reported that 4 New Square Chambers, described by Chambers and Partners as a ‘leading commercial set’, had been the victim of a ransomware attack. The chambers’ website professes a specialism in information technology, illustrating that every set is a potential target for malware regardless of size or expertise. This point was emphasised three days later, on 2 July 2021, when news agencies reported that over 200 American businesses had been subject to a ransomware attack following an incident at a Miami-based IT firm.

So if leading commercial sets and IT firms are vulnerable to attack, how should chambers protect themselves from ransomware? The National Cyber Security Centre (NCSC) provides a range of advice and guidance relevant to securing chambers’ systems under its Cyber Essentials programme. Cyber Essentials also provides two forms of certification – Cyber Essentials and Cyber Essentials Plus – which are designed to provide peace of mind that cyber defences are in place to protect against the vast majority of common cyber-attacks.

Whether chambers achieves certification or not, the following five points are vital to ensure that hackers are not simply being invited to walk through an open door:

1: Use a firewall to secure your internet connection

A firewall sits between your computer, or computers, and your internet connection, so that incoming traffic, whether emails or digital downloads, can be analysed and assessed before being permitted to enter the network.

Firewalls can be placed at various points within a chambers’ network:

  • Boundary firewalls are common for most organisations and will protect the whole network.
  • Individual firewalls should be considered by each member of chambers for their internet-connected personal laptops or computers. These will normally be included within the operating system and can be accessed through ‘Settings’.
  • Router firewalls can also provide boundary protection but are not always available. Chambers will need to talk to their internet service providers about the specific models being used.

Members of chambers should not consider the imposition of firewalls to be a ‘chambers problem’ rather than an issue for each individual. A boundary firewall will generally protect from external threats; however, if a personal laptop has been used, without a firewall, outside of a chambers setting, in particular when accessing public networks or untrusted Wi-Fi connections, then this can represent a risk to the chambers’ network. The NCSC Cyber Essentials Certification requires that all devices are configured to use a firewall.

2: Choose the most secure settings for your devices and software

When you acquire new devices or software, check that the security levels are at their highest and not at the default ‘Recommended’. Default configurations are often set up to ensure ease-of-use rather than security. While this may be a benefit for a home computer or tablet that is being used to access music, games or videos, in a professional setting this may not be appropriate.

Passwords must be applied to all devices: computers, laptops, tablets and smartphones. Default passwords must be changed, and, whenever possible, ‘strong passwords’ applied.

A strong password will contain upper and lower case letters, numbers, and special characters (@?!), and will contain multiple word combinations. Using multiple word combinations, rather than a single word which includes a special character or number, can be easier to remember, especially when a password needs to be updated regularly, and harder for a hacker to guess. ‘Password1’ which is changed to ‘Password2’ is very insecure, whereas ‘Cartoon-Duck-14-Coffee’ followed by ‘Cartoon-Duck-14-Tea’ is significantly more secure.

Face and touch ID now mean that memorising passwords is no longer required, but this does increase the risk if passwords are insecure.

Where chambers are protecting particularly important information, multi-factor authentication (‘2FA’) should be applied. Microsoft 365 now provides 2FA using smartphones as the second factor.

3: Control who has access to your data and services

Admin accounts should not be keys to the entire castle. Check what privilege administrators have over a system and reduce access so that the admin accounts only have access to undertake specific administrative tasks.

Any account which requires full access, such as those used by IT professionals or significant employees, must use 2FA to access the account.

Only use software from official sources. The easiest method is to ensure users install software from manufacturer-approved stores, which will be screening for malware. For mobile devices, this means sources such as Google Play or the Apple App Store.

NCSC Cyber Essentials Certification requires that administrative privileges are only given to those who need them, and that administrator access is controlled. Further, only necessary applications from official sources should be used.

4: Protect yourself from viruses and other malware

Ransomware falls within the definition of malware, and can be introduced into a network in a variety of ways: through an infected email attachment; by a user browsing a malicious website; or use of a removable storage device, like a USB stick, carrying malware. Educating members of chambers, and staff, is an excellent way to start defending a network. However, the following technical measures should also be put in place:

  • Anti-malware/anti-virus software should be installed and kept updated. Anti-malware measures such as Windows Defender are often free and can be enabled through your laptop or personal computer control panel. Anti-virus software may need to be purchased, or updated through a paid subscription. However, group discounts will often be available for multiple users or the whole of chambers.
  • Allowed lists prevent users from installing applications on to networks without permission. Those users with permission will be required to take responsibility for ensuring that anything installed is from an approved store. Alternatively, all users can be permitted to install applications but an ‘allowed list’ of software could be created. Installation of applications not found on the allowed list would be refused.
  • ‘Sandboxing’ is a cyber security practice where applications are run in an isolated environment separated from user files, such as client data. Google Chrome, for example, runs a sandbox around each separate browser being used by default.

Cyber Essentials Certification requires the use of at least one of the anti-malware defences listed above.
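As an added illustration of the ‘allowed list’ measure above (not part of the original article or of NCSC guidance), this Python example approves installers by the SHA-256 fingerprint of their contents rather than by file name, so a renamed or altered file is still refused. The installer contents, file names and the function `check_install` are constructed for the example.

```python
import hashlib

# Constructed sample data: byte strings stand in for real installer files.
APPROVED_INSTALLER = b"constructed sample: approved dictation tool v1.0"
UNKNOWN_INSTALLER = b"constructed sample: unapproved download"

# Hypothetical allowed list: SHA-256 fingerprint -> what was approved.
ALLOWED = {
    hashlib.sha256(APPROVED_INSTALLER).hexdigest(): "Dictation tool 1.0",
}


def check_install(filename: str, data: bytes, allowed: dict) -> tuple:
    """Return (permitted, reason) for an installer.

    The decision depends only on the file's contents. The file name is
    used for the log message and nothing else, because anyone can rename
    a file to look like approved software.
    """
    digest = hashlib.sha256(data).hexdigest()
    if digest in allowed:
        return True, f"ALLOW {filename}: matches '{allowed[digest]}'"
    return False, f"REFUSE {filename}: {digest[:12]}... is not on the allowed list"


if __name__ == "__main__":
    cases = [
        # Approved contents under the expected name.
        ("dictation-setup.exe", APPROVED_INSTALLER),
        # Unapproved contents renamed to look approved: still refused.
        ("dictation-setup.exe", UNKNOWN_INSTALLER),
        # Approved contents under a different name: still allowed.
        ("download(1).exe", APPROVED_INSTALLER),
        # Approved installer with one byte added (tampered): refused.
        ("dictation-setup.exe", APPROVED_INSTALLER + b"\x00"),
    ]
    for name, data in cases:
        print(check_install(name, data, ALLOWED)[1])
```

Each new version of an approved application has a different fingerprint, so the allowed list has to be updated whenever software is updated.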

5: Keep your devices and software up to date

Many of the most popular applications will update regularly by default. However, this may often require a laptop or computer to restart before the updates are fully implemented. Individuals are encouraged to update and restart as soon as they are prompted. This will improve machine and network security, and will also prevent embarrassing updates causing a loss of connection in the middle of remote hearings.

Certification by the NCSC requires that devices, software and applications are kept up-to-date. This may mean updating devices, such as older iPhones, which no longer support the latest software versions.

Following the NCSC Guidance makes a network more secure and acts as a disincentive for a hacker. Why spend hours looking for a way into one network when you could potentially walk straight into another? However, ransomware is a problem that can affect anyone regardless of the size of the organisation, or the caution which is applied. If, like 4 New Square, a chambers is affected by ransomware, applying appropriate measures may assist when reporting a personal data breach to the Information Commissioner. 

Further information: The Bar Council recently put out a notice on cybersecurity. The ethical guidance documents provided by the Bar Council’s IT Panel offer help on various data protection and privacy issues.