*/
With 2021 firmly in the rearview mirror, and optimists carefully listening for the first chaffinch song of spring, it is easy to forget that within the last 12 months one chambers sought an injunction against ‘persons unknown’ from disseminating information obtained in a ransomware attack, and the Bar Council described cyberattacks as a ‘wake-up call’.
Last year was significant for cyber threats to the Bar. Working from home continued as a result of the pandemic, impacting upon overall security concerns. High-profile attacks on prominent chambers and law firms put the legal profession at the forefront of cyber news.
Past warnings should still be fresh in people’s minds. The Bar Council suggested chambers ‘check the security of their information networks’ and ensure that ‘their critical business interruption plans are up to date and effective’.
But if these are the warnings of the past, what are the worries for the future? It may be ‘so 2021’ to be subject to a ransomware attack but unfortunately, unless chambers is aware of the potential future threats, it may also be an issue in 2022, 2023 and so on. Indeed, in March news broke that a criminal defence firm was fined £98,000 by the Information Commissioner’s Office (ICO) following a ransomware attack.
Previous advice in Counsel on the essential protection from cyberattack, and the best ways to respond, remains valid and appropriate in most circumstances. However, the following are five areas to consider going into 2022:
Domestic internet service providers are now boasting that wi-fi connections can support 100 devices. If this is an indication of the continued growth of the Internet of Things (IoT) in a home, then consider a set with dozens of tenants, clerks and support staff. It is not merely each having their own laptops, mobile phones, tablets, smart-watches and bluetooth-connected headphones. The chances are that if chambers buys any new equipment, whether an essential work device like a printer or a new fridge-freezer, it is highly likely that this could potentially access the chambers’ network.
These IoT devices often contain the minimum cyber-security protection required in order to maximise the efficiency of the primary function and minimise the cost of the device. And chambers should not underestimate the proliferation of IoT devices and the threat that these pose. Security cameras, smart TVs and internet-connected appliances were used by the Mirai Botnet to attack websites in a denial-of-service attack. If you have remote access to something in chambers, then an IoT device is being used. This could either be a tool for a hacker or an access point into your network.
The best advice: understand what IoT devices are being used in chambers, and ensure that security functions within the device are engaged. The default setting for many IoT devices is to allow access without restriction. This facilitates the initial connection to a network and increases the speed of the device. But this then generates a point of weakness within the network. Once you have completed the initial set-up, apply the highest security level available. You must also regularly update software for the device to ensure that historic bugs cannot be utilised to gain access to the device and consequently into your systems.
It is unsurprising that as the risk environment for cyberattacks becomes more precarious, the premiums associated with cyber insurance increase. It is not merely the increased headline cost of the premium which could impact upon chambers. Many insurance companies are now requiring additional security measures in order to keep premiums at their lowest level. Like a home insurer requiring windows and doors to be equipped with locks that meet a certain standard, going into 2022, cyber-insurers will now likely require, as standard, multi-factorial authentication (MFA) to access crucial chambers’ systems. Chambers may also be required to provide assurances that proper policies and procedures are in place to deal with ‘disaster recovery’.
The Bar Council IT Panel provides a wide range of guidance on the breadth of IT issues likely to impact barristers individually and chambers collectively. Just because you have read the guidance once does not necessarily mean that you are applying best practice. Chambers’ policies and procedures should be regularly updated and cross-referenced against the updates provided by the IT Panel.
If the renewal of chambers’ insurance does not requires a sudden move to MFA and a reconsideration of policies and procedures, then government regulation may impact upon cyber security considerations in 2022. Three key strategies from the ICO came to a conclusion in 2021: Information rights strategic plan 2017-2021; Technology Strategy 2018-2021; and International Strategy 2017-2021. Further, ICO Openness by Design comes to a conclusion this year. In the context of increased US regulation following the SolarWinds intrusion and the Colonial Pipeline ransomware attack, it is highly likely that the ICO will publish strategies targeting cyber security to protect personal data.
Self-employed barristers are all individually registered with the ICO, meaning that each is personally responsible for implementing any new strategic vision. ICO policies do not tend to be prescriptive. However, barristers will need to have at least some awareness of any new duty in processing personal data. Again, the Bar Council will seek to publish guidance on any ICO initiative which significantly impacts upon people’s practice but it is incumbent upon those at the Bar to be mindful that potential changes may be coming this year.
Supply chain concerns do not just affect retail or construction firms. If you use email, you are subject to a software supply chain. And going into 2022 it will be the software supply chain, rather than individual companies, which will be targeted by ransomware attacks. A successful ransomware attack on a technology company or internet service provider can impact upon hundreds if not thousands of companies, with the corresponding benefit to the hackers also increasing.
Chambers may not have the expertise in-house to monitor email security, Microsoft’s operating systems and/or cloud collaboration tools. These should be raised as a point of concern with any external IT provider.
‘Spear-phishing attacks’, however, when cybercriminals personalise emails to fit a smaller group of individuals so as to appear more authentic, are an area that barristers should be considering. Any suspicious emails should immediately be raised within chambers using an appropriate method. This might include having a single contact who notifies chambers when concerns arise, or having an alert function within chambers management software. Never forward on a suspicious email. Notify the appropriate person, who can identify whether attacks have been sent to multiple members of chambers.
Spear-phishing and traditional phishing attacks are successful because they target the weakest point within any chambers’ network: people.
Within companies, security teams are being encouraged to reach out and engage employees to ensure that people are aware of the most recent threats. A similar approach should be adopted in chambers. Articles or guidance relevant to cyber security should be circulated, and people encouraged to engage with the concerns that are coming in the future.
With 2021 firmly in the rearview mirror, and optimists carefully listening for the first chaffinch song of spring, it is easy to forget that within the last 12 months one chambers sought an injunction against ‘persons unknown’ from disseminating information obtained in a ransomware attack, and the Bar Council described cyberattacks as a ‘wake-up call’.
Last year was significant for cyber threats to the Bar. Working from home continued as a result of the pandemic, impacting upon overall security concerns. High-profile attacks on prominent chambers and law firms put the legal profession at the forefront of cyber news.
Past warnings should still be fresh in people’s minds. The Bar Council suggested chambers ‘check the security of their information networks’ and ensure that ‘their critical business interruption plans are up to date and effective’.
But if these are the warnings of the past, what are the worries for the future? It may be ‘so 2021’ to be subject to a ransomware attack but unfortunately, unless chambers is aware of the potential future threats, it may also be an issue in 2022, 2023 and so on. Indeed, in March news broke that a criminal defence firm was fined £98,000 by the Information Commissioner’s Office (ICO) following a ransomware attack.
Previous advice in Counsel on the essential protection from cyberattack, and the best ways to respond, remains valid and appropriate in most circumstances. However, the following are five areas to consider going into 2022:
Domestic internet service providers are now boasting that wi-fi connections can support 100 devices. If this is an indication of the continued growth of the Internet of Things (IoT) in a home, then consider a set with dozens of tenants, clerks and support staff. It is not merely each having their own laptops, mobile phones, tablets, smart-watches and bluetooth-connected headphones. The chances are that if chambers buys any new equipment, whether an essential work device like a printer or a new fridge-freezer, it is highly likely that this could potentially access the chambers’ network.
These IoT devices often contain the minimum cyber-security protection required in order to maximise the efficiency of the primary function and minimise the cost of the device. And chambers should not underestimate the proliferation of IoT devices and the threat that these pose. Security cameras, smart TVs and internet-connected appliances were used by the Mirai Botnet to attack websites in a denial-of-service attack. If you have remote access to something in chambers, then an IoT device is being used. This could either be a tool for a hacker or an access point into your network.
The best advice: understand what IoT devices are being used in chambers, and ensure that security functions within the device are engaged. The default setting for many IoT devices is to allow access without restriction. This facilitates the initial connection to a network and increases the speed of the device. But this then generates a point of weakness within the network. Once you have completed the initial set-up, apply the highest security level available. You must also regularly update software for the device to ensure that historic bugs cannot be utilised to gain access to the device and consequently into your systems.
It is unsurprising that as the risk environment for cyberattacks becomes more precarious, the premiums associated with cyber insurance increase. It is not merely the increased headline cost of the premium which could impact upon chambers. Many insurance companies are now requiring additional security measures in order to keep premiums at their lowest level. Like a home insurer requiring windows and doors to be equipped with locks that meet a certain standard, going into 2022, cyber-insurers will now likely require, as standard, multi-factorial authentication (MFA) to access crucial chambers’ systems. Chambers may also be required to provide assurances that proper policies and procedures are in place to deal with ‘disaster recovery’.
The Bar Council IT Panel provides a wide range of guidance on the breadth of IT issues likely to impact barristers individually and chambers collectively. Just because you have read the guidance once does not necessarily mean that you are applying best practice. Chambers’ policies and procedures should be regularly updated and cross-referenced against the updates provided by the IT Panel.
If the renewal of chambers’ insurance does not requires a sudden move to MFA and a reconsideration of policies and procedures, then government regulation may impact upon cyber security considerations in 2022. Three key strategies from the ICO came to a conclusion in 2021: Information rights strategic plan 2017-2021; Technology Strategy 2018-2021; and International Strategy 2017-2021. Further, ICO Openness by Design comes to a conclusion this year. In the context of increased US regulation following the SolarWinds intrusion and the Colonial Pipeline ransomware attack, it is highly likely that the ICO will publish strategies targeting cyber security to protect personal data.
Self-employed barristers are all individually registered with the ICO, meaning that each is personally responsible for implementing any new strategic vision. ICO policies do not tend to be prescriptive. However, barristers will need to have at least some awareness of any new duty in processing personal data. Again, the Bar Council will seek to publish guidance on any ICO initiative which significantly impacts upon people’s practice but it is incumbent upon those at the Bar to be mindful that potential changes may be coming this year.
Supply chain concerns do not just affect retail or construction firms. If you use email, you are subject to a software supply chain. And going into 2022 it will be the software supply chain, rather than individual companies, which will be targeted by ransomware attacks. A successful ransomware attack on a technology company or internet service provider can impact upon hundreds if not thousands of companies, with the corresponding benefit to the hackers also increasing.
Chambers may not have the expertise in-house to monitor email security, Microsoft’s operating systems and/or cloud collaboration tools. These should be raised as a point of concern with any external IT provider.
‘Spear-phishing attacks’, however, when cybercriminals personalise emails to fit a smaller group of individuals so as to appear more authentic, are an area that barristers should be considering. Any suspicious emails should immediately be raised within chambers using an appropriate method. This might include having a single contact who notifies chambers when concerns arise, or having an alert function within chambers management software. Never forward on a suspicious email. Notify the appropriate person, who can identify whether attacks have been sent to multiple members of chambers.
Spear-phishing and traditional phishing attacks are successful because they target the weakest point within any chambers’ network: people.
Within companies, security teams are being encouraged to reach out and engage employees to ensure that people are aware of the most recent threats. A similar approach should be adopted in chambers. Articles or guidance relevant to cyber security should be circulated, and people encouraged to engage with the concerns that are coming in the future.
The Chair of the Bar sets out how the new government can restore the justice system
In the first of a new series, Louise Crush of Westgate Wealth considers the fundamental need for financial protection
Unlocking your aged debt to fund your tax in one easy step. By Philip N Bristow
Possibly, but many barristers are glad he did…
Mental health charity Mind BWW has received a £500 donation from drug, alcohol and DNA testing laboratory, AlphaBiolabs as part of its Giving Back campaign
The Institute of Neurotechnology & Law is thrilled to announce its inaugural essay competition
How to navigate open source evidence in an era of deepfakes. By Professor Yvonne McDermott Rees and Professor Alexa Koenig
Brie Stevens-Hoare KC and Lyndsey de Mestre KC take a look at the difficulties women encounter during the menopause, and offer some practical tips for individuals and chambers to make things easier
Sir Geoffrey Vos, Master of the Rolls and Head of Civil Justice since January 2021, is well known for his passion for access to justice and all things digital. Perhaps less widely known is the driven personality and wanderlust that lies behind this, as Anthony Inglese CB discovers
The Chair of the Bar sets out how the new government can restore the justice system
No-one should have to live in sub-standard accommodation, says Antony Hodari Solicitors. We are tackling the problem of bad housing with a two-pronged approach and act on behalf of tenants in both the civil and criminal courts