On 29 June 2021, The Lawyer reported that 4 New Square Chambers, described by Chambers and Partners as a ‘leading commercial set’, had been the victim of a ransomware attack. The chambers’ website professes a specialism in information technology, illustrating that every set is a potential target for malware regardless of size or expertise. This point was emphasised three days later, on 2 July 2021, when news agencies reported that over 200 American businesses had been subject to a ransomware attack following an incident at a Miami-based IT firm.
So if leading commercial sets and IT firms are vulnerable to attack, how should chambers protect themselves from ransomware? The National Cyber Security Centre (NCSC) provides a range of advice and guidance relevant to securing chambers’ systems under its Cyber Essentials programme. Cyber Essentials also provides two forms of certification – Cyber Essentials and Cyber Essentials Plus – which are designed to provide peace of mind that cyber defences are in place to protect against the vast majority of common cyber-attacks.
Whether chambers achieves certification or not, the following five points are vital to ensure that hackers are not simply being invited to walk through an open door:
A firewall is an area between your computer, or computers, and your internet connection in which incoming traffic, whether emails or digital downloads, can be analysed and assessed before being permitted to enter the network.
Firewalls can be placed at various points within a chambers’ network:
Members of chambers should not consider the imposition of firewalls to be a ‘chambers problem’ rather than an issue for each individual. A boundary firewall will generally protect from external threats; however, if a personal laptop has been used, without a firewall, outside of a chambers setting, in particular when accessing public networks or untrusted Wi-Fi connections, then this can represent a risk to the chambers’ network. The NCSC Cyber Essentials Certification requires that all devices are configured to use a firewall.
When you acquire new devices or software, check that the security levels are at their highest and not at the default ‘Recommended’. Default configurations are often set to ensure ease-of-use rather than security. While this may be a benefit for a home computer or tablet that is being used to access music, games or videos, in a professional setting this may not be appropriate.
Passwords must be applied to all devices: computers, laptops, tablets and smartphones. Default passwords must be changed and, whenever possible, ‘strong passwords’ applied.
A strong password will contain upper and lower case letters, numbers, and special characters (@?!), and will contain multiple word combinations. Using multiple word combinations, rather than a single word which includes a special character or number, can be easier to remember, especially when a password needs to be updated regularly, and harder for a hacker to guess. ‘Password1’, which is changed to ‘Password2’, is very insecure, whereas ‘Cartoon-Duck-14-Coffee’ followed by ‘Cartoon-Duck-14-Tea’ is significantly more secure.
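The criteria in the paragraph above can be checked mechanically when a password is set or changed. The following is an added example, not part of the original article: the function names, the minimum length and the minimum word count are assumptions chosen for illustration, and the sample inputs are the article's own examples.

```python
import re

# Assumed thresholds for this example; the article gives no numbers.
MIN_LENGTH = 12
MIN_WORDS = 3

# The four character classes the article lists.
CLASSES = {
    "lower": r"[a-z]",
    "upper": r"[A-Z]",
    "digit": r"[0-9]",
    "special": r"[^A-Za-z0-9]",
}


def missing_classes(password):
    """Character classes named in the article that the password lacks."""
    return [name for name, pattern in CLASSES.items()
            if not re.search(pattern, password)]


def word_parts(password):
    """Alphabetic runs of 3+ letters, split on digits and punctuation."""
    return [p for p in re.split(r"[^A-Za-z]+", password) if len(p) >= 3]


def is_trivial_rotation(previous, new):
    """True when the new password equals the old one once digits are removed."""
    strip = lambda s: re.sub(r"[0-9]", "", s).lower()
    return strip(previous) == strip(new)


def check_password(new, previous=None):
    """Return a list of failure codes; an empty list means every check passed."""
    failures = []
    if len(new) < MIN_LENGTH:
        failures.append("too_short")
    failures += ["missing_" + c for c in missing_classes(new)]
    if len(word_parts(new)) < MIN_WORDS:
        failures.append("too_few_words")
    if previous is not None and is_trivial_rotation(previous, new):
        failures.append("trivial_rotation")
    return failures


if __name__ == "__main__":
    # The article's own examples, used as sample input.
    for old, new in [("Password1", "Password2"),
                     ("Cartoon-Duck-14-Coffee", "Cartoon-Duck-14-Tea")]:
        print(new, check_password(new, previous=old) or "ok")
```

The check covers only the criteria the article names; it does not compare the password against lists of commonly used or previously breached passwords.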
Face and touch ID now mean that memorising passwords is no longer required, but this does increase the risk if passwords are insecure.
Where chambers are protecting particularly important information, multi-factor authentication (‘2FA’) should be applied. Microsoft 365 now provides 2FA using smartphones as the second factor.
Admin accounts should not be keys to the entire castle. Check what privilege administrators have over a system and reduce access so that the admin accounts only have access to undertake specific administrative tasks.
Any account which requires full access, such as IT professionals or significant employees, must use 2FA to access the account.
Only use software from official sources. The easiest method is to ensure users install software from manufacturer-approved stores, which screen for malware. For mobile devices, this means sources such as Google Play or the Apple App Store.
NCSC Cyber Essentials Certification requires that administrative privileges are only given to those who need them, and that administrator access is controlled. Further, only necessary applications from official sources should be used.
Ransomware falls within the definition of malware, and can be introduced into a network in a variety of ways: through an infected email attachment; by a user browsing a malicious website; or use of a removable storage device, like a USB stick, carrying malware. Educating members of chambers, and staff, is an excellent way to start defending a network. However, the following technical measures should also be put in place:
Cyber Essentials Certification requires the use of at least one of the anti-malware defences listed above.
Many of the most popular applications will update regularly by default. However, this may often require a laptop or computer to restart before the updates are fully implemented. Individuals are encouraged to update and restart as soon as they are prompted. This will improve machine and network security, and will also prevent embarrassing updates causing a loss of connection in the middle of remote hearings.
Certification by the NCSC requires that devices, software and applications are kept up-to-date. This may mean updating devices, such as older iPhones, which no longer support the latest software versions.
Following the NCSC Guidance makes a network more secure and acts as a disincentive for a hacker. Why spend hours looking for a way into one network when you could potentially walk straight into another? However, ransomware is a problem that can affect anyone regardless of the size of the organisation, or the caution which is applied. If, like 4 New Square, a chambers is affected by ransomware, applying appropriate measures may assist when reporting a personal data breach to the Information Commissioner.
Further information: The Bar Council recently put out a notice on cybersecurity. The ethical guidance documents provided by the Bar Council’s IT Panel offer help on various data protection and privacy issues.