The number of recent ransomware attacks on barristers’ chambers is a reminder that you’re not immune from cyberattack. Indeed, in 2018 the UK National Cyber Security Centre found that 60% of law firms had experienced an information security incident in the preceding year. The NCSC then issued a report highlighting how and why the legal sector is targeted by cybercriminals.
You’re under attack because you hold commercially valuable and sensitive client information, and perhaps material that attracts “hacktivists” with a political or ideological agenda. You’re also perceived to be a relatively soft target because too often the sector has treated cybersecurity as an IT concern, rather than as the strategic risk management issue it in fact is.
To be clear, cyberattacks pose a massive risk to chambers. At the very least there is the cost of lost productivity when systems are down and data is lost or corrupted. In addition there could be the costs of extortion: ransomware victims can find themselves paying for a decryption key only to have the criminals demand more money to release it, and then come back for more under the threat that stolen data will be put in the public domain.
If stolen confidential data does get into the public domain, chambers will be in breach of both Bar and Law Society standards, could be liable to pay a heavy fine for breaching GDPR, and could find their cybersecurity insurance invalidated. It will also likely cause devastating reputational damage. Chambers are well-advised therefore to ensure they are taking reasonable steps to protect themselves from cyberattacks. So what should you do?
How to mount reasonable cyber defences
A good place to start would be to conduct a quick cybersecurity audit. At what level is cybersecurity handled? Who sets the agenda? The most senior decision-makers in your chambers ought to be apprised of actions taken on cybersecurity at least quarterly. They ought to have signed off on an incident response plan that is regularly reviewed and chambers ought to regularly conduct some testing of their cyber-defences.
Do you operate some relatively straightforward security practices, such as a fully documented and regularly tested back-up regime, protected against ransomware attacks via isolation or by other means? Do you use multi-factor authentication to protect access and validate user credentials? Do you regularly review privileged access and have standards in place on security protocols such as the length of passwords and how often they’re changed? Do you run device management solutions that monitor end user devices and ensure they meet minimum security standards?
Do you regularly train staff and barristers on the importance of cybersecurity? This is critical because “human error”, whether accidental or malicious, accounts for the vast majority of data breaches. People need an awareness of how cybercriminals operate and of their so-called “social engineering” techniques, such as “scareware”, where victims are frightened into providing system access or sensitive information, and phishing emails that create a sense of time pressure, curiosity or fear to get victims to reveal sensitive information, click on a link to a malicious site, or open an attachment containing malware.
After training is done, chambers ought to conduct behaviour tests to make sure people are continuing to keep their defences high. And of course, the attack surface available to cybercriminals is larger when people work from home. It is difficult to control the devices they are using. It is harder to secure the network. It is also harder to know when a member of staff is becoming acutely disaffected.
Finally, where and how is your IT system hosted? Is it in-house, in which case is all software, including anti-virus and anti-malware software, up to date and do you operate additional protections: e.g. solutions that use AI to scan emails for anomalous content or pick up when an email is addressed to an out-of-context recipient to prevent users simply sending information to the wrong person?
Or do you use a reputable public cloud solution that takes care of data encryption and ensures safe storage and back-up but doesn’t offer any tailored advice or guidance or in-house protections? This is a strong option but probably doesn’t go far enough out of the box.
A third option is to work with a managed services provider that can supply a fully considered solution covering software and technology. Such organizations have experts who do cybersecurity for a living; have sectoral knowledge; and have the resources to continually keep up to date with evolving threats and best practice – which could be the difference between avoiding a devastating cyberattack, and being obliterated by one.