Following the ransomware attack, which resulted in the encryption of 972,191 files (including 24,712 relating to court bundles, 60 of which were posted in underground data marketplaces), the Information Commissioner’s Office fined the criminal defence firm almost £100,000.
However, the penalty is likely to be only the publicly visible cost. Although most people understand the obvious costs of an attack, such as business interruption and enforcement fines, the unanticipated costs – like management disruption, reputational damage, supplier damage claims, client impact, increased insurance premiums and group litigation – are often forgotten about.
Since the attack, the firm said it has strengthened its procedures. However, the case has highlighted the need for chambers and their barristers to have robust cyber security measures in place to protect themselves from the rising threat of hackers, meet their statutory and legal obligations, and safeguard their clients, who are the lifeblood of their business.
Without the correct resilience in place, a cyber attack is a case of when, not if. And that assumes an attack and data theft have not already occurred, because the most successful type of breach is the one you did not know had happened.
Technology has become a vital component in our life, so it is not surprising that cyber crime is on the rise. The threat posed by hackers is significant; research from Statista discovered that 31% of businesses experience a cyber attack weekly, with 1 in 12 reporting breaches several times a day.
Like any business, hackers want to make sure there is a return on their investment. Ultimately, cyber criminals are after a pay day, and unsecured chambers and their barristers can provide them with fertile hunting ground.
Barristers have extremely good people networks, typically working on cases involving high-profile individuals or businesses, large amounts of money, and sensitive personal and commercial data. Furthermore, barristers’ reputations are critical to their success. This provides cyber criminals with a perfect cocktail when it comes to motivation – they know that if they can undermine or exploit any of these components, they will be able to manipulate their target and secure the pay day they are looking for.
The key thing to understand is that a cyber attack is not a hacker’s end goal – it is simply a tool to reaching their target. It could be that criminals want to prevent access to a barrister’s laptop through a ransomware attack to stop them operating, which could have an adverse impact on their reputation. They may also be looking to interrupt the delivery of justice. Another motivation could be using the barrister and their people networks as a means to get to somebody else, possibly a client or an associate, for example.
From phishing and malware to social engineering and spyware, there are lots of ways cyber criminals can conduct a digital attack and these methods are constantly evolving.
In order to ensure a barrister and their chambers are protecting themselves and meeting their legal obligations, they should conduct a cyber and data security assessment. This is a thorough analysis of all information assets and cyber controls, making it an essential first step to understanding their cyber resilience and uncovering any weaknesses and risks that could leave them vulnerable to an attack.
Typically, an assessment will consider every security component of a business to find any possible blind spots, highlight where systems may have already been breached, and identify whether any information is already publicly available that could put a chamber at risk.
Once an assessment has been completed, the outcome will be a full picture of what is working well, what requires improvement, and what is missing entirely. Most importantly, it will provide a roadmap of what needs to be done to make you resilient, and limit your risk of a cyber attack and potential financial, reputational and legal damage.
We live in a world where cyber risk is a clear and present threat. Being lucky so far does not correlate with being lucky in the future – an attack is inevitable. As, ultimately, cyber criminals are looking to maximise their opportunity to get their pay day, barristers need to ensure they are hard to hack. If it is too difficult, they will find weaker prey.
There are many components of a resilience programme that should be blended to meet your compliance obligations and make your chamber hard to hack. For example, when it comes to mutating viruses, Trojans, spyware and distributed denial of service (DDoS), digital technical controls, such as artificial intelligence (AI) threat detection and quarantine systems are the best weapons of choice. Cyber criminals use AI to reconnoitre and find vulnerabilities. To defend against and beat AI, you need AI – as humans, we simply cannot keep up anymore.
On the flipside, a chamber’s barristers are its best asset. However, if they do not understand the risks and are not properly trained, they can be a huge cyber security liability too. It is very easy to compartmentalise our personal and professional lives. However, they are intertwined digitally. Cyber criminals recognise that because we are not personally mandated, legislated and regulated like businesses are, we tend to let our barriers down when at home and be less disciplined.
The most obvious way to protect yourself and your chamber is password management. Currently, there are millions of email and password combinations for sale on the dark web for minuscule amounts. Cyber criminals can then use this information to gain access to web portals containing emails, documents, pictures, saved bank account details and addresses, and fuse this with other pieces of information to enable more targeted social engineering.
Our research found that 1 in 8 employees working in UK businesses reuse their personal passwords at work and, shockingly, 73% do not change their professional passwords enough, with 1 in 3 admitting to never changing their work log-in details or only doing so when prompted.
Using the same password across multiple accounts, or for both personal and professional use, is a major weak link in a security system. If one site is breached and credentials are exposed, your risk is amplified if you use that same password elsewhere. However, if you change your password frequently – at least quarterly – you will break the chain.
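The two risks described above, reuse of one password across accounts and use of a password that already appears in a breach corpus, can both be checked without ever sending a plaintext password anywhere. The following is an added example written for this article, not code from the authors or from any chambers; the credential list and the "breached" list are constructed sample values, and `range_lookup` is an assumed stand-in for a k-anonymity range service (only the first five characters of the SHA-1 hash leave the client, and matching is done locally on the returned suffixes).

```python
import hashlib
from collections import defaultdict

# Constructed sample credential export (account, password) as a password-manager
# audit might produce it. Values are invented for this example.
SAMPLE_ACCOUNTS = [
    ("chambers-email", "Summer2021!"),
    ("court-portal", "Summer2021!"),
    ("personal-shopping", "Summer2021!"),
    ("document-management", "9v#Qx2!mL8pT"),
    ("case-management", "password123"),
]

# Constructed stand-in for a breached-password corpus. A real deployment would
# query a service holding hashes of exposed passwords; this list is invented.
BREACHED_PLAINTEXTS = ["password123", "Summer2021!", "letmein"]


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the form range services index on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Server-side index: 5-character hash prefix -> set of 35-character suffixes.
BREACH_INDEX = defaultdict(set)
for _pw in BREACHED_PLAINTEXTS:
    _h = sha1_hex(_pw)
    BREACH_INDEX[_h[:5]].add(_h[5:])


def range_lookup(prefix: str) -> set:
    """Assumed stand-in for a k-anonymity range query: the client reveals only
    the first five hex characters; the server returns every suffix it holds
    under that prefix, so it never learns which password was checked."""
    return set(BREACH_INDEX.get(prefix.upper(), ()))


def is_breached(password: str) -> bool:
    """True if the password's full hash appears among the suffixes for its prefix."""
    h = sha1_hex(password)
    return h[5:] in range_lookup(h[:5])


def find_reused(accounts):
    """Group accounts by password hash; any group with more than one member
    is the cross-account reuse the article warns about."""
    groups = defaultdict(list)
    for name, pw in accounts:
        groups[sha1_hex(pw)].append(name)
    return {h: names for h, names in groups.items() if len(names) > 1}


def audit(accounts):
    """Return the reused-password groups and the accounts whose password is
    present in the breach corpus, both as sorted lists for stable reporting."""
    reused = find_reused(accounts)
    breached = sorted(name for name, pw in accounts if is_breached(pw))
    return {
        "reused_groups": sorted(sorted(names) for names in reused.values()),
        "breached_accounts": breached,
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_ACCOUNTS).items():
        print(f"{key}: {value}")
```

Both findings on the sample data point at the same root cause: a password shared by three accounts is also one that has already been exposed, so a breach of the personal shopping account would hand an attacker the chambers email and the court portal. Reporting by hash group rather than by plaintext keeps the audit output itself safe to share.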
Another tool in a cyber criminal’s arsenal is hoax calls and emails, which are designed to steal and defraud. A typical scam the legal industry experiences is payments getting intercepted. If you receive an email at the last minute from someone who has changed their bank details, this is a major red flag and you should instantly stop. Phone the company’s front desk – via a number from a credible source online – and ask to be put through to the accounts department to verify.
While becoming hard to hack will make you more resilient to a cyber attack, no security programme is infallible. If a cyber criminal is committed to their goal, they will find a way. With this in mind, you should make the assumption it will happen and, therefore, you need to have comprehensive incident response and disaster recovery plans in place.
If an attack is successful and an incident occurs, halting it as quickly as possible should be your primary concern, so that you can minimise its scope and scale. This can be done by having an incident response plan in place. A disaster recovery plan will then get your business back to normal and operating as swiftly as possible.
Both plans need to be regularly reviewed and rehearsed so you know how to react swiftly to any incident and are able to minimise the associated impact. If you end up suffering a ransomware attack, for example, you are unlikely to be able to access files saved on your system, so you will need to know what you are doing in order to respond effectively.
Should a cyber attack cripple your chambers, you could be facing some hefty costs – including system repair, business interruption, delays to schedule, knock-on impact to other clients, adverse media coverage, and financial damages claims and regulatory fines. This can be mitigated by good cyber insurance, but only if the right insurance is purchased with realistic cover and service levels, and having met the minimum cyber security standards for the policy to be valid.
While even the most secure business is not guaranteed immunity, having the appropriate measures in place and being prepared should the worst happen will ensure confident, compliant and resilient barristers, which, in turn, create a well-protected chamber.
Our team of dedicated experts can analyse your business to identify any vulnerabilities it may have. Once we’re done, you’ll have the tools and knowledge to fix these in order to stay safe and secure. Contact us today.