Following my certification from Cyber Essentials I discuss what steps are wise for cyber protection.
I understand that I may be the first private practice barrister in England to attain Cyber Essentials Plus certification, initiated by Orlagh Kelly, barrister and CEO of BRIEFED, and delivered by Evolve North, the nation’s premier provider of cyber protection evaluation.
In what was a fascinating process, here are the highlights and how to achieve them.
It was September 2023 that my senior clerk alerted me to the prospect of government funding for cyber security. He told me that individual barristers could apply for grant aid to achieve the Cyber Essentials and Cyber Essentials Plus certifications. The full cost of the Certification was to be covered.
There appeared to be many benefits of such government-backed certifications. In addition to increased cyber security for my personal legal practice, those qualifying may access £25,000 Cyber Insurance, Cyber Essentials Certification, listing in the UK Directory of awarded businesses, and eligibility for various government instructions and tenders.
Having applied and provided my pre-assessment information, by 26 September 2023 I was accepted onto the programme and allocated Andrew Spencer, my personal guide and assessor at Evolve North, a company based coincidentally near my home, in Richmond, N Yorks.
Andrew explained the process clearly. The first step for basic certification involved a self-assessment questionnaire, searching to say the least, that required detailed information on systems used, internet providers, routers, hardware and software. This was then to be evaluated with a view to identifying obvious risks. Second, for the Cyber Essentials Plus certification, was the installation of a scanning agent leading to internal and external vulnerability scanning.
It was mid October when we reviewed the results of the preliminary questionnaire. The detail required threw up a number of significant issues – some of which required more information, others indicating potential vulnerabilities. Accordingly, I provided Signable authority for Evolve North to scan my IP address, allowing them to perform an initial network scan.
There followed a series of TEAMS meets and remedial discussions with Andrew Spencer and Gary Reeves at Evolve North, however by 20 November 2023 I was awarded Cyber Essentials Basic Certification. This completed my first stage, and Jenny Pullin at BlockMark awarded my online certificate.
Having undertaken basic certification I now qualified for the enhanced stage of Cyber Essentials Plus under previously allocated funding. This, it must be said, was far more intensive, requiring the installation of an internal scanning agent on my computer system to perform a user and device assessment. Over a period of weeks my internet traffic was monitored and assessed. This revealed ten ‘critical vulnerabilities’ where intruders could gain control of my system, leading to the compromise of the entire network security. Vulnerabilities at this level could include full read and write access to files, remote execution of commands, and the presence of backdoors.
Additionally, there were twelve ‘high vulnerabilities’ that could lead to leakage of highly sensitive information, two ‘medium vulnerabilities’ giving access to specific information including security settings and three low risks allowing intruders to collect sensitive information.
I granted Evolve North remote access to my computer and screen-share whilst they took me through a series of steps to eliminate all known vulnerability. This took time, but success – vulnerabilities addressed. Cyber Essentials Plus – awarded on 31 January 2024!
For those who may wish to improve their cyber security but are not yet prepared to undertake a process of certification, these are my basic top ten tips:
- Make sure that your internet provider is industry-recognised, and only connect to those providers that offer high levels of internet security and protection.
- Ensure that you have a recent router provided by your broadband provider, that it is fully and securely password protected, and that any repeaters you use are securely linked to it.
- Limit the hardware that has access to and from your router.
- Remove all old software (obsolete, unlikely to be updated and protected), and replace with current versions.
- Check that your virus protection is current and active.
- Keep your software updated with installation set to ‘automatic”, especially important for your web browser.
- Ensure that all software changes are individually password-protected with complex code.
- Disable Microsoft autoplay.
- Only allow notified updates that you have first recognised, checked and knowingly authorised.
- Create a separate administrator account (guest account) to take charge of all system changes to your computer. This will alert you to requests to make changes that are sought (or induced).
Whilst these basic steps may provide improvements to your cyber security, they will not ensure full protection. Should you seek professional support? Knowing what I now know about cyber vulnerability, and having historic involvement in computer fraud, I would definitely say you should.
Indeed, with the progress of artificial intelligence, I expect that our professional regulators will require certification. But, that aside, compare the cost and inconvenience of action now, with the devastation of a serious cyber breach and the penalties that will undoubtedly follow.
Advertisements appearing within or below this post are placed by the platform, not the writer. They are neither endorsed nor monetarised.
*
*
*
*
Stephen Twist's Barrister Blog 