Coronavirus (COVID-19) and cybersecurity
UPDATE 15 May 2020: An increased number of cyber-attacks continue to be reported during the Coronavirus pandemic. On Wednesday, for example, two companies involved in building emergency Coronavirus hospitals were victims of cyber-attacks. The National Cyber Security Centre (NCSC) has launched its 'Cyber Aware' campaign promoting behaviours to mitigate threats. It has also created a world-leading scam reporting service for people to flag suspicious emails. Helpful information can be found on its website, and the email for the Suspicious Email Reporting Service (SERS) can be found here.
Why has there been an increase in the risk posed by cyberattacks and how can businesses mitigate this risk?
Sadly, cyber criminals are already profiting from this public health emergency. This article reminds us that cybersecurity must remain a priority for businesses.
What is the context of the increased risk?
As a response to the Coronavirus (COVID-19) pandemic, over a few short weeks entire workforces around the world have shifted to working from home. Rather than the incremental, cautious approach that most organisations would have preferred, they were forced to 'jump in the deep end' with their remote working platforms and processes - plans rushed and the usual tests out of the window.
In addition to this, there has been a rapid surge in online activity outside the workplace: a significant increase in internet shopping; more time for people to spend online; a large appetite for Coronavirus (COVID-19)-related online information; and a flood of virtual education/sport classes. Generally, there has been an accelerated reliance on technology.
In some ways, technology is helping to mitigate the economic impact on business. However, this huge technological and practical shift over such a short period creates significant challenges. Adding a rapidly changing environment and a global crisis presents openings for cyber criminal opportunists. In light of (and despite) this unfamiliar landscape, it is important that business do not lose sight of the associated cybersecurity risks and the damage they could cause.
What is 'phishing'?
Phishing involves the sending of emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers or to click on links that use websites or software to gain credentials to access systems and perpetrate cybercrime. Cyber criminals use phishing to gather financial or other confidential information and/or personal data.
It often involves emails that link to 'fake' websites, seeming genuine and often designed in a way to trick or entice people into visiting and/or entering personal information. Sometimes merely clicking on a link to such a website is enough to compromise a system or confidential information.
Phishing emails are one of the fastest-growing risks system and information security businesses are facing today and one of the main methods cyber criminals are using to profit from the current situation.
Has phishing increased due to Coronavirus (COVID-19)?
Levels of phishing have most definitely increased during these first few months of the COVID-19 pandemic. Reports suggest a huge number of new, Coronavirus-related domains have been registered since the beginning of January 2020 and a large number of fraudulent emails have been reported.
The UK's National Cyber Security Centre (NCSC) recently warned that attacks are likely to rise as the outbreak intensifies. It has recently taken steps "to automatically discover and remove malicious sites which serve phishing and malware" and that those sites used Coronavirus and its official name COVID-19 "as a lure to make victims 'click the link'".
Why is there an increased cybersecurity risk?
NCSC has explained that cyber criminals are "opportunistic" and will look to "exploit people's fears". They are aware, for example, of the appetite for Coronavirus/COVID-19-related information. They are taking advantage of this by sending emails or publishing apps using Coronavirus references as bait, with links directing to malicious websites or attachments infected with malware. For example: the World Health Organisation (WHO) has warned that criminals have been sending fake emails purporting to come from WHO in an effort to take advantage of the COVID-19 emergency. The BBC has also reported on email scams such as "Click for Corona-Virus Cure" and "UK Government Tax Refund".
Additional home-pressures and apprehensions are distracting everyone. From a common-sense perspective, it is inevitable that, at least to begin with, employees may be less vigilant in their home environment than they would be in the office. Distractions such as childcare may mean they can be tricked more easily by a genuine-looking email or accidentally leave their workstation unlocked. Cyber criminals are aware of the huge pressure the crisis is putting on businesses, and will try to take advantage of this distraction.
Depending on the extent to which a business was previously set up for remote working, it may not yet have in place sufficient protections and policies to deal with such a significant change. Businesses are having to balance the need to provide remote access for productivity against security. Depending on the systems used, it may be easier for hackers to compromise work and home systems in a single attack. Workers do not have colleagues around them at home to help identify scams – it may be less convenient to check a concern with IT support, or to check the validity of an email claiming to be from a colleague.
In addition to the increased risk of attacks, the current situation is also likely to amplify the impact of an attack. The personnel that monitor IT infrastructure and provide support are also liable to be working remotely and monitoring, spotting and addressing cyberattacks could be hampered.
How can businesses reduce the risk of cyberattacks?
The following are suggestions for some of the actions a business can take to mitigate cybersecurity risks. Note that this list is far from exhaustive.
Anti-virus protection and information security. Ensure that anti-virus, email filtering software and other security software to identify and monitor unusual activity are deployed, up-to-date in terms of versions and patches, and configured to proactively scan devices, attachments and downloads.
Consider using tools to prevent user accounts sending mass emails. Use IP blocking where appropriate to prevent access to systems from internet users in certain countries in which the organisation does not operate. Check whether systems enabling remote access are patched to the latest version available.
Prioritise IT/security teams. Prioritise the resilience of IT teams and ensure they have bandwidth to deal with a surge in IT issues and questions from remote workers. Carefully consider whether furloughing such staff is wise given the potential impact of a "lean" team.
Remember that working remotely will most likely mean their everyday security 'firefighting' will be much slower and more difficult. It may compromise their ability to respond as quickly as possible should an attack occur. Consider whether this can be mitigated in any way and check in on the team regularly to identify issues.
Employee communications/training. Remind employees of security policies already in place regarding issues like: downloading, using insecure networks, verifying website URLs before interacting with them, data destructions, and restrictions on home printing. Ensure there is an easy and quick way for staff to report suspicious communications and make them aware of this procedure regularly.
Consider conducting refresher training, including Coronavirus/COVID-19-specific risks and how to deal with these. For example:
Emails with a Coronavirus/COVID-19-related subject line, attachment or hyperlink.
Social media pleas, texts or calls related to Coronavirus/COVID-19.
Illegitimate sources providing information about Coronavirus/COVID-19.
Charities requesting 'donations' for those impacted by Coronavirus/COVID-19.
Leave your work station locked at all times when you are not using the device.
Employers could give specific, real examples as and when they are reported.
- Strong authentication. Consider whether multi-factor authentication should be increased, such as for access to important systems/data and for the authorisation of the transfer of money/secure information.
How should a business prepare and respond to a cyberattack?
Below are some considerations in respect of preparation and response to a cyberattack. Note that these are by no means exhaustive and depend on the systems and policies the business has in place:
Incident response plan. In preparation for an attack, consider and review the business' incident response plan. Does this address the current situation i.e. company-wide home working and Government movement restrictions? Consider the practical implications of the incident response plan – for example: is there a member of the IT team who is better suited to attend the service location and/or access servers to deal with malware in the system, will it be more difficult to perform remedial work on the devices remotely?
Although the Government has not explicitly mentioned this scenario, the current guidance suggests that travelling to work in order to deal with a cyberattack, if it cannot be dealt with from home, would be acceptable (as long as the individual is not in a category of persons who should be self-isolating and social distancing rules are respected). Ensure contact information for all staff is up-to-date and confirm policies on reporting incidents to employees. Generally, check that business continuity/disaster recovery plans work in the current climate.
Consider regulatory obligations. If the attack may have compromised personal data, the organisation may have a legal obligation to notify the applicable data protection authority – in the UK this would be the Information Commissioner's Office - and/or other applicable regulators. For example: regulated businesses, such as those in financial services and energy, may also be obliged to notify their sectoral regulator in such cases. Ensure members of the response team are informed of these obligations.
- Contact insurers. Consider whether the business' insurance is adequate and covers cyber security. Contact the insurer to obtain assistance from experts to assist. Remember you may be under an obligation to notify of an incident as soon as possible. Discuss with your broker if you are unclear what level of cover you have regarding cyberattacks and/or what other policies are available in the market. If you need legal advice on whether your losses are within the scope of your insurance policy, our Insurance and Reinsurance team are able to review the relevant policy and give a preliminary view on coverage.
If you would like to discuss any of the issues raised in this article, or have other concerns about the impact of Coronavirus, please contact Nathaniel Lane or Gemma Neath in Michelmores' Technology & Innovation team.
CORONAVIRUS STOP PRESS – Click here to keep up-to-date with all of our latest articles.
This article is for information purposes only and is not a substitute for legal advice and should not be relied upon as such. Please contact our specialist lawyers to discuss any issues you are facing.