Amid the COVID-19 outbreak, the National Crime Agency (NCA) has identified a surge in ‘coronavirus-themed’ malicious apps, websites, phishing emails and messages that seek to steal confidential or sensitive information
Whilst the Government recently warned about cyber criminals specifically targeting organisations involved in the pandemic response (such as healthcare organisations), the National Cyber Security Centre (NCSC) has warned that individuals and businesses of all sizes are at risk. Not only might staff members be targeted, thereby putting business systems and information at risk, but remote working systems are also vulnerable to attack.
To help businesses stay alert, we’ve taken a look at how they can identify and address potential cyber vulnerabilities.
What should businesses be looking out for?
In joint advisories published with the United States, the UK’s NCSC has identified the following key types of COVID-19 cyber attacks to look out for:
1. Phishing
Email, SMS, or WhatsApp messages with COVID-19 related content that lure people to click on links to phishing websites where personal or financial information is stolen.
2. Registration of new domain names
Phishing emails or messages may lure people to click on links to websites designed to steal user credentials. They will lead the user to a ‘spoofed login’ page where they will be asked to submit information such as their email password.
3. Malware distribution
This will often be an email asking recipients to open an attachment or download a file, which contains malware or ransomware and therefore compromises their device.
4. Password spraying
Malicious cyber groups try commonly used passwords (e.g. those based on the name of the business or the month of the year) to gain access to and compromise accounts.
5. Attacks on remote working systems
Cyber criminals are exploiting vulnerabilities in systems such as Virtual Private Networks (VPNs) and videoconferencing systems by sending emails with links to malicious files that purport to be links inviting someone to join a call.
What steps should your business be taking to protect itself?
Carrying out a risk assessment will allow businesses to identify their areas of vulnerability and put in place appropriate measures to address them. These could include:
· Review policies and procedures
There are different HR policies that your business can put in place to help safeguard against potential cyber vulnerabilities whilst staff are working remotely. Whilst you are not under a strict legal obligation to implement these, it is best practice and can help to ensure smooth and secure processes.
A working from home policy can lay out your expectations for your staff whilst they are working from home, including in relation to data security and confidentiality. This should be complemented by a separate data protection policy outlining what duties your staff are under when they are handling personal data, including ensuring that it is always processed securely.
An IT security policy can include requirements relating to passwords, the physical security of devices and protocol around using external drives. If you already have an IT security policy, you should review it to make sure it is fit for purpose and bear in mind that the NCSC recommends the use of two-factor authentication wherever possible.
If you permit staff to use their own devices whilst working from home, consider a BYOD (bring your own device) policy to mitigate the additional risks for your business by ensuring appropriate security measures are taken by your staff.
It is also sensible to have a personal data breach policy setting out your business’s response plan if a data breach occurs following a cyber attack.
· Check remote working systems
If your business is used to having staff work from home, check that your remote working systems are updated with the most recent security patches and firewalls. If home working is new for your business, make sure that the systems you are using are fit for purpose and that you have applied appropriate and up-to-date security functions (e.g. ensuring that virtual meetings are private and require password entry).
· Provide training and support for staff
Cyber criminals often target individuals, so make sure your staff are alert and aware of the risks to look out for. This may require you to recirculate your policies, refresh their training on relevant security procedures or to circulate specific examples of COVID-19 cyber crime. Make sure your staff know what to do if they identify a cyber attack or they think there might have been a data breach. Your staff will also still need IT support whilst working from home so check whether your normal services will continue and make sure you notify all staff if there are any changes. If support is easily available, IT vulnerabilities are likely to be flagged sooner.
· Back-up!
Make sure staff back up their work regularly and save it remotely (e.g. by using a cloud service). Any back-ups should also have strict security measures in place; for example access should be restricted to certain people within the organisation. If important data is backed up you won’t lose it if devices are lost or stolen and you can protect your business from ransomware attacks (which make your system or data unavailable until you pay a ransom).
· Secure devices
There is a greater risk of work devices getting stolen when they are being used outside the workplace, so make sure you take steps to secure them. For example, ensure encryption is turned on and that you can remotely lock devices and erase or retrieve data that is stored on them.
If staff are working on personal devices, make sure they save work remotely and not locally on their device, check that their antivirus software is installed and up-to-date and remind staff to ensure the physical security of their work by locking their screens when they are away from their devices.
· Remember GDPR!
Any data that your business handles that contains personal information will trigger data protection law.
If there has been a personal data breach due to a cyber attack (i.e. a breach leading to the destruction, alteration, unauthorised disclosure of or access to personal data) and that breach carries some risk to individuals, you will have to notify the ICO (Information Commissioner’s Office) within 72 hours of you becoming aware of the breach. You may also need to notify affected individuals. Even if you do not need to report the breach to the ICO (because you don’t think there is a risk to individuals) you should still keep a written record of it.
These legal obligations are a reminder of the importance of businesses having sufficient cyber security policies and procedures in place to ensure that they can both protect their business from attack, and comply with their legal obligations if an attack does occur.
· Report any breaches
If you think that your business has been the victim of cybercrime, you should report this through the Action Fraud Website.
About the Author
Francesca Mundy, Lawyer and Senior Legal Editor at Sparqa Legal.
Sparqa Legal is an online platform providing expert legal guidance and autogenerated documents for all businesses. Founded by a team of senior barristers and tech executives, Sparqa Legal is on a mission to make law accessible and recently launched the Sparqa Post to provide free expert advice to SME’s on all their legal needs.
Featured image: ©YingYaiPumi
