As the UK remains in lockdown amid the Covid-19 pandemic, the National Crime Agency (NCA) has identified a surge in ‘coronavirus-themed’ malicious apps, websites, phishing emails and messages that seek to steal confidential or sensitive information. The Chartered Trading Standards Institute has even estimated that the UK has been the most heavily targeted country for Covid-19 related phishing emails.
Whilst much of the malicious cyber-activity that has been identified is targeted at vulnerable individuals and at organisations involved in the pandemic response (such as healthcare organisations), other businesses should not assume they are safe. Not only might staff members be targeted, thereby putting business systems and information at risk, but hastily deployed remote working systems are also vulnerable to attack.
Attacks that compromise your business’s systems could ultimately lead to the loss of sensitive information, fraudulent activity or personal data breaches, which could have serious financial and legal implications for your business.
To help, we’ve taken a look at how your business can keep ahead of the curve by identifying and addressing any potential cyber-vulnerabilities.
What should businesses be looking out for?
In joint advisories published with the United States' Cybersecurity and Infrastructure Security Agency (CISA), the UK's National Cyber Security Centre (NCSC) has identified the following key types of Covid-19 cyberattacks to look out for:
1. Phishing
Email, SMS or WhatsApp messages with Covid-19 related content that lure people to click on links to phishing websites, where personal or financial information is stolen.
2. Malware distribution
This will often come in the form of emails asking readers to open an attachment or download a file which contains malware or ransomware and therefore compromises their device. These email campaigns may appear to come from official sources, e.g. the World Health Organization.
3. Registration of new domain names
Criminals are registering new domain names containing coronavirus or Covid-19 related wording. Phishing emails or messages lure people to click on links to websites hosted on these domains that are designed to steal user credentials: the user is taken to a ‘spoofed login’ page (a copy of a familiar login screen) and asked to submit information such as their email password. Because such a domain has only just been registered, it will rarely appear on blocklists when the campaign starts.
4. Attacks on remote working systems
With many people now working remotely, cyber-criminals are exploiting unpatched vulnerabilities in remote access products such as Virtual Private Networks (VPNs), and are targeting users of videoconferencing systems by sending emails containing links to malicious files that purport to be invitations to join a call.
5. Password spraying
Malicious cyber-groups try a small number of commonly used passwords against a large number of accounts, rather than many passwords against one account, which keeps them below the attempt threshold that would lock an individual account. Commonly used passwords include those based on the name of the organisation being attacked, the month of the year and/or the seasons, typically followed by the current year (e.g. ‘Spring2020’).
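The spraying pattern just described has a recognisable signature in authentication logs (one source failing once or twice against many different accounts) and can also be pre-empted by refusing the passwords sprayers try first. The following is an added example written for this page, not code from the NCSC advisory or from Sparqa. The log line format, the thresholds, the organisation name ‘Acme’ and the sample log lines are all constructed assumptions; adapt the regular expression to your own authentication logs.

```python
"""Two checks for the password-spraying pattern described above.

1. detect_spraying(): scans authentication log lines for a source that fails
   against many *different* accounts with only a few attempts each (the
   spraying signature, as opposed to brute force against one account).
2. is_spray_candidate(): flags passwords of the kind sprayers try first
   (organisation name, month or season, optionally followed by a year and
   punctuation).

The log format, thresholds and organisation name are assumptions made for
this example, not any real product's format or policy.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log line layout (constructed for this example).
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

MONTHS = ["january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december"]
SEASONS = ["spring", "summer", "autumn", "fall", "winter"]


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "src": m["src"],
        "user": m["user"],
        "ok": m["result"] == "OK",
    }


def detect_spraying(lines, window=timedelta(minutes=30), min_users=5, max_per_user=2):
    """Return {source: sorted list of targeted accounts} for every source whose
    failures, within any `window`, hit at least `min_users` distinct accounts
    with no account tried more than `max_per_user` times."""
    failures = defaultdict(list)  # src -> [(timestamp, user)]
    for line in lines:
        ev = parse_line(line)
        if ev and not ev["ok"]:
            failures[ev["src"]].append((ev["ts"], ev["user"]))

    flagged = {}
    for src, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until the span fits in `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            per_user = defaultdict(int)
            for _, user in events[start:end + 1]:
                per_user[user] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                flagged[src] = sorted({user for _, user in events})
                break
    return flagged


def is_spray_candidate(password, org_name):
    """True if the password is an organisation name, month or season,
    optionally followed by a two- or four-digit year and trailing punctuation."""
    base = password.lower().rstrip("!@#$%^&*.?")
    for word in [org_name.lower()] + MONTHS + SEASONS:
        if base.startswith(word):
            rest = base[len(word):]
            if rest == "" or re.fullmatch(r"(19|20)?\d{2}", rest):
                return True
    return False


# Constructed sample log: one spraying source, one brute-force source, one
# legitimate login. IP addresses are from documentation ranges.
SAMPLE_LOG = """\
2020-04-14T09:00:01Z src=203.0.113.7 user=alice result=FAIL
2020-04-14T09:00:05Z src=203.0.113.7 user=bob result=FAIL
2020-04-14T09:00:09Z src=203.0.113.7 user=carol result=FAIL
2020-04-14T09:00:13Z src=203.0.113.7 user=dave result=FAIL
2020-04-14T09:00:17Z src=203.0.113.7 user=erin result=FAIL
2020-04-14T09:00:21Z src=203.0.113.7 user=frank result=FAIL
2020-04-14T09:01:00Z src=198.51.100.9 user=alice result=FAIL
2020-04-14T09:01:02Z src=198.51.100.9 user=alice result=FAIL
2020-04-14T09:01:04Z src=198.51.100.9 user=alice result=FAIL
2020-04-14T09:01:06Z src=198.51.100.9 user=alice result=FAIL
2020-04-14T09:01:08Z src=198.51.100.9 user=alice result=FAIL
2020-04-14T09:01:10Z src=198.51.100.9 user=alice result=FAIL
2020-04-14T09:02:00Z src=192.0.2.3 user=bob result=OK
"""

if __name__ == "__main__":
    print("Spraying sources:", detect_spraying(SAMPLE_LOG.splitlines()))
    for pw in ["Spring2020!", "Acme2020", "correct-horse-battery-staple"]:
        print(pw, "->", "reject" if is_spray_candidate(pw, "Acme") else "ok")
```

The brute-force source (many failures against one account) is deliberately not flagged by `detect_spraying`, since per-account lockout already handles that case; the spray detector exists precisely for the attacker who stays under the lockout threshold. Lower `min_users` for a small organisation, and treat the password screen as a supplement to, not a replacement for, the two-factor authentication recommended later in this article.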
What steps should your business be taking to protect itself?
- Review your policies and procedures
There are numerous HR policies that your business can put in place to ensure smooth and secure home working. Whilst you are not under a strict legal requirement to implement these, they are best practice and can help you to streamline your processes.
A working from home policy can set out your expectations for your staff whilst they are working from home, including in relation to data security and confidentiality. To comply with your data protection obligations, it is likely to also be appropriate for you to have a separate data protection policy setting out what duties your staff are under when they are handling personal data, including ensuring that it is processed securely at all times.
An IT security policy can include requirements for passwords, the physical security of devices and the protocol for installing software. If you already have an IT security policy, you should review it to make sure it is fit for purpose, and bear in mind that the NCSC strongly recommends the use of two-factor authentication wherever possible; it is a particularly effective defence against the password spraying and credential phishing described above, because a stolen or guessed password alone is no longer enough to log in.
If you allow staff to use their personal devices whilst working from home, consider a BYOD (bring your own device) policy to address the additional security risks that will arise. For instance, this will help you to ensure that appropriate security measures are taken when it comes to handling sensitive information, including any third-party data, on personal devices.
It will also be beneficial to have a personal data breach policy setting out your business’s response plan in the event that a data breach occurs following a cyberattack.
- Check your remote working systems
If your business is accustomed to having staff work remotely, check that all of your remote working systems (VPN gateways and remote desktop services in particular) are updated with the most recent security patches and that firewalls are configured to expose only the services that need to be reachable from the internet. If working from home is new for your business, take the time to make sure that the systems you set up are fit for purpose and that you have applied appropriate and up-to-date security settings. For example, ensure that virtual meetings are private, require a password to join, and are not advertised on public channels.
- Secure your devices
Make sure you take steps to secure devices whilst they are outside the workplace. For example, ensure encryption is turned on and that you can remotely lock devices and erase or retrieve data that is stored on them in case they are misplaced or stolen.
If staff are using their own devices to work on, make sure they know how to save work to your business's systems (for example a company file share or approved cloud service) rather than locally on their device, check that their antivirus software is installed and fully updated, and remind staff to ensure the physical security of their work, for example by locking their screens when they are not working.
Make sure your employees are backing up their work regularly. Any back-ups should also have strict security measures in place; for example, access should be restricted to certain people within your organisation, and the back-up should be kept separate from the original copy (e.g. by using a cloud service). Note that a copy which continuously mirrors the live data is not a sufficient defence against ransomware, because encrypted files will simply be synchronised over it; keep at least one back-up that is offline or that retains previous versions, and test that you can actually restore from it. If your important data is backed up in this way you won't lose it if devices are lost or stolen, and you can recover from a ransomware attack (which makes your system or data unavailable until you pay a ransom) without paying.
- Train your staff
Individuals are a key target of cyber-crime so remind your staff to be alert and make sure they are aware of the risks to look out for. This may require you to recirculate your policies, refresh their training on relevant security procedures or to circulate specific examples of Covid-19 cyber-crime.
Make sure your staff know what to do and who to report to if they identify a cyberattack or they think there might have been a data breach. Not only might an attack put your business under threat, but it might create legal obligations for you under data protection law.
- Provide IT support
Your staff may be working from home, but they’re still likely to need access to IT support. Check whether your normal support will continue whilst staff are working remotely, and make sure you update staff if there are any changes. If support is readily available, IT vulnerabilities are more likely to be flagged quickly.
- Remember GDPR!
Any data that your business handles that contains personal information will trigger data protection law, and you must remember your data protection obligations at all times.
If there has been a personal data breach due to a cyberattack (i.e. a breach leading to the destruction, loss, alteration, unauthorised disclosure of or access to personal data) and that breach is likely to result in a risk to individuals, you will have to notify the ICO (Information Commissioner's Office) without undue delay and, where feasible, within 72 hours of becoming aware of the breach. If the breach is likely to result in a high risk to individuals, you will also need to notify the affected individuals. Even if you do not need to report the breach to the ICO (because you don't think there is a risk to individuals) you must still keep a written record of it, including your reasoning.
These legal obligations serve as a reminder of the importance of businesses having effective cybersecurity policies and procedures in place to ensure that they can both protect their business from attack, and comply with their legal obligations if and when an attack does occur.
- Report any breaches
If you think that your business has been the victim of cybercrime, you should report this through the Action Fraud Website.
The content in this article is up-to-date at the date of publishing. The information provided is for information purposes only, and is not for the purpose of providing legal advice. ©Sparqa Limited 2020. All rights reserved.
Francesca Mundy, Lawyer and Senior Legal Editor, Sparqa Legal