Numerous organisations have recently warned about the prevalence of COVID-19 related cyber crime, including the National Crime Agency (NCA) and the National Cyber Security Centre (NCSC). The Chartered Trading Standards Institute has even estimated that the UK has been the most heavily targeted country for COVID-19 related phishing emails.
As malicious cyber actors seek to exploit the situation by preying on people’s fears, we look at how your business can keep ahead of the curve by identifying and addressing any potential cyber vulnerabilities.
COVID-19 and cyber crime
What’s the risk?
The NCA has identified a surge in ‘coronavirus-themed’ malicious apps, websites, phishing emails and messages that seek to steal confidential or sensitive information. Whilst much of the malicious cyber activity that’s been identified is targeted at vulnerable individuals and organisations involved in the national pandemic response (such as healthcare organisations), businesses should not rest on their laurels. Not only might staff members be targeted, thereby putting business systems and information at risk, but remote working systems are also vulnerable to attack. Attacks that compromise your business’s systems could ultimately lead to the loss of sensitive information, fraudulent activity or personal data breaches, which could have serious financial and legal implications for your business.
It’s particularly important to remember that your staff may be experiencing anxiety about the pandemic, which coupled with a new routine of working from home and the increased stresses they may be under, might result in them being less alert to cyber threats. Equally, some of your staff may not have worked remotely before and will therefore be unfamiliar with your remote working policies and procedures. These factors should all be taken into account when you are assessing the risk that cyber crime poses to your business.
What should my business be looking out for?
When assessing the specific risk posed by cybercrime to your business, it’s important that you take into account what malicious activity has been identified. In a joint advisoriesy published with the United States, the NCSC has identified the following key types of COVID-19 cyber attacks:
Emails, SMS or WhatsApp messages with COVID-19 related content that lure people to click on links to phishing websites where personal or financial information is stolen. One example provided by the NCSC is of SMS messages purporting to offer government payments or rebates.
2. Malware distribution
This will often come in the form of emails asking readers to open an attachment or download a file, which contains malware or ransomware and therefore compromises their device. The NCSC has identified email campaigns that appear to be sent from official people eg at the World Health Organisation (WHO) or to offer virus related products (such as face masks).
3. Registration of new domain names
Phishing emails or messages may lure people to click on links to websites designed to steal user credentials. The websites are designed to look legitimate and typically contain COVID-19 related wording in their URL. They will lead the user to a ‘spoofed login’ page where they will be asked to submit information such as their email password.
4. Attacks on remote working systems
With many people now working at home on remote working systems, cyber criminals are exploiting vulnerabilities in those systems. This includes Virtual Private Networks (VPNs) and videoconferencing systems, such as Zoom and Microsoft Teams (eg by sending emails with links to malicious files that purport to be links inviting someone to join a call).
5. Password spraying
Malicious cyber groups try commonly used passwords (eg those based on the name of the business, the month of the year or the seasons) to gain access to and compromise accounts.
You could also consider signing up to the Action Fraud Alert Service (a free service) to receive updates about cyber scams and fraud in your area.
Fortify your cyberspace
What steps should your business be taking to protect itself?
The steps your business should take to protect itself from cyber threats will depend on a number of factors, including what technologies and devices you use, how many staff you have, whether staff are used to working remotely and what your business operations are. You will need to carry out a risk assessment to identify possible areas of vulnerability and then specifically address those by putting in place appropriate security measures.
To get you started, we’ve put together the following list of steps that business should consider taking:
1. Review your policies and procedures
There are numerous HR policies that your business can put in place to ensure smooth and secure home working. Whilst you are not under a strict legal requirement to have any of these policies, it is best practice and can help you to streamline your processes:
A working from home policy
This will typically set out what your expectations are on your staff whilst they are working from home, including in relation to data security and confidentiality. It will also confirm how your other usual policies and procedures apply when staff are working remotely. If you’ve not got one already, use our free template to put a policy in place.
An IT security policy
This will typically set out what your business’s general rules are to ensure the security of IT equipment used by your staff. This includes requirements as regards to passwords, the physical security of devices, installing software, using external drives (eg USB drives), reporting suspicious emails and using company devices for personal use. Bear in mind that the NCSC strongly recommends the use of two-factor authentication wherever possible. If you already have an IT security policy, review it now to make sure it’s fit for purpose in light of the requirement for your staff to work from home. If you don’t already have one, now would be a good time to put one in place. Use our template to get you started.
A data protection policy
It is likely to be appropriate for all employers to have a data protection policy in place and provide details to their staff. This will set out what duties your staff are under when they’re handling personal data, including ensuring that it is handled securely at all times. If you already have one, review it regularly to make sure it’s fit for purpose. If you need to put one in place, use our template to create a bespoke policy for your business.
A Bring Your Own Device (BYOD) policy
When your staff work from home, you may allow them to use their personal devices (eg laptops, smartphones etc.) for work purposes. If you do, consider putting in place a BYOD policy to ensure that appropriate security measures are taken by your staff. This will help to ensure that any of your business’s sensitive information, including any third party data, is kept securely and confidentially at all times. If you don’t have a policy in place already, you can use our template to draw one up.
A personal data breach policy
This will set out your business’s response plan in the event that a personal data breach occurs (eg following a cyber attack) as well as steps your business plans on taking to prevent such breaches occurring. Use our template if you want to put a personal data breach policy in place.
2. Check your remote working systems
Your business may be accustomed to having staff work remotely, in which case, check that all of your remote working systems are updated with the most recent security patches and firewalls. You may also need to check that they can handle any increased traffic now that all of your staff will be working from home.
If working from home is new for your business, you may have had to rush to provide new services to your staff to ensure that your operations can continue (eg using new videoconferencing technology or VPNs). Take the time now to make sure the new systems you are using are fit for purpose and that you have applied appropriate and up-to-date security functions (eg ensuring that virtual meetings are private and require password entry). It may also be worthwhile producing ‘how to’ guides for your staff to ensure that they know how to properly use any new technology!
Note that the NCSC has published specific guidance about using video conferencng services securely, which you may find helpful.
Check in with your staff to see how they are coping; they might be the best ‘eyes on the ground’ to identify any potential security issues or vulnerabilities.
3. Secure your devices
There’s a greater risk of work devices getting stolen when they’re being used outside the workplace, so make sure you take steps to secure them. This includes making sure that encryption is turned on and ensuring that you know how to remotely lock access to devices and/or erase or retrieve data that is stored on them.
If staff are using their own devices to work on, make sure your BYOD policy is up to date (see above). Although there are financial benefits of allowing your staff to use their own equipment, the security risks are greater. Make sure staff know to save work remotely (eg in the Cloud or on your intranet) wherever possible and not to save locally on their device.
Ask staff to check that antivirus software is installed on whatever devices they are using and that this is fully updated. You should also remind them to ensure the physical security of their work by locking their screens when they’re not working, using screen protectors if necessary and keeping devices somewhere safe.
Ultimately, encouraging staff to report loss or theft as soon as possible will help you to minimise the risk of a security breach, so make sure they know how and when to make a report, emphasising a blame free culture.
We can’t stress this enough. Back-up. Regularly. Then secure your back-ups. If your important data is backed-up you won’t lose it if devices are lost or stolen, and you can protect your business from ransomware attacks (which make your data or systems unavailable until you pay a ransom). Any back-ups should have strict security measures in place, such as restricted access to only certain people within your organisation and keeping them separately from the original copy (eg on a different device or by using cloud services). For specific guidance about the security measures you should put in place if you’ll be storing personal data in the cloud, see our Q&A on secure data storage.
5. Train your staff
As discussed above, individuals are a key target of cyber crime, and that in turn makes your business vulnerable. Remind your staff to be alert and make sure they know both what the risks are and what they should be looking out for (eg badly written emails, typos, unknown senders, emails requesting the reader to click on links). This may require you to recirculate your policies, refresh their training on relevant security procedures (eg using strong passwords), or to circulate specific examples of COVID-19 cyber crime. The NCSC’s advisory contains examples you could use.
If you haven’t provided your staff with any bespoke training, the NCSC offers a free 30 minute cyber security training session that is specifically aimed at SMEs. You can access it here: ‘Stay Safe Online: Top Tips for Staff’.
Finally, make sure your staff know what to do and who to report to if they identify a cyber attack or if they think there might have been a data breach. Not only might this put your business under threat, but it might create legal obligations for you under data protection law (see below).
6. Provide IT support
Your staff may be working from home, and they may even be working on their own devices, but they’re likely to still need access to IT support. Check whether your normal support will continue whilst staff are working remotely, and make sure you update staff if there are any changes. If support is readily available, IT vulnerabilities are more likely to be flagged quickly.
7. Remember GDPR!
Any data that your business handles that contains any personal information will trigger data protection law, and you must remember your data protection obligations at all times. We’ve got detailed Q&A about how to make sure you’re storing data securely.
Specifically in the context of cyber attacks, if there has been a personal data breach (ie a breach leading to the destruction, loss, alteration, unauthorised disclosure of or access to personal data) and that breach carries some risk to individuals, you will have to notify the ICO (Information Commissioner’s Office) within 72 hours of you becoming aware of the breach. You may also need to notify affected individuals. Even if you don’t need to report the breach to the ICO (ie because you don’t think there is a risk to individuals), you should still keep a written record of it. For detailed guidance about what your obligations are when a data breach occurs, see our Q&A on data breaches.
These legal obligations serve as a reminder of the importance of businesses having effective cyber security policies and procedures in place to ensure that they can both protect their business from attack, and comply with their legal obligations if and when an attack does occur.
8. Report any breaches
If you think that your business has been the victim of cybercrime, you should report this through the Action Fraud Website. The NCSC has produced a 5 point action plan for small businesses to help them to respond and recover from cyber attacks.
Before joining Sparqa Legal as a Senior Legal Editor in 2017, Frankie spent five years training and practising as a corporate disputes and investigations lawyer at leading international law firm Hogan Lovells. As legal insights lead, Frankie regularly contributes to Sparqa Legal’s blog, writing content across employment law, data protection, disputes and more.