COVID-19 and Cyber Security
31 March 2020
In light of the COVID-19 pandemic, organisations have been undergoing significant changes to the way in which they work. The last number of weeks have seen an unprecedented increase in the number of people working from home, with reliance being placed on remote IT systems on a scale never seen before.
Remote working is of course not a new prospect, and many businesses already have comprehensive policies and infrastructure in place to enable home working. However, COVID-19 has meant that these structures now need to be implemented for higher numbers of staff, some of whom (including individual employees or entire roles) will not be used to working in this manner. Such a rapid increase in numbers has led to many organisations finding gaps in their cyber security protocols.
Furthermore, unfortunately we have had reports of several cyber threats already targeting COVID-19 subject matter. These range from phishing emails purporting to be from the NHS or World Health Organisation, to fraudulent websites that have registered coronavirus-related domains (such as coronavirus.com and coronaoutbreakworldmap.com), sometimes with embedded malicious code which imitates legitimate COVID-19 documentation.
Therefore, it would be prudent for organisations to review and update their cyber security policies and systems in an effort to reduce their likelihood of falling foul of these malevolent cyber-attacks. To this end, organisations should consider taking the following steps:
Review and Refresh Policies
Now is a good time to review and, if necessary, refresh your remote working policies. It is also a good time to remind members of staff, perhaps through awareness messaging, of the controls your organisation has in place to mitigate the cyber and data security risk associated with remote working and what members of staff are expected to do and not do in order to continue working securely away from the office.
Additionally, it would be sensible to review and update your existing cyber and data security incident response plan, in particular checking that your incident response communication protocols and collaborative working infrastructure remain fit for purpose in the light of new working arrangements (in which case all relevant stakeholders should be updated).
Many employees may not have had experience of regularly working from home or of the requirements which they need to follow in order to reduce data security risk. Therefore, it would be prudent for organisations to provide staff training on these matters. The National Cyber Security Centre (NCSC) has some helpful resources in this regard, including a homeworking guidance document, which outlines numerous steps for individuals to take when working from home, and a 30-minute cyber security e-learning package which employees can complete.
Raise Awareness of Cyber Attacks
Organisations should raise staff awareness about COVID-19-related phishing emails and cyber-attacks. In this vein, you should consider refreshing your core messages around phishing emails and start to regularly inform staff about the COVID-19-related phishing attempts.
Improve IT Infrastructure
Your organisation may need to expand its reliance on allowing members of staff to work using their own devices. This will require purchasing more VPN and desktop virtualisation licences, and ensuring the work-related information is effectively sandboxed. Some practical tips for maintaining IT integrity during this time include: maintaining network security by increasing data backup regularity; regularly monitoring third party access to organisation networks; and purchasing new security solutions which interlock.
Should you wish to discuss this further, have any cyber security related questions, or have unfortunately suffered a cyber security breach, please do not hesitate to get in touch with one of our experts at Carson McDowell at [email protected].
*This note reflects the position as at 31 March 2020.
*This information is for guidance purposes only and does not constitute, nor should it be regarded as, a substitute for taking legal advice that is tailored to your circumstances.