Commercial Question

Coronavirus: the increase in cyber attacks

updated on 19 May 2020

Question

Coronavirus: why has there been an increase in the risk posed by cyber attacks and how can businesses mitigate this risk?

Answer

Sadly, cyber criminals are already profiting from this public health emergency. This article reminds us that cyber security must remain a priority for businesses.

What is the context of the increased risk?

As a response to the coronavirus (covid-19) pandemic, entire workforces around the world have shifted to working from home over a few short weeks. Rather than the incremental, cautious approach that most organisations would have preferred, they were forced to 'jump in the deep end' with their remote working platforms and processes – plans were rushed and usual tests went out of the window.

In addition to this, there has been a rapid surge in online activity outside the workplace: a significant increase in internet shopping; more time for people to spend online; a large appetite for covid-19-related online information; and a flood of virtual education/sport classes. Generally, there has been an accelerated reliance on technology.

In some ways, technology is helping to mitigate the economic impact on business. However, this huge technological and practical shift over such a short period creates significant challenges. A rapidly changing environment combined with a global crisis presents openings for opportunistic cyber criminals. In light of (and despite) this unfamiliar landscape, it is important that businesses do not lose sight of the cyber security risk and the damage it could cause.

What is 'phishing'?

Phishing involves the sending of emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers, or to click on links that use websites or software to gain credentials to access systems and perpetrate cyber crime. Cyber criminals use phishing to gather financial or other confidential information and/or personal data.

It often involves emails that link to 'fake' websites which seem genuine and are often designed in a way to trick or entice people into visiting and/or entering personal information. Sometimes merely clicking on a link to such a website is enough to compromise a system or confidential information.

Phishing emails are one of the fastest-growing risks to the system and information security of businesses and one of the main methods cyber criminals are using to profit from the current situation.

Has phishing increased due to covid-19?

Phishing has most definitely increased during these first few months of the covid-19 pandemic. Reports suggest a huge number of new, coronavirus-related domains have been registered since the beginning of January 2020 and a large number of fraudulent emails have been reported.

The National Cyber Security Centre (NCSC) recently warned that attacks are likely to rise as the outbreak intensifies. It has recently taken steps "to automatically discover and remove malicious sites which serve phishing and malware" and has said that those sites used coronavirus and the specific disease covid-19 "as a lure to make victims 'click the link'".

Why is there an increased cyber security risk?

The NCSC has explained that cyber criminals are "opportunistic" and will look to "exploit people's fears". They are aware, for example, of the appetite for covid-19-related information. They are taking advantage of this by sending emails or publishing apps using coronavirus references as bait, with links directing to malicious websites or attachments infected with malware. For example, the World Health Organisation (WHO) has warned that criminals have been sending fake emails purporting to come from WHO in an effort to take advantage of the covid-19 emergency. The BBC has also reported on email scams such as "Click for Corona-Virus Cure" and "UK Government Tax Refund".

Additional pressures and apprehensions are distracting everyone. From a common-sense perspective, at least to begin with, it is inevitable that employees may be less vigilant in their home environment than they would be in an office environment. Distractions such as childcare may mean they can be tricked more easily by a genuine-looking email or accidentally leave the workstation unlocked. Cyber criminals know the huge pressure the crisis is putting on businesses and will try to take advantage of this distraction.

Depending on the extent to which a business was previously set up for remote working, it may not yet have in place sufficient protections and policies to deal with such a significant change. Businesses are having to balance the need to provide remote access for productivity with security. Depending on the systems used, it may be easier for hackers to compromise work and home systems in a single attack. Further, workers do not have colleagues around them at home to help identify scams – it may be less convenient to check a concern with IT support, or to check the validity of an email claiming to be from a colleague.

In addition to the increased risk of attacks, the current situation is also likely to amplify the impact of an attack. The personnel that monitor IT infrastructure and provide support are also likely to be working remotely, so monitoring, spotting and addressing cyber attacks could be hampered.

How can businesses reduce the risk of cyber attacks?

The following are suggestions of some of the actions a business can take to mitigate cyber security risks. Note that this list is far from exhaustive.

  • Anti-virus protection and information security. Ensure that anti-virus, email filtering and other security software to identify and monitor unusual activity are deployed, up to date in terms of versions and patches and configured to proactively scan devices, attachments and downloads. Consider using tools to prevent user accounts sending mass emails. Use IP blocking where appropriate to prevent access to systems from internet users in certain countries in which the organisation does not operate. Check whether systems enabling remote access are patched to the latest version available.
  • Prioritise IT/security teams. Prioritise the resilience of IT teams and ensure they have bandwidth to deal with a surge in IT issues and questions from remote workers. Carefully consider whether furloughing such staff is wise given the potential impact of a ‘lean’ team. Remember that working remotely will most likely mean their everyday security 'firefighting' will be much slower and more difficult. It may compromise their ability to respond as quickly as possible should an attack occur. Consider whether this can be mitigated in any way and regularly check in on the team to identify issues.
  • Employee communications/training. Remind employees of security policies already in place regarding issues such as downloading, using insecure networks, verifying website URLs before interacting with them, data destruction and restrictions on home printing. Ensure there is an easy and quick way for staff to report suspicious communications and regularly make them aware of this procedure.

Consider conducting refresher training, including covid-19-specific risks and how to deal with these. For example:

  • Emails with a covid-19-related subject line, attachment or hyperlink.
  • Social media pleas, texts or calls related to covid-19.
  • Illegitimate sources providing information about covid-19.
  • Charities requesting 'donations' for those impacted by covid-19.
  • Leave your work station locked at all times when you are not using the device.

Employers could give specific, real examples as and when they are reported.

  • Strong authentication. Consider whether the use of multi-factor authentication should be increased, such as for accessing important systems/data and for authorising transfers of money/secure information.

How should a business prepare and respond to a cyber attack?

Below are some considerations when preparing and responding to a cyber attack. Note that these are by no means exhaustive and depend on the systems and policies the business has in place:

  • Incident response plan. In preparation for an attack, consider and review the business' incident response plan. Does this address the current situation of company-wide home working and government movement restrictions? Consider the practical implications of the incident response plan – for example, is there a member of the IT team better suited to attend the service location and/or access servers to deal with malware in the system? Will it be more difficult to perform remedial work on the devices remotely?  

Although the government has not explicitly mentioned this scenario, the current guidance suggests that travelling to work in order to deal with a cyber attack, if it cannot be dealt with from home, would be acceptable (as long as the individual is not in a category of persons who should be self-isolating and social distancing rules are complied with). Ensure contact information for all staff is up to date and confirm policies on reporting incidents to employees. Check that business continuity/disaster recovery plans work in the current climate.

  • Consider regulatory obligations. If the attack may have compromised personal data, the organisation may have a legal obligation to notify the applicable data protection authority – in the UK this would be the Information Commissioner's Office – and/or other applicable regulators. For example, regulated businesses, such as those in financial services and energy, may also be obliged to notify their sectoral regulator in such cases. Ensure members of the response team are informed of these obligations.
  • Contact insurers. Consider whether the business' insurance is adequate and covers cyber security. Contact the insurer to obtain assistance from experts. Remember you may be under an obligation to notify the insurer of an incident as soon as possible. Discuss with your broker if you are unclear what level of cover you have regarding cyber attacks and/or what other policies are available in the market.

Gemma Neath is a solicitor in the commercial team at Michelmores LLP.