updated on 19 May 2020
Question: Coronavirus: why has there been an increase in the risk posed by cyber attacks and how can businesses mitigate this risk?
Sadly, cyber criminals are already profiting from this public health emergency. This article reminds us that cyber security must remain a priority for businesses.
What is the context of the increased risk?
As a response to the coronavirus (covid-19) pandemic, entire workforces around the world have shifted to working from home over a few short weeks. Rather than the incremental, cautious approach that most organisations would have preferred, they were forced to 'jump in the deep end' with their remote working platforms and processes – plans were rushed and usual tests went out of the window.
In addition to this, there has been a rapid surge in online activity outside the workplace: a significant increase in internet shopping; more time for people to spend online; a large appetite for covid-19-related online information; and a flood of virtual education/sport classes. Generally, there has been an accelerated reliance on technology.
In some ways, technology is helping to mitigate the economic impact to business. However, this huge technological and practical shift over such a short period creates significant challenges. A rapidly changing environment combined with a global crisis presents openings for opportunistic cyber criminals. In light of (and despite) this unfamiliar landscape, it is important that businesses do not lose sight of the risks to cyber security and the damage they could cause.
What is 'phishing'?
Phishing involves the sending of emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers, or to click on links that use websites or software to gain credentials to access systems and perpetrate cyber crime. Cyber criminals use phishing to gather financial or other confidential information and/or personal data.
It often involves emails that link to 'fake' websites which seem genuine and are often designed in a way to trick or entice people into visiting and/or entering personal information. Sometimes merely clicking on a link to such a website is enough to compromise a system or confidential information.
Phishing emails are one of the fastest-growing risks to system and information security for businesses and one of the main methods cyber criminals are using to profit from the current situation.
Has phishing increased due to covid-19?
Phishing has most definitely increased during these first few months of the covid-19 pandemic. Reports suggest a huge number of new, coronavirus-related domains have been registered since the beginning of January 2020 and a large number of fraudulent emails have been reported.
The National Cyber Security Centre (NCSC) recently warned that attacks are likely to rise as the outbreak intensifies. It has recently taken steps "to automatically discover and remove malicious sites which serve phishing and malware" and said that those sites used coronavirus and the specific disease covid-19 "as a lure to make victims 'click the link'".
Why is there an increased cyber security risk?
The NCSC has explained that cyber criminals are "opportunistic" and will look to "exploit people's fears". They are aware, for example, of the appetite for covid-19-related information. They are taking advantage of this by sending emails or publishing apps using coronavirus references as bait, with links directing to malicious websites or attachments infected with malware. For example, the World Health Organisation (WHO) has warned that criminals have been sending fake emails purporting to come from WHO in an effort to take advantage of the covid-19 emergency. The BBC has also reported on email scams such as "Click for Corona-Virus Cure" and "UK Government Tax Refund".
Additional pressures and apprehensions are distracting everyone. From a common-sense perspective, at least to begin with, it is inevitable that employees may be less vigilant in their home environment than they would be in an office environment. Distractions such as childcare may mean they can be tricked more easily by a genuine-looking email or accidentally leave the workstation unlocked. Cyber criminals know the huge pressure the crisis is putting on businesses and will try to take advantage of this distraction.
Depending on the extent to which a business was previously set up for remote working, it may not yet have in place sufficient protections and policies to deal with such a significant change. Businesses are having to balance the need to provide remote access for productivity with security. Depending on the systems used, it may be easier for hackers to compromise work and home systems in a single attack. Further, workers do not have colleagues around them at home to help identify scams – it may be less convenient to check a concern with IT support, or to check the validity of an email claiming to be from a colleague.
In addition to the increased risk of attacks, the current situation is also likely to amplify the impact of an attack. The personnel that monitor IT infrastructure and provide support are also likely to be working remotely, so monitoring, spotting and addressing cyber attacks could be hampered.
How can businesses reduce the risk of cyber attacks?
The following are suggestions of some of the actions a business can take to mitigate cyber security risks. Note that this list is far from exhaustive.
Consider conducting refresher training, including covid-19-specific risks and how to deal with these. For example:
Employers could give specific, real examples as and when they are reported.
How should a business prepare and respond to a cyber attack?
Below are some considerations when preparing and responding to a cyber attack. Note that these are by no means exhaustive and depend on the systems and policies the business has in place:
Although the government has not explicitly mentioned this scenario, the current guidance suggests that travelling to work in order to deal with a cyber attack, if it cannot be dealt with from home, would be acceptable (as long as the individual is not in a category of persons who should be self-isolating and social distancing rules are complied with). Ensure contact information for all staff is up to date and confirm policies on reporting incidents to employees. Check that business continuity/disaster recovery plans work in the current climate.
Gemma Neath is a solicitor in the commercial team at Michelmores LLP.