The COVID-19 crisis has created significant cybersecurity risks for organizations across the world, particularly arising from remote working, scams and phishing attacks, and weakened information governance controls. These risks warrant attention by legal counsel and information security officers in light of potentially significant adverse legal, financial and reputational consequences that could arise – all while the organization is dealing with effects of a global pandemic.
In addition to identifying the cybersecurity risks, we also consider key measures that organizations can consider adopting to reduce such risks, including measures recommended by the UK’s National Cybersecurity Centre (NCSC), EU’s Agency for Cybersecurity (ENISA) and the US Federal Bureau of Investigation. The speed at which the COVID-19 crisis has evolved has meant that many organizations have not been able to deploy effective risk-reducing measures in a timely manner.
Potential sources of COVID-19-related cybersecurity risks include:
- Vulnerabilities arising from remote access: Employees may work remotely using personal laptops or BYOD devices that are less “hardened” to protect against cyber attack. These devices may also be without up-to-date anti-malware software be vectors of malware that infect their employer’s systems. In addition, employees who access their employer’s systems from home WiFi networks are more at risk of being hacked (particularly, if passwords and endpoint security are weak, or if 2-factor authentication has not been implemented), eavesdropped and subject to “man-in-the-middle” attacks.
- Phishing attacks and scams: A number of “phishing” attacks and scams are being mounted by “bad actors” taking advantage of COVID-19 anxieties. For example, the World Health Organization has warned of fake emails being sent in its name. Also, “bad actors” appear to be “phishing” individuals to sign-up to fake COVID-19 products and services (such as COVID cures or tax refunds) to perpetrate ransomware attacks. And also because employees may not be present in their offices, it may be easier to impersonate them to carry-out (for example) fraudulent bank or wire transfers or securities trades.
- Removal of data and physical devices from offices: Employees may have removed – either with or without the organization’s permission – laptops, removable media (such as USB/thumb drives) or physical copies of confidential and personal information from their employer’s offices. In turn, such laptops (particularly, if unencrypted), devices and information are at risk of being stolen, lost or exposed in such circumstances.
- Use of unofficial unsecure communication channels: While working remotely, employees are more at risk of using unofficial communication channels (such as personal instant messaging or e-mail platforms) to conduct official business. The organization may be unable to comply with its record keeping obligations (such as with respect to securities trades) because material information may be stored outside of the organization’s official systems. And such unofficial communication channels may also be less secure and at higher risk for cyber attack.
- Dispersed incident response decision-makers and IT staff: In the event of a cyber-incident, some organizations may find it more challenging to timely and effectively respond: key incident response decision-makers and IT staff may be difficult to contact or may be unavailable (if they are in isolation or sick). As a result, any pre-agreed incident response plan may be difficult to implement.
- Supply chain cybersecurity risks: Many suppliers to organizations (including IT suppliers) may be themselves subject to significant cybersecurity vulnerabilities because of the COVID-19 crisis (including the risks identified above). As a result, even if an organization does not directly suffer a cyber incident, it may be exposed to the consequences of an incident affecting its suppliers.
To counteract these increased risks, EU and US regulators and law enforcement agencies, and cybersecurity professionals are recommending that organizations adopt additional measures to ensure sufficient cybersecurity protections. Some of these measures include:
- Consider conducting a cyber security vulnerability review to consider the organization’s exposure to specific COVID-related cyber risks, and drafting and implementing a plan to address those vulnerabilities, including the measures outlined below.
- Where possible implement 2-factor authentication for any remote access to emails and remote log-in capabilities to employer resources.
- Consider developing a series of “how to” guides and send out regular reminders regarding best practices for working remotely to ensure conformity with employer policies and procedures. Such guides should focus on, for example, how to log into and use online collaboration tools; discourage use of personal accounts for conducting business activities and discourage emailing documents to employee personal email accounts; and reminding employees to not disclose sensitive documents in public policies and not to use public WiFi networks without sufficient security controls such as VPN.
- Carefully vet third-party applications and platforms to ensure conformity with employer security controls. When entering into new vendor agreements, organizations should ensure proper controls are in place to ensure protection of material or sensitive confidential information or personal information.
- Implement – and take steps to enforce where feasible – written “remote working policies”, (including employees’ use of BYOD devices), and regularly reminding employees of their confidentiality obligations (including the removal of documents from the organization’s offices)
- Regularly update patches regarding VPN technologies and other associated software utilized for remote access to company IT resources.