Stay safe – and secure

By Addleshaw Goddard legal director Samantha Haigh and consultant Abigail Healey

It is perhaps unsurprising that criminals and other malicious actors are seeking to take advantage of the COVID-19 outbreak.

The UK’s National Cyber Security Centre (NCSC) has identified an increase in individuals as well as businesses being targeted with a range of ransomware and malware.

With a return to ‘normal’ unlikely for some time to come, what should businesses be doing – if they aren’t already – to protect themselves?

1. Ensure that there are established lines of communication in place, so that your employees can readily identify a legitimate internal communication from an illegitimate one. Criminals are attempting to exploit the fact that people are working remotely and lines of communication may be more restricted than usual. There have been a number of instances, for example, of emails purporting to be from HR or a manager attaching a ‘Coronavirus update’ which contains malware. Other examples include so-called spear-phishing attacks where an instruction is purportedly sent from someone in management requesting the transfer of money. Particularly if it concerns the transfer of money or data, ensure that people are aware of how instructions are to be communicated. As a failsafe, consider having to confirm instructions by telephone.
2. Educate employees about current security risks. A number of recent phishing attacks or malicious applications have come from what appears to be a trustworthy source, such as the ‘World Health Organisation’, in a bid to exploit people’s thirst for information about the outbreak. Education is important for the individual’s online security as well as that of the business, given clicking on a link or opening an attachment could download malware or ransomware, obtain passwords, or fool an individual into giving away sensitive business (or personal) information. The NCSC has published a useful (non-exhaustive) list of COVID-19 related indicators of compromise.
3. Unless or until a proper security assessment can be carried out, businesses should be wary of installing new software to meet the immediate needs of the business. Are there other work arounds in the meantime? For instance, if it is for the purpose of keeping in touch with colleagues (and the content is not business confidential), could employees use their own devices?
4. If new software is installed, ensure that people understand what is installed and how it will work in practise. As there has been an increase in the use of communications platforms such as Zoom or Microsoft Teams, so too has there been an increase in the number of email attacks attaching files or containing links which might look like meeting details to the uninformed.
5. Does the business permit employees to use their own devices for work purposes? Depending on the nature of the business there may be good reasons to revise that policy, but whatever is decided, taking into account the potential risks, it should be documented and communicated to employees.
6. Does the business’s cyber response plan need updating in light of the current working regime? Is it still fit for purpose? For instance, how is your crisis management team going to ‘meet’ – and is it secure? Many crisis plans might assume that the team can likely assemble, at short notice, in person. If your systems are down, do you have an alternative means of being able to communicate with your key stakeholders (including employees)?

What the future holds as far as COVID-19 is concerned is far from certain.

Abigail Healey

If one thing is certain, however, it is that malicous actors will continue to try to take advantage of the current situation.

How a business seeks to mitigate that risk may prove to be fundamental to its very survival and if these issues have not been adequately addressed to date, do not delay.