Coronavirus and cyber security – stay vigilant!
As the coronavirus has spread across the globe, businesses have had to battle to quickly develop new processes to cope with the practical implications arising from the outbreak. With the widespread transition to homeworking, the UK’s National Cyber Security Centre (“NCSC”) has issued a public alert and new guidance as cyber criminals get wise to the lucrative potential of the virus and look for opportunities to exploit vulnerabilities.
“Covid-19 is presenting not only a physical threat but a cyber threat as well.” (Lotem Finkelsteen, Head of Cyber Threat Research at Check Point). The coronavirus has presented cyber criminals with an unprecedented opportunity to launch phishing emails and fake websites. On 17 April 2020, Google reported that it was blocking 18 million coronavirus scam emails every day. In response to this, Google has now announced the launch of a new “Scam Spotter” programme to combat scams related to the pandemic, which recommends a three-step process for individuals to consider before disclosing personal information over the phone or via email.
Remote working, virtual “meetings” and conference calls are now becoming our new norm during this unprecedented time. Due to significantly higher volumes of employees working from home, businesses have had to adopt new practices, such as using VPN-based technologies to mitigate virtual working capacity issues and engage new business partners to process confidential information and personal data. Businesses should ensure that these new technologies are adopted safely and securely.
The NCSC has issued guidance advising on how organisations can manage the cyber security challenges of increased home working and has made a number of general recommendations for secure remote working:
- Some employees, due to the nature of their role, may not be used to working remotely. NCSC recommends that businesses produce written “How to…” guides for employees on how to use different types of software at home.
- There is an increased risk that devices may be lost or stolen when they are taken out of the office, or that employees are using personal devices that may be more susceptible to viruses. It is therefore important to ensure that devices encrypt data whilst at rest, so that data on the device remains protected in these circumstances.
- If possible, businesses should install software that encrypts data in transit. This software is highly relevant for remote working arrangements in order to maintain a safe working environment.
- Businesses should ensure that staff are aware of the procedure for reporting any security issues (i.e. by sending regular emails and coronavirus updates detailing the procedures that the company has in place for dealing with any IT/security related issues).
- Businesses may also wish to run training sessions for those who do not regularly work at home to ensure that employees are comfortable with the systems for remote working and aware of how to spot scam emails.
The NCSC also provides some information on security basics such as using strong passwords when setting up new accounts and ensuring VPNs are fully patched and have sufficient licences and bandwidth to manage an increase in users. Two-factor or multi-factor authentication should also be used for logging in to systems and accessing important data.
Cyber security experts have reported a spike in phishing emails linked to the coronavirus. The NCSC has reported that “cyber criminals are preying on fears of the coronavirus and sending phishing emails that try and trick users into clicking on a bad link.” There have been reports of scam emails circulating information on the virus purportedly being sent from the World Health Organisation, and some even claimed to offer tax refunds from HMRC.
Businesses should alert employees to this increased risk and ask them to stay vigilant, and review the NCSC’s guidance on dealing with suspicious emails. During this time, it is advised that companies should also review data breach and incident response plans to ensure that a robust plan is in place for responding to a data breach.
Employers can take various measures to warn against cyber attacks. For example, businesses should ensure there is sufficient anti-virus and email filtering software installed to identify any unusual activity. Businesses should also ensure that, if possible, sufficient IT support / cyber security professionals are in place to deal with any IT issues and/or phishing queries from their employees. IT teams may experience an influx of queries with a higher volume of employees currently working remotely so it is vital to have IT resources well staffed to deal with any problems.
The cyber threat facing organisations is on a new scale and is presenting new challenges. Businesses must ensure that any new process or software that is introduced to manage this new working environment does not bring with it unintended cyber risks. However, these risks can be mitigated if the recommendations above are considered.
Businesses should ensure that staff are well informed on how to safely and securely work from home, while being aware of the flurry of coronavirus related phishing emails that are currently contaminating inboxes. Be cautious and stay alert – cyber security is not immune to the coronavirus!
We will be giving more detail of measures businesses can take to protect their cyber security as part of our Data Privacy Summer Series.