This article was originally published on Finsbury.com
Jenny Davey, Partner in Finsbury’s UK Crisis practice and member of Finsbury’s Global Cyber Task Force interviews Simon Shooter, Head of Bird & Bird’s International Commercial Group and founder of the firm’s Cyber Security Team on how Covid-19 is raising the threat level for Cyber crime.
How would you characterise the cyber threat right now and how will a financial and healthcare crisis like Covid-19 change the cyber landscape?
The cyber threat is presently at a peak. Sadly, there are criminals that appear to have no qualms in seeking to exploit the distress of others. Covid-19 sees charlatans manufacturing and selling non-effective protective equipment and cyber criminals seeing Covid-19 as a golden opportunity to increase their activity. We’ve seen criminals pretending to be the World Health Organisation and then sending fraudulent emails which then demand bitcoin donations or sensitive password information or create phishing links which unleash malware. As more people work from home and shop and bank online, we are seeing a potent combination of significantly higher usage, using significantly less secure systems, which are then ripe for exploitation.
Regulators, including the New York Financial Regulator have reminded financial institutions they need to plan for cyber fraud as part of their response to managing Covid-19 – how important is it that companies don’t let cyber slip through the gaps during this moment of crisis?
Clearly when there is a heightened risk, measures that can sensibly be taken, should be taken. It’s important to do everything you can to protect your businesses and your people. However, a proportionate response is sensible. A balance needs to be reached between enabling the business to continue to operate and the business being appropriately secured. Banning the use of home computer systems that link to office networks may improve cyber resilience, but it is also likely to materially impact on the ability to adhere to anything like normal working practices. Employees may find workarounds which increase risk if they feel too stifled. In the UK the National Cyber Security Centre (NSCS) issued its guidance to businesses on 17 March: “Home working: preparing your organisation and staff”. It’s worth making sure that remote access security systems are up to date and multifactor authentication is introduced where possible.
What should companies and DPOs be doing during Covid-19 and how does mass home working change the picture for cyber risk?
Home working enlarges the cyber target and offers possible vulnerabilities to exploit. The issues presented by home working include:
a. Increased reliance on the internet
b. Use of home systems and devices
c. The increased changes of a psychological relaxation of security attitudes as a result of being in a non work environment.
A strong communications programme which educates your people about these risks is critical during this period.
It’s also worth revisiting good cyber practice security practices including:
• Is the technology and infrastructure deployed secured against malicious actors, outside and inside the organization?
• Do all company employees, subcontractors and relevant third parties have clear instructions and guidance on how to conduct their work in a secure manner?
• Do any of the security measures in place block employees from conducting their work efficiently?
When issuing new equipment to employees, including new laptops and phones to help with working from home, there needs to be effective asset management in place. Know what devices have access to your network and data, plan for any changes, and block or remove obsolete equipment from your network before it becomes a weak point in your security.
What should companies be warning their employees to look out for? We’ve heard many examples of Fake CEO emails for example.
The first line of defence should be to educate and support your colleagues and provide regular reminders in a range of different formats. Behavioural science suggests that often employees need to receive information four or five different ways before it is fully embedded and acted upon when it comes to cyber security:
Simple points:
A. Ask colleagues to security scan their devices using their own system security products. Seek to encourage all staff to ensure their software is up to date, especially their protective systems. It’s worth considering implementing email scanning technology which can spot suspicious emails if you don’t already have this installed.
B. Reinforce education to colleagues. If you have remote working policies or mobile device provisions remind your staff of the key points. It is correct that what are referred to as “CEO letters” from suppliers telling of their COVID-19 plans have in some cases been high-jacked by cyber criminals to deliver malware. Accordingly, it is sensible to repeat training and advice on spotting phishing email.
C. Ensure your segregation/suspicious email lines are operating well so colleagues can learn the good behaviours of sending suspect mail to a segregated address where the mail can be opened in an isolated and secure environment.
D. For important matters, such a money transfer requests, keep enforcing existing protective measures such as requiring telephone confirmation.
E. Consider enforcing a password change. However, do not over do this otherwise the changed passwords are likely to become easy derivatives of the previous password. Like all security measures proportion and human psychology play an essential role.
When home working, where does the employer’s cyber security liability start and end, should it be allocated per working hours, or do companies now have to accept that they are liable for all employees’ online activity 24 hours a day?
Nothing on Covid-19 has changed the liability landscape here. The standard rules of employers’ liability or vicarious liability apply. Accordingly, the employer is responsible for the acts and omissions of that employee in the course of his or her employment (whether that is at home or in the workplace, inside or outside of normal working hours), with the chain of responsibility only being broken in circumstances where the employee’s actions cannot be said to have a “close connection“ with his or her employment.
Are particular sectors more vulnerable to cyber attacks right now? We’ve seen some Cyber extortionists pledge “No more healthcare cyber attacks” during Covid-19 – can we believe these kinds of promises?
It all depends on your level of belief in honour amongst thieves. Frankly I have no such belief. There are some who may well play by these more altruistic codes but that will only be a fraction.
From a cybercrime perspective vulnerability is often properly assessed by an understanding of the threat vector. The lower levels of cyber criminals are by nature interested in maximum gain for minimum effort. Accordingly, with more low hanging fruit becoming available from proliferation of work traffic on home systems we can expect an uptick in Phishing and Business Email Compromise. Given the core reliance on central systems being remotely accessed we can also expect a continued rise in extortion attempts as businesses are greatly exposed to system denial and so are possibly more inclined to pay ransoms.
I also predict that although state actors may not be as active while governments focus on addressing the issues immediately at hand, the relative confusion and increased vulnerabilities present a hard to miss opportunity to gain access to systems and insert malware for a later day.
What role do you believe good cyber communications plays right now as part of the mix?
Good and clear communications and education are in the front line of a proportionate response to the current circumstances. If you don’t already have a joined up communications plan as part of your cyber incident response planning – it’s worth spending the time now to ensure at least a basic plan is in place, in case you do get attacked. It’s equally important to ensure that you have a pro-active communications plan for your employees during this time, reiterating simple and easily accessible explanations and reminders of your existing policies and procedures in a variety of different formats to embed the advice, whether that’s online training, gamification or video messages. The messages will generally be as relevant to your employees in their personal life as to their work lives.