Cyber risk warning as coronavirus spurs remote working

Out-Law News | 17 Mar 2020 | 9:37 am | 2 min. read

Employers telling staff to work from home to minimise the spread of coronavirus in the workplace should urgently review and bolster if necessary the cybersecurity measures they have in place, an expert has said.

Cyber risk specialist Ian Birdsey of Pinsent Masons, the law firm behind Out-Law, said a shift towards remote working will enable many employers to maintain 'business as usual' operations over the forthcoming period, but he said there is already evidence that cyber criminals are seeking to profit from the public health emergency.

Birdsey highlighted a warning from the National Cyber Security Centre (NCSC) in the UK that so-called 'phishing' attacks are likely to rise as the coronavirus outbreak intensifies. The NCSC said it had taken steps in recent days "to automatically discover and remove malicious sites which serve phishing and malware" and that those sites used coronavirus and its official name Covid-19 "as a lure to make victims ‘click the link’".

Phishing is commonly carried out via email: individuals are duped into clicking on links that take them to webpages controlled by the attacker. The links and the webpages themselves can appear genuine and are often designed to trick people into divulging credentials or other personal information. In some cases the act of clicking on the link itself, before anything is typed in, may be enough for the attacker to gain a foothold on the user's device and, through it, access to underlying systems and data.


Birdsey said: "Phishing is the first step or link in the chain. Attackers are looking to gather user credentials to perpetrate cyber crime. The next step post-phishing is to gather financial and/or personal data to effect payment diversion frauds, send spam, or even launch chain-phishing attacks."

"Coronavirus is just the latest topic or hook for attackers, who are cynically preying on users’ fears or thirst for information. The World Health Organisation (WHO) has already warned that criminals have been sending fake emails purporting to come from it in an effort to take advantage of the Covid-19 emergency – this is a particularly cynical example of the lengths hackers will go to," he said.

"For employers, asking staff to work from home poses additional cybersecurity challenges. It is arguably easier for attackers to compromise work and home systems in a single attack, and phishing scams present a greater threat than normal as people work individually with no colleagues around them to help them identify the scams," Birdsey said.

Birdsey said there are a number of actions employers can take to manage cyber risk stemming from the Covid-19 emergency.

He said: "Measures include deploying effective anti-virus and email filtering software and other security software to identify and monitor for unusual activity. IT teams must have sufficient resilience and bandwidth to deal with a wave of IT issues and questions from users. A visible and easy-to-use tool should also be made available to enable staff to report phishing, and there should be regular phishing campaigns and tests to raise awareness. Multi-factor authentication is vital for controlling access to important systems and data too."

Birdsey also said employers may wish to consider using tools to prevent mass emails being sent from user accounts, since a compromised mailbox is typically used to send spam or further phishing, and that blocking access by source IP address might be appropriate in some cases to prevent access to systems from countries where the company has no business interests.
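One way to implement the "monitor for unusual activity" and "prevent mass emails from user accounts" controls mentioned above is a sliding-window rate check over outbound mail logs, flagging any account whose recipient count or message count in a short window exceeds a threshold. The following is an added example and not code from Out-Law, Pinsent Masons or the NCSC; the log format, the five-minute window, the thresholds (100 recipients or 50 messages) and the sample log lines are all constructed for illustration, and a real deployment would feed the same logic from the mail gateway's own logs and act on the result (alerting, or disabling outbound mail for the account pending review).

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of outbound-mail log lines (hypothetical format, not real data):
# "<ISO-8601 UTC timestamp> <sending account> <number of recipients>"
# carol's burst of four large sends in about a minute is the pattern a
# compromised mailbox produces when used to spam or chain-phish.
SAMPLE_LOG = """\
2020-03-16T09:00:05Z alice@example.com 1
2020-03-16T09:01:10Z bob@example.com 2
2020-03-16T09:02:00Z alice@example.com 1
2020-03-16T09:30:00Z carol@example.com 40
2020-03-16T09:30:20Z carol@example.com 45
2020-03-16T09:30:41Z carol@example.com 50
2020-03-16T09:31:05Z carol@example.com 38
2020-03-16T10:15:00Z bob@example.com 1
"""


def parse_line(line):
    """Split one log line into (timestamp, account, recipient_count)."""
    ts, account, rcpts = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), account, int(rcpts)


def flag_mass_senders(log_text, window=timedelta(minutes=5),
                      max_recipients=100, max_messages=50):
    """Sliding-window detector over outbound mail.

    Returns {account: (window_start_iso, recipients_in_window)} for every
    account that, within any `window`-long span, addressed more than
    `max_recipients` recipients or sent more than `max_messages` messages.
    The recorded tuple is the state at the first moment the account crossed
    a threshold. Log lines are assumed to be in time order.
    """
    windows = defaultdict(deque)   # account -> deque of (ts, rcpts) inside the window
    totals = defaultdict(int)      # account -> recipients currently inside the window
    flagged = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, account, rcpts = parse_line(line)
        q = windows[account]
        q.append((ts, rcpts))
        totals[account] += rcpts
        # Drop entries that have aged out of the window.
        while q and ts - q[0][0] > window:
            _, old = q.popleft()
            totals[account] -= old
        if totals[account] > max_recipients or len(q) > max_messages:
            # setdefault keeps the first crossing; later sends do not overwrite it.
            flagged.setdefault(account, (q[0][0].isoformat(), totals[account]))
    return flagged


if __name__ == "__main__":
    for account, (start, total) in flag_mass_senders(SAMPLE_LOG).items():
        print(f"{account}: {total} recipients in the window starting {start}")
```

The thresholds are the tuning knob: set them from a baseline of normal per-user sending for the organisation, and treat a crossing as a trigger to check that mailbox for the other post-phishing indicators the article describes (new forwarding rules, logins from unexpected locations) rather than as proof of compromise on its own.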

Should a phishing attack be successful, however, the organisation could face a legal duty to inform any applicable regulators, he said.

"If a business mailbox that is compromised is synchronised and contains personal data, the organisation might be required to notify the applicable data protection authority – such as the Information Commissioner's Office in the UK – in line with the data breach notification provisions set out in the General Data Protection Regulation," Birdsey said. "Regulated businesses, such as those in financial services and energy, may also be obliged to notify their sectoral regulator in such cases."

Paul Chichester, director of operations at the NCSC, said: "We know that cyber criminals are opportunistic and will look to exploit people’s fears, and this has undoubtedly been the case with the coronavirus outbreak. Our advice to the public is to follow our guidance, which includes everything from password advice to spotting suspect emails."