How has COVID-19 affected cybercrime risks for businesses?
The coronavirus pandemic means that an unprecedented number of people are currently working from home, many of whom will not have done so regularly before. This may make many businesses more vulnerable to attack or other cybersecurity issues. Particular risks include that: IT arrangements for remote working may not be as secure; employees may be unfamiliar with new IT arrangements for working from home; and employees may otherwise be anxious and stressed about the ongoing pandemic, which could affect their judgment and make them more susceptible to scams and suspicious communications.
Indeed, criminals are actively seeking to exploit anxiety and uncertainty related to the pandemic. Action Fraud (the UK’s National Fraud and Cyber Crime Reporting Centre) reported a 400 per cent increase in coronavirus-related fraud reports in March. These figures relate to a variety of new scams, including:
- A wide range of phishing scams (i.e. bogus communications that purport to be from a well-known and trusted source, which request confidential information (typically login/password details or banking information)), including:
- Emails purporting to be from HM Government asking for donations to the NHS during the COVID-19 outbreak
- Emails purporting to be from a research group that mimic the Centre for Disease Control and Prevention (CDC) and World Health Organisation (WHO), requesting donations
- Communications containing investment scheme and trading advice encouraging people to take advantage of the coronavirus downturn
- Malware, spyware and Trojans have been found embedded in interactive coronavirus maps and websites. Spam emails are also tricking users into clicking on links which download malware to their computers or mobile devices
- Online shopping scams for products which have never been delivered (e.g. protective face-masks, hand-sanitiser).
There are many types of cybercrime (also often known as cyberfraud); the above list is not exhaustive. We have previously published an article, which provides more detail on some of the main types of cybercrime.
While there has been a rise in scams such as the above, the fundamental risks to businesses from cybercrime (i.e. the loss of confidential data and information and financial loss) remain broadly the same. Common scams in operation before the current crisis continue.
What practical steps can businesses take to limit the risk/effect of cybercrime?
Burges Salmon’s data protection team has recently published an article setting out practical steps and tips businesses should follow to protect their employees’ and visitors’ health data.
The fundamental preliminary step which all businesses can and should take in order to prevent a cyber-incident/attack is to consider and develop a strategy to prevent cybercrime and how to respond if affected. Key elements of any such strategy are likely to include:
- Understanding the cyber security risk in relation to the individual business and its critical business operations
- Integration across information assurance and personnel, technical and physical security arrangements
- Establishing protective monitoring to prevent and deter the 'insider' threat from an organisation’s own employees
- Accepting that some attacks will breach defences, and planning on that basis.
There are a number of practical measures which businesses should consider as part of any such strategy to help protect against risks of cybercrime (whether related to working from home, COVID-19 or otherwise) and to mitigate against the impact of any breaches of IT security:
- Protocol for outward payments - Cyber-criminals often specifically target an organisation’s finance function or those responsible for making payments. It is vital that businesses have a clear protocol for outward payments, which should be communicated throughout the business. In particular, businesses should require checks to verify all new or changed bank account details before making payments (especially those received by email), for example by using a trusted telephone number to contact the intended recipient.
- Encryption of all devices – All work devices should be encrypted and PIN/password-protected. Business may wish to consider installing a system to track and delete data from tablets and phones remotely if they are lost or stolen. Businesses should also consider using two-factor authentication for log-ins where possible.
- Back up key files – Organisations should take steps to back up important files if they have not already done so, and should store them independently from their system (e.g. in the cloud or on an external drive).
- Necessary updates– Organisations should ensure that their devices (and where relevant, employees’ own devices) are fully updated with the latest operating system and key software updates.
- Use work devices if possible – In general, allowing employees to bring their own devices ('BYOD') could pose challenges to personal data and IT security. If possible, organisations should request employees to only use work devices when working from home. Documents and data should be stored on the organisation’s trusted networks or cloud services. If such services and solutions are not available, employees should be required to back up locally saved documents regularly on the employer’s device. Employers may also wish to provide guidance to employees on how to ensure their home networks are secure.
- BYOD – If employees will have to use their own devices to carry out work, organisations should issue relevant BYOD policies and if possible provide remote training sessions. Organisations should ensure that employees only use work email accounts rather than personal accounts and update passwords regularly. Where a secure cloud solution is available, documents should be saved in this secure environment rather than locally on employees’ own devices. Once organisations resume working from their usual offices, it is recommended that employees are asked to delete any work-related data saved on their own devices.
- Paper documents – Organisations should remind employees that paper documents can still be confidential and could be personal data if it is intended as part of a filing system. Employees should be asked to keep such hard copy documents secure and keep a register of the documents they have taken home.
- Communication and training – It is vitally important that businesses are able to communicate effectively with employees working from home, and to provide remote support to any employees experiencing technical issues. Businesses might want to consider preparing simple how-to guides for staff on certain topics to help them adapt. As noted above, businesses might also want to consider providing / refreshing IT training for employees, with a particular emphasis on IT security. All staff should be reminded of the procedure to follow if they suspect they have been the victim of a cyber-attack in connection with work or have clicked on a suspicious link.
The National Cyber Security Centre has recently launched the Suspicious Email Reporting Service, which the public can use to report suspected phishing emails, though victims should still report crimes to Action Fraud (see below).
What should businesses do if affected by cybercrime?
Here are five key considerations if you discover that your business has fallen victim to cybercrime:
1. Investigation
As a preliminary step, the business will need to calmly assess precisely what has happened:
- Investigation team and plan: Assemble a suitably qualified and experienced investigation team. Typically, this will include members of senior management, legal, IT and public relations teams. The team should devise an investigation plan setting out issues, work-streams, responsibilities and deadlines.
- Understanding the facts: The team should establish, as clearly as possible, what has happened. What is the nature of the attack? Who was involved? How much money has been lost? Is it clear that the incident is not simply due to a technological failure?
- Imaging: It will often be prudent to make a forensic image of the affected computers and servers. Two copies should be made: a 'control' image that can be preserved, for legal purposes if required, and a 'working' image that can be interrogated.
2. Damage limitation
It is critical to ensure that, whatever cybercrime has been perpetrated against your business, and whatever loss has been suffered, the problem is immediately and successfully contained:
- Immediate steps: Consider what, if anything, needs to be done in order to stop the attack from spreading or being repeated. Of crucial importance is denying the transmission of further data from the perpetrator. Measures can include network isolation and traffic blocking, filtering and rerouting.
- Records: Ensure that a full record is kept of all damage suffered, financial loss incurred and all responsive measures taken.
3. Get help
Cybercrime matters are often highly complex as well as resource- and time-intensive. Consider obtaining IT and legal expertise to support your business's efforts in dealing with the problem:
- IT forensics: IT forensics experts can review your IT systems to identify compromised information and can preserve and handle digital evidence to assist with legal remedies and recover losses.
- Legal assistance: All forms of cybercrime can result in substantial losses, reputational damage, business disruption, aggressive creditors and criminal actions. We can help to plan and manage the investigation, protect your company's rights, especially if the cyber-attack may leave your business vulnerable to legal or regulatory penalties and seek to trace and recover funds where possible.
4. Report the attack
Consider who you may need to report the attack to, and at what stage:
- Action Fraud: All cases of cybercrime should be reported to Action Fraud, who will in turn inform the National Fraud Intelligence Bureau and provide a police crime reference number.
- Bank: In the case of financial loss from bank accounts, consult your account provider to immediately protect your cash accounts and start a fraud investigation.
- Insurers: Check whether you have any insurance cover in respect of losses resulting from cybercrime and, if so, notify the insurer accordingly.
- CIFAS: If you are worried that your personal details have been stolen, it is possible to apply to CIFAS for protective registration, notifying others that you have been at risk ensuring more checks are undertaken should any applications be received in your name.
- Regulator: Consider whether you are under a legal or regulatory obligation to inform your industry regulator and/or the Information Commissioner’s Office (where personal data may have been accessed or obtained).
5. Conduct a post-incident review
Once the matter has been dealt with, do not simply move on. Carefully consider the following:
- IT protections: Consider if the business’s IT network and cyber-protection measures were sufficient and up to date. Have specific weaknesses been identified? How were they exploited by the fraudsters? How can this be prevented from occurring again? Have wider weaknesses been identified? If IT is outsourced, ensure that there is an open dialogue with the provider to understand how the system works, and demand change if necessary.
- Incident response: How well did the business deal with the incident? Did the business have an incident response plan for such a scenario? How could the conduct of the investigation be improved in the future?
- Training: Look at your internal training programme to ensure all staff remain vigilant to the different types of cybercrime threats faced by the business and that they are clear on their obligations to report suspicious activity internally.
- Intelligence: Consider how best to arm your business with appropriate counter-cybercrime intelligence. For example, consider signing up to the Cyber Information Sharing Partnership (CiSP) to stay up to date with threat information.
- Record: It is vital to ensure that you keep a record of all the actions you have taken and of the bodies and organisations you have contacted and when you have done so.
How can Burges Salmon help?
If you would like help or advice, please contact David Hall or another member of our Business Crime and Regulatory Investigations team.
This article was written by Sam Aldous.