COVID-19: Navigating cybersecurity risks
This article looks at how to navigate the cybersecurity risks associated with COVID-19.
We are in the midst of what looks like becoming the worst public health situation in a century. Understandably, cybersecurity is far from the top of most people’s minds. Unfortunately, for many of us, it needs to be. A number of factors linked to the current crisis have significantly increased the cybersecurity risk faced by organisations.
Covid-19 linked scams
Cyber criminals are seeking to capitalise on the disruption and employees’ fears caused by the coronavirus outbreak. There has been an increase in coronavirus-related phishing emails, some purporting to be from healthcare facilities or sellers of protective equipment (such as face masks). It is commonly observed that phishing is more likely to succeed where it can exploit individuals’ insecurity, and such insecurity is currently rife. The risk is heightened where many individuals are working from home, sometimes without the technical support and safeguards that would be in place in the office, and where many businesses will find themselves short-staffed and under pressure.
Unfortunately, there has also been some evidence of deliberate (and potentially state backed) efforts to disrupt the response to Covid-19. It was reported this week that a recent (unsuccessful) denial of service cyber-attack on the US Health and Human Services Department’s computer system was part of a campaign of disruption aimed at hindering the US response to the pandemic.
A number of previous major cyber incidents, including the WannaCry and NotPetya ‘outbreaks’ in 2017, have been linked back to alleged state-backed activity and spread well beyond their initial targets to infect institutions and businesses around the world.
In this challenging new environment, companies need to be sure their cybersecurity is up to scratch.
Employee risk and working from home
However, it is not major, newsworthy cyber-attacks that present the greatest threat to businesses managing the fallout from Covid-19. Rather, as has always been the case, human error remains the greatest risk.
It is now abundantly clear that (to the extent they have not already) ever greater numbers of companies around the world will close offices, following government advice in order to slow the spread of the virus. Home-working programmes allow for business continuity. They also significantly increase risk, as they are likely to create additional avenues for unauthorised access to company systems. For example, employees working remotely are more likely to make use of personal devices, including by forwarding company information to personal email accounts or onto unprotected devices. Such steps may appear convenient to home workers, but they significantly increase the risk of data leakage and unauthorised access.
As such, if they have not already, companies must urgently review which cybersecurity controls are in place and which need to be supplemented. At a minimum, companies should be:
- checking whether they comply with best-practice guidelines on two-factor authentication for access to company networks and webmail, and on encryption of laptops and mobile devices;
- warning employees that cyber criminals will exploit the current turmoil to increase phishing attacks. In particular, we have seen attempted phishing attacks hidden in emails regarding medical updates or “important notices” for those working remotely;
- reminding employees of existing company policies governing the acceptable use of company systems, devices and information, and issuing training and reminders where necessary; and
- for regulated companies (e.g. those regulated by the FCA), ensuring that regulatory compliance, including in relation to systems and controls, is maintained.
The National Cyber Security Centre has published a guide on preparing for home working which is available here.
Insurance
All this means that insurers of both affirmative and silent cyber risks should be paying attention. As noted above, the numbers working from home are likely to prompt significantly increased data security risks. Moreover, more employees working from home will necessarily mean far greater reliance on technology to keep businesses running. Insurers’ potential exposure to losses from opportunistic phishing attacks, IT failures or interruption of network access could increase.
The use of health data
One particular issue of note is that companies need to be mindful of privacy laws when collecting information about employees or clients that they might not previously have collected, most obviously health information and travel itineraries.
GDPR will not hinder measures taken in the fight against the coronavirus pandemic; there is a carve-out that allows for the processing of personal data where necessary to protect “against serious cross-border threats to health” (Article 9). Covid-19 certainly fits the bill. That said, the law does not stop applying, and even in exceptional times data controllers remain obliged to ensure the protection of personal data. Companies need to keep in mind the requirements of confidentiality, anonymisation, data minimisation and purpose limitation.
As such, employers should be cautious when requesting health data and, where it needs to be shared, ensure it is anonymised. Data protection authorities appear to agree that it is permissible to ask employees whether they have been infected, whether they have visited high-risk jurisdictions and with whom they have been in contact. But collecting more granular health data will be problematic. For instance, the CNIL in France has said that it is not permissible to carry out temperature checks on employees before they enter offices or meetings (albeit, with complete lockdowns in place or pending across much of Europe, the window for such measures to be applied may now have passed).
The ICO and EU Commission have both published guidance on this and related issues.