Cyber Risk and Coronavirus: Your assets and your data may be more at risk now than ever
Cybercriminals are taking advantage of the increasing amount of time that people spend online due to the coronavirus outbreak [1]. With the volume of business conducted online, our fear is becoming their business opportunity.
Contemporary threats
We are seeing phishing emails containing links which purport to provide updates on the progress of a coronavirus vaccine or governmental guidelines but instead, once clicked on, trigger a malware upload onto your systems [2]. There is also an increase in water-holing attacks [3], in which websites that a particular group of targeted victims are prone to visit are infected with malware (or specifically created to host it), which is automatically uploaded from the website once it is accessed [4]. Since January 2020, more than 4,000 web domains relating to coronavirus have been registered across the world, of which 3% have been found to be malicious and a further 5% suspicious [5].
The banking industry has also warned of a surge in "smishing" scams as cybercriminals seek to exploit the coronavirus pandemic. Smishing involves criminals using text messages to impersonate other organisations in a bid to extract personal and financial information, or money, from victims. UK Finance has urged the public to be vigilant in the face of these scams which are being delivered via their personal or work telephones amid the lockdown [6].
Common mistakes
With working from home becoming the norm during the coronavirus pandemic, shortcuts are being taken in cyber risk management in the rush to provide employees with company laptops or remote access during lockdowns. Home networks and individuals’ home computers are usually less secure and easier for threat actors to compromise. As Target found to their cost in 2014, it may not be your system that is the source of the initial cyber-breach; instead, it may be that of your contractual counterpart, service provider or employee [7].
It is a misconception for companies to believe that cyber-threats exist only outside their organisations. The threat posed by a company’s own employees (and by extension, connected contractors and vendors) is one of the largest unsolved issues in cyber risk management and is a contributing factor in over 50% of breaches [8].
Whilst many attacks will be of limited duration, many criminals prefer to play the long game, embedding themselves in their targets' infrastructure in order to maximise the financial gain from the breach [9]. Once compromised, your exposure encompasses business interruption risk, reputational risk, legal risk (in the form of third-party claims) and regulatory risk.
What should be done?
COVID-19 has created unprecedented challenges for business, and society as a whole. However, whilst the nature of the cyber-threat may have evolved, what amounted to best practice and sound cyber-risk management before the global pandemic remains unaltered.
In short, you need a Cyber Risk Management Plan (“CRM”) that is adopted and supported from the board down. It cannot simply be a function of the IT department. There is a lot of guidance available in the public domain, with the UK Department of Transport's Code of Practice being particularly good [10]. It is easy to read, relatively concise and adopts the three pillars fundamental to good cyber-risk management, namely:
- the appointment of a Cyber Security Officer (CySO);
- performing a Cyber-Security Assessment (CSA); and
- creating and then implementing a Cyber Risk Management Plan (CRM).
The aim is not perfection; in terms of cyber-risk management that is not realistic. Just being better than the other businesses around you will significantly decrease your cyber-risk profile.
Conclusion
The number of phishing emails and other cyber threats currently circulating which relate to the coronavirus may represent the greatest concentration of cyber-attacks around a single theme ever [11]. Whilst businesses across the globe have quite rightly shut down in order to try and contain the devastating effects of COVID-19, it is crucial that you do not inadvertently shut down or compromise your cyber threat protection.
Now is not the time for most businesses to undertake a full CSA with a view to implementing a CRM; with cash-flow currently compromised, there will likely be other priorities. However, do not overlook the easy wins. Monitor your networks for unusual activity; remind your employees about good password hygiene; circulate guidance on the contemporary threats and social engineering techniques; keep your anti-virus and firewalls updated and software patched.
Like any criminal, cyber threat actors are looking for the soft target. In these most uncertain of times, take steps to mitigate your risk. Let your competitors' assets be the low-hanging fruit they look to harvest.
If you need any assistance on cyber-risk issues please do not hesitate to contact the authors, or your usual Ince contact.
Rory Macfarlane
William Tunstall-Prince
[9] https://on.wsj.com/3awo0Uw