Various threat intelligence sources have reported an ‘explosion’ of COVID-19-themed attacks, including:
- Phishing attacks, in which malicious emails offer supposedly important health advice and government guidance, exploiting people’s desire for more information about the disease & the latest developments.
- Targeted spear-phishing attacks, which claim to be communications from colleagues sent to people now working from home.
- Phoney websites which appear to provide medical or other virus-related advice.
Most of the reported incidents involve malware or social engineering techniques that trick users into downloading ransomware and/or giving up their login credentials.
The extent to which more capable groups may be exploiting the current turmoil remains unquantifiable.
Initial speculation suggested that cyber-criminals would focus on healthcare providers & other critical services, including online food delivery services & collaborative working platforms. Whilst this remains a concern, no large increase in such attacks has so far been perceived (some hacker groups have even made public statements that they will ‘not be targeting healthcare providers’).
The large-scale move to home working has inevitably increased companies’ vulnerability:
- Staff working in a less familiar environment may be more vulnerable to manipulation by cyber-criminals.
- Processes & controls could be weakened as staff numbers are reduced & working patterns change.
- Many companies whose staff have to work from home may not have the same level of protection, e.g. firewalls and active threat management & detection, that they had in their offices. This is likely to be a particular problem for those who do not use Virtual Private Networks (VPNs).
- Increased home working also places greater pressure on IT departments. In the short term this can delay both the identification of & the response to security breaches. In the longer term it may reduce the organisation’s resilience to cyber threats, particularly if routine jobs such as patching are delayed because of new resource constraints.
Some Legal Vulnerabilities
The legal issues arising from data breaches have been described as:
- Data protection & other regulatory risk arising from loss of personal data;
- Privacy claims brought by data-subjects;
- Commercial disputes with customers and/or third-party service providers regarding responsibility for incidents.
Guidance from the Information Commissioner’s Office (ICO):
- The ICO will not change the 72-hour deadline to notify a data breach or the rules on responding to subject access requests. However, it will exercise its discretion not to penalise organisations that can show a good reason for being unable to comply during the pandemic.
- Although organisations may have more staff homeworking than normal, this should not result in any relaxation of the security standards that would apply to homeworkers in normal circumstances.
- The ICO has issued additional guidance on the collection & sharing of health-related personal data, making clear that it will take a ‘broader view’ of information sharing by public bodies for the purpose of protecting against serious threats to public health.
The rules themselves remain as before; however, the ICO has indicated that it is prepared to be ‘pragmatic’ & to allow businesses a degree of flexibility given the current situation. Businesses should nonetheless continue to try to meet the required standards.
A key message appears to be that the ICO will not penalise businesses which can show that they are well managed, had taken appropriate technical & organisational measures before the incident, & then acted promptly & responsibly in response to it.
The risk of enforcement will remain considerable where an incident raises concerns about the organisation’s underlying approach to data security, or where organisations use the pandemic as an excuse for inadequacies in their procedures or response.