As the UK remains subject to strict measures amid the COVID-19 pandemic, the National Crime Agency (NCA) has identified a surge in ‘coronavirus-themed’ malicious apps, websites, phishing emails and messages that seek to steal confidential or sensitive information. The Chartered Trading Standards Institute has even suggested that the UK has been the most severely targeted country for COVID-19 related phishing emails.
Whilst the Government recently warned about cyber criminals specifically targeting vulnerable individuals and organisations involved in the pandemic response (such as healthcare organisations), the National Cyber Security Centre (NCSC) has warned that businesses of all sizes are vulnerable to attack.
To help, Sparqa Legal have taken a look at how businesses can identify and address potential cyber vulnerabilities when employees are working from home:
What should businesses be looking out for?
In joint advisories published with the United States, the UK’s NCSC has identified the following key types of COVID-19 cyber attacks:
1. Phishing
Email, SMS, or WhatsApp messages with COVID-19 related content that lure people to click on links to phishing websites that steal personal or financial information.
2. Malware distribution
This will usually be an email asking readers to open an attachment or download a file, which contains malware or ransomware and therefore compromises their device. These targeted campaigns often appear to come from official sources.
3. Registration of new domain names
Phishing emails or messages may encourage people to click on links to websites that will take them to a ‘spoofed login’ page designed to steal user credentials.
4. Attacks on remote working systems
With a majority of people working remotely, cyber criminals are exploiting vulnerabilities in systems such as Virtual Private Networks (VPNs) and videoconferencing apps, for example by sending emails with links to malicious files that appear to be links inviting someone to join a call.
5. Password spraying
Malicious cyber groups try commonly used passwords (e.g. passwords based on the company name or the month of the year) against many accounts to gain access to and compromise them.
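Because spraying tries a few common passwords against many accounts, per-account lockouts rarely fire; the signal defenders look for is one source address failing against many different usernames in a short window. The script below, added here as an illustration and not part of the original article, runs that check over a constructed authentication log (the log format, addresses and usernames are made up for the example):

```python
"""Added example (not from the article): flag password spraying in auth logs.
Spraying tries a few common passwords against many accounts, so per-account
lockouts never trip; the signal is one source failing against many users."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log, format: "<ISO time> <OK|FAIL> user=<name> src=<ip>"
SAMPLE_LOG = """\
2020-04-20T09:00:01 FAIL user=alice src=203.0.113.9
2020-04-20T09:00:03 FAIL user=bob src=203.0.113.9
2020-04-20T09:00:05 FAIL user=carol src=203.0.113.9
2020-04-20T09:00:07 FAIL user=dave src=203.0.113.9
2020-04-20T09:00:09 FAIL user=erin src=203.0.113.9
2020-04-20T09:00:11 OK user=frank src=203.0.113.9
2020-04-20T09:05:00 FAIL user=alice src=198.51.100.7
2020-04-20T09:05:01 FAIL user=alice src=198.51.100.7
2020-04-20T09:05:02 FAIL user=alice src=198.51.100.7
2020-04-20T10:30:00 FAIL user=gina src=192.0.2.44
"""

def parse(log_text):
    """Return (timestamp, result, user, src) tuples, skipping malformed lines."""
    events = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        fields = dict(p.split("=", 1) for p in parts[2:])
        events.append((datetime.fromisoformat(parts[0]), parts[1],
                       fields["user"], fields["src"]))
    return events

def detect_spray(events, window_seconds=600, min_users=5, max_per_user=3):
    """Map each spraying source to the accounts it failed against: within one
    time bucket, at least min_users distinct users, none tried more than
    max_per_user times (many accounts, few tries each = spraying)."""
    buckets = defaultdict(lambda: defaultdict(int))  # (src, bucket) -> user -> fails
    for ts, result, user, src in events:
        if result == "FAIL":
            bucket = int((ts - datetime(1970, 1, 1)).total_seconds() // window_seconds)
            buckets[(src, bucket)][user] += 1
    findings = {}
    for (src, _), counts in buckets.items():
        if len(counts) >= min_users and max(counts.values()) <= max_per_user:
            findings[src] = sorted(counts)
    return findings

def compromised_accounts(events, findings):
    """Accounts that then logged in successfully from a spraying source."""
    return sorted({u for _, r, u, s in events if r == "OK" and s in findings})
```

Note that the single account hammered from 198.51.100.7 is not flagged: that pattern is brute force, which account lockout already handles, whereas spraying needs the cross-account view shown here.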
What steps should you be taking to protect your business?
So what steps should you take to protect your business from the myriad of potential cyber attacks?
1. Review your policies and procedures
There are numerous HR policies that your business can put in place to help to safeguard against potential cyber attacks. Although these are not strictly legally required, they are best practice and can help you to streamline your processes.
An official working from home policy can set out your expectations for your staff, including in relation to data security and confidentiality. It will also be beneficial for you to have a separate data protection policy summarising the duties your staff are under when they are dealing with personal data, including ensuring that it is always processed securely.
An IT security policy can set out requirements relating to passwords, the physical security of devices and protocols around installing software. If you already have an IT security policy, you should review it to make sure it is fit for purpose and take into account that the NCSC encourages the use of two-factor authentication wherever possible.
If you allow staff to use their personal devices whilst working remotely, consider a ‘bring your own device’ policy to address the additional security risks. This will help you to ensure that staff appropriately secure those devices and protect your business’s sensitive information.
It is also sensible to have a personal data breach policy outlining your business’s response plan if a data breach occurs following a cyber attack.
2. Check your remote working systems
If your business is used to having staff work from home, check that your remote working systems have the most recent security patches applied and that firewalls are in place and up to date.
If remote working is new to your business, double check that the systems you set up are fit for purpose and have appropriate and up-to-date security functions (e.g. ensuring that virtual meetings require password entry).
3. Provide training and support for staff
Individuals are often a key target of cyber crime, so make sure your staff are aware of the risks to look out for. It is a good idea to recirculate your policies, refresh their training on relevant security procedures and circulate specific examples of COVID-19 cyber attacks.
Make sure your staff know what to do if they identify a cyber attack or they think there might have been a data breach.
Your staff will also still need IT support whilst working remotely, so check whether your normal services will continue and make sure all staff are updated if there are any changes. If support is readily available, IT vulnerabilities are likely to be identified sooner.
4. Back-up work
Make sure staff are backing up their work regularly and saving it separately from the original (e.g. by using a cloud service). All back-ups should also have strict security measures in place; for example, access should be limited to specific people within your business.
If important data is backed up, you won’t lose it if devices are lost or stolen and you can protect your business from ransomware attacks (which make your systems or data unavailable until you pay a ransom). This article explains some different Data Back Up Solutions.
5. Secure your devices
There is a greater risk of work devices getting stolen when they’re being used outside the workplace, so make sure you take steps to secure them. This includes making sure that encryption is turned on and that you can remotely lock devices and erase or retrieve data that is stored on them.
If staff are working on their own devices, make sure they know how to save work remotely, check that their antivirus software is up-to-date and remind staff to ensure the physical security of their work by locking their screens when they are not working.
6. Remember GDPR
Any data that your business handles that contains personal information will trigger data protection law, and you must always remember your GDPR obligations.
If there has been a personal data breach due to a cyber attack (i.e. a breach leading to the destruction, loss, alteration, unauthorised disclosure of or access to personal data) and that breach carries some risk to individuals, you will have to notify the ICO (Information Commissioner’s Office) within 72 hours of becoming aware of the breach.
You may also need to notify affected individuals. Even if you do not need to report the breach to the ICO (because you don’t think there is a risk to individuals) you should keep a written record of it.
These legal obligations are a reminder of the importance of businesses having suitable cyber security policies in place to ensure that they can both protect their business from attack, and comply with their legal obligations if an attack does occur.
About the author
This guide has been written exclusively for ByteStart by Francesca Mundy, Lawyer and Senior Legal Editor at Sparqa Legal, an online platform providing expert legal guidance and autogenerated documents for all businesses. Founded by a team of senior barristers and tech executives, Sparqa Legal is on a mission to make law accessible and recently launched the Sparqa Post to provide free expert advice to SMEs on all their legal needs.
The content in this article is up-to-date at the date of publishing. The information provided is for information purposes only, and is not for the purpose of providing legal advice.