In our latest article, our Cyber Security Consultant, Adam Foody explains why UK businesses reacting to COVID-19 may inadvertently be exposing themselves to serious data loss, and what can be done to prevent it.
In the midst of the COVID-19 pandemic sweeping the globe, there is a perception that the economy has all but closed down and is waiting for the emergency to pass in the coming months. In reality, businesses are still operating (albeit many in a reduced capacity) in extremely challenging circumstances and with new risks to manage and control. Risks such as supply chain delays, lack of labour, diminished cashflow, and restrictions on the physical movement of people are just some of the challenges being faced. Another is the considerable increase in the likelihood of a cyber security breach from a range of different sources. In this article, we will consider two of these – the serious risk of data breaches as a result of switching to a distributed homeworking model, and the exploitation by cyber criminals seeking to take advantage of the disruption caused by COVID-19.
Adam Foody – Cyber Security Consultant
The serious data breach risks of homeworking
For small, medium, and large businesses, offices are designed to ensure the protection of physical and intangible assets. The latest networking technology, including firewalls, real-time threat detection systems, and point-to-point encryption, ensures that end users and clients are protected from cyber threats. But when businesses are forced to rapidly disband from their secure offices and switch to a homeworking model, there is a real risk that some of this protection is lost.
Businesses invest large amounts each year in their IT infrastructure to ensure client devices are locked down and secure. There is a serious risk that, in allowing the use of personal devices, workers may download sensitive data or inadvertently leave unprotected copies of information behind, which may constitute a data breach. Whereas business devices are typically encrypted, both in terms of data held on the hard drive and the inbound and outbound transmission of data, this is unlikely to be the case with a consumer-level home computer. The use of personal devices, whether mobile phones, tablets, or computers, for work purposes should be prevented. Instead, remote workers should be provided with company devices installed with the same tools and protection as are available within the office, and with secure VPN network connectivity.
Data storage is also a key consideration. Whereas businesses invest heavily in secure network storage, it may be tempting to revert to free cloud-based options as a stop-gap solution for home workers. Using storage platforms such as Dropbox and Google Drive may be fine for personal use, but for the storage of sensitive business data they should not be an option.
Other risks to consider when home working include the potential for client records and personal details to be breached as a result of leaving physical files and paperwork unsecured, and phone calls being held where sensitive information may be overheard. Also, the considerable popularity of online video conferencing services such as Zoom has highlighted the potential for business meetings to be hacked. In the case of Zoom, which has garnered an enormous user base in recent weeks, including among high-level government officials, there is some question over whether, despite being marketed as such, it provides secure end-to-end encryption, and whether user data is being sold to Facebook. Businesses must ensure that workers are not using homeworking and communication tools of their own choosing. Rather, homeworking policies and procedures must be updated to mandate the use of specific platforms and tools which your business has verified as secure.
Malicious cyber security threats increasing due to COVID-19
There are always unscrupulous individuals who will seek to take advantage of human suffering and economic turmoil. Over 500 COVID-19 related scams and over 2,000 phishing attempts have now been reported to UK investigators, resulting in the theft of £1.6m. While many attacks are focused on individuals, businesses are just as much at risk. The National Cyber Security Centre (NCSC) has already issued guidance warning businesses to train workers on how to spot the signs of a phishing scam. Criminals have already realised that companies are circulating new guidance to workers in relation to COVID-19. Some have launched phishing attacks with emails purporting to be from the employer, containing links to ‘new guidance’ which may then request that the individual enter their company username and password.
Businesses need to prepare for an increase in this type of phishing attack by boosting the level of cyber security training to users, implementing tighter controls on access to company systems (including requiring more frequent changes of passwords), and actively looking for signs of possible data breaches.
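As an added illustration of the "new guidance" phishing pattern described above (example code written for this article, not part of the original text or any Lineal tooling), the following Python script applies two simple defender-side heuristics to an inbound email: does every link in the body point at a host under the employer's own domain, and does the body ask for a username or password? The employer domain and both sample messages are constructed assumptions; a real mail gateway would combine checks like these with SPF/DKIM/DMARC results, since the sender address in the suspicious sample is simply spoofed.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Assumed employer domain for the example (not taken from the article).
COMPANY_DOMAIN = "example-employer.co.uk"

# Constructed sample messages. The first mimics the pattern in the article:
# a mail claiming to be from the employer, linking to "new guidance" that
# asks for company credentials. The hostname is a look-alike: it *starts*
# with the company domain but is actually registered elsewhere.
SUSPICIOUS_MAIL = """\
From: HR Department <hr@example-employer.co.uk>
Subject: New COVID-19 guidance - action required

Please review the new guidance and confirm with your company username and password:
http://example-employer.co.uk.login-portal.example/guidance
"""

LEGITIMATE_MAIL = """\
From: HR Department <hr@example-employer.co.uk>
Subject: Updated homeworking guidance

The updated policy is on the intranet:
https://intranet.example-employer.co.uk/policies/homeworking
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")
CREDENTIAL_WORDS = ("username", "password", "log in", "login", "sign in", "verify your account")


def is_company_host(host):
    """True only if host is the company domain or a real subdomain of it.

    Using endswith('.' + domain) defeats look-alikes such as
    'example-employer.co.uk.login-portal.example', which merely start with
    the company domain.
    """
    host = host.lower().rstrip(".")
    return host == COMPANY_DOMAIN or host.endswith("." + COMPANY_DOMAIN)


def assess_message(raw):
    """Return a dict with the findings and an overall risk level."""
    msg = message_from_string(raw)
    body = msg.get_payload()          # simple, non-multipart sample messages
    findings = []

    external_hosts = []
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        if not is_company_host(host):
            external_hosts.append(host)
    if external_hosts:
        findings.append("links to non-company host(s): " + ", ".join(external_hosts))

    asks_for_credentials = any(w in body.lower() for w in CREDENTIAL_WORDS)
    if asks_for_credentials:
        findings.append("body requests credentials")

    # A credential request combined with an off-domain link is the classic
    # credential-harvesting shape; either signal alone still merits review.
    if external_hosts and asks_for_credentials:
        risk = "high"
    elif external_hosts or asks_for_credentials:
        risk = "medium"
    else:
        risk = "low"
    return {"risk": risk, "findings": findings, "external_hosts": external_hosts}


if __name__ == "__main__":
    for label, mail in (("suspicious", SUSPICIOUS_MAIL), ("legitimate", LEGITIMATE_MAIL)):
        result = assess_message(mail)
        print(f"{label}: risk={result['risk']}")
        for f in result["findings"]:
            print("  -", f)
```

The point of the look-alike hostname in the sample is that a naive check such as `"example-employer.co.uk" in url` would pass it; matching on the registered domain at the end of the hostname is what catches it.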
One of the challenges is that cyber criminals are seeking to exploit the fears and good nature of individuals by asking them to donate, offering cures, offering easy money, and charging fake fines for breaching social distancing rules. Unfortunately, an employee clicking on a malicious link may result in sensitive data loss, malware infection, loss of corporate IP, or ransomware attacks, which in turn can lead to large fines, business interruption, and loss of competitive advantage.
All businesses are facing an unprecedented set of challenges in the wake of COVID-19. This does not, however, provide a licence for complacency when it comes to data protection compliance. All business directors must remember that the GDPR (General Data Protection Regulation) sets a maximum fine of up to €20 million or 4% of annual global turnover, whichever is greater, for data breaches.
While it may be challenging due to remote home working, we recommend that all businesses increase their cybersecurity risk assessments and measures, given the potential unmanaged vulnerabilities which may now exist as a result of reacting to COVID-19. Doing so will ensure that your business is better able to weather the storm and is not faced with any unnecessary fines, legal action, or other commercial threats which it could well do without.
Lineal is a data services organization leveraging AI and process-driven workflows to solve discovery, privacy, compliance, DSAR, conversion, and cyber issues for law firms and corporations. To find out more about our services, please call us on +44 (0)20 7940 4799 or email firstname.lastname@example.org.