As the world continues to deal with the economic and operational challenges from the global COVID-19 pandemic, cyber criminals are seeking to exploit new work practices and capitalise on uncertainty. Organisations should be conscious of the general data, privacy and business risks associated with COVID-19.
In response to multiple requests from clients for guidance, the Australian cyber team have prepared a two part series of updates titled 'How to address the privacy and cyber risk facing your organisation' which provide a comprehensive roadmap of responses to frequently asked questions about how organisations should respond to COVID-19 from a privacy and cyber perspective.
- Part 1: Key privacy considerations (see here)
- Part 2: Key working-from-home business and cyber risks (below)
If you have any questions or issues that you would like us to address in further updates, please get in touch with one of the team. In particular, future updates will be focussed on "the road to recovery", with a focus on assisting organisations to endure these challenging times.
Part 2 of 2: Working-from-home business and cyber risks
Q: What are the privacy and cyber-security considerations in relation to workforces working from home?
The speed at which organisations are being forced to respond to social isolation restrictions as a result of COVID-19 could be leaving many organisations vulnerable to attack by threat actors rushing to exploit the situation.
There are increased risks associated with remote working. These generally include:
- increased risk of cyber-crime, where criminals will look to exploit changes to business environments to extract funds or personal information from employees; and
- risk of employees inadvertently disclosing personal information through using unfamiliar document storage and conference platforms.
How can these risks be managed?
While technology controls can assist with mitigating risk, increased staff awareness around cyber/data risk and developing procedures for securely sharing personal information and conducting financial transactions is critical.
In particular, employees should be advised to remain hyper-vigilant to phishing campaigns, and think twice before clicking on anything relating to COVID-19.
As a quick non-exhaustive checklist, organisations should consider implementing the following:
- Passwords – enforce complex password requirements for all email accounts and other systems used to hold sensitive data (e.g. payroll systems, HR systems or client management systems).
- Multi-factor authentication – enforce multi-factor authentication for all remote access sessions.
- Secure connection – ensure remote connections to systems are secure, including removing open RDP ports and implementing secure VPN connections where possible.
- Stress testing – where possible, organisations should be stress testing technologies and configurations ahead of time to determine if there are any unanticipated implementation gaps.
- Least privilege access management – limit access to particular systems and restrict privileges on those accounts to only those who require it to perform their role.
- Phishing awareness training – educate employees about the risk of phishing emails especially while working from home. Encourage employees to call the sender if they have the slightest doubt about the authenticity of an email.
- Cyber insurance – if appropriate, purchase cyber insurance to help address the potential costs of responding to a cyber incident.
The Australian government has prepared some helpful resources about how to manage data risk through the pandemic response:
You can also read the OAIC's guidance on conducting Privacy Impact Assessments in changed working environments, which provides a list of considerations relevant to protecting data (see here).
Q: What are the security risks associated with communication applications such as Zoom, Skype, WhatsApp and similar video conferencing software? Is communication through these programs secure, private and confidential?
Video conferencing is a useful way to remain in contact when working from home. However, video conferencing software must be used with care, as these tools increase exposure to cybercrime and inadvertent disclosure of data.
Cyber criminals are seeking to exploit the popularity of communication applications including one application in particular (which has received significant media attention). Security intelligence suggests that no one particular application is being targeted, which means that all applications should be carefully reviewed.
To reduce the threat of the above, organisations should be:
- checking what security is offered by the application provider – is multi-factor authentication offered? Is end-to-end encryption offered? Does the provider keep any metadata from your conferences (or other data)? If data is collected, how is it used?;
- reading the provider's terms and conditions to check your organisation's rights and the provider's obligations;
- ensuring your organisation has the latest security and software updates installed for the tele/video conferencing facility you use;
- holding tele/video conferences in private rooms, not shared spaces;
- password protecting access to tele/videoconferences;
- only allowing invited participants to join tele/videoconferences; and
- ensuring invitations are sent to the right people.
Critically, organisations should inform employees to:
- take extra care if they receive emails and files from unknown senders, particularly if they contain special deals or discount offers;
- look for lookalike domain names that try to impersonate legitimate ones, as well as spelling errors on websites; and
- use headphones rather than a speaker to prevent others listening in to phone calls.
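The advice above to look for lookalike domain names is the kind of check that can also be automated on the mail gateway or in a help-desk triage tool. The following script is an added example and is not part of the original update or the firm's own tooling. It assumes a constructed list of trusted domains (`example.com`, `examplebank.com.au`) and a similarity threshold of 0.8, both of which are assumptions to tune for a real organisation. It folds common digit-for-letter and letter-pair substitutions (`examp1e`, `exarnple`), catches a trusted name embedded in another domain (`example.com.evil.net`, `example-login.net`), catches near-misses by edit similarity (`exampel.com`), and flags internationalised (punycode) labels for manual inspection, since those cannot be compared by eye.

```python
import re
from difflib import SequenceMatcher

# Constructed list for this added example: the domains a (hypothetical) organisation
# expects legitimate mail and meeting invitations to come from.
TRUSTED_DOMAINS = ["example.com", "examplebank.com.au"]

# Substitutions commonly used to imitate a legitimate name: letter pairs that render
# like another letter, and digit-for-letter swaps. Pairs are folded before singles.
CONFUSABLES = [
    ("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l"),
    ("3", "e"), ("5", "s"), ("7", "t"), ("8", "b"), ("9", "g"),
]


def fold(label: str) -> str:
    """Collapse confusables and separators: 'exarnp1e-login' -> 'examplelogin'."""
    label = label.lower()
    for src, dst in CONFUSABLES:
        label = label.replace(src, dst)
    return re.sub(r"[^a-z]", "", label)


def brand_of(domain: str) -> str:
    """The organisation-specific label of a trusted domain ('example' for example.com)."""
    return fold(domain.split(".")[0])


def classify(sender_domain: str, trusted=TRUSTED_DOMAINS, threshold: float = 0.8):
    """Return (verdict, reason); verdict is 'trusted', 'lookalike', 'suspicious' or 'unknown'.

    threshold is an assumed tuning value: the SequenceMatcher ratio above which a name
    that is neither an exact fold nor an embedding is still treated as a near-miss.
    """
    domain = sender_domain.strip().lower().rstrip(".")
    labels = domain.split(".")

    # Punycode / non-ASCII labels may contain homoglyphs we cannot fold reliably.
    if not domain.isascii() or any(l.startswith("xn--") for l in labels):
        return ("suspicious", "non-ASCII or punycode label; inspect manually")

    # An exact match or a subdomain of a trusted domain is the trusted organisation.
    for t in trusted:
        if domain == t or domain.endswith("." + t):
            return ("trusted", f"exact match or subdomain of {t}")

    folded = [fold(l) for l in labels]
    # The label a reader treats as the organisation's name: the one before the TLD.
    # Approximation: multi-part public suffixes such as com.au are not parsed.
    name = folded[-2] if len(folded) >= 2 else folded[0]
    brands = {t: brand_of(t) for t in trusted}

    # 1. Same name after folding, but a different registrable domain (TLD swap, digit swap).
    for t, brand in brands.items():
        if name == brand:
            return ("lookalike", f"folds to the name of {t} but is not that domain")
    # 2. Trusted name embedded in another label (example.com.evil.net, example-login.net).
    for t, brand in brands.items():
        if any(brand in l for l in folded):
            return ("lookalike", f"embeds the name of {t} in another label")
    # 3. Near-miss by character similarity (transpositions, one dropped letter).
    for t, brand in brands.items():
        if SequenceMatcher(None, name, brand).ratio() >= threshold:
            return ("lookalike", f"near-identical to the name of {t}")

    return ("unknown", "no resemblance to a trusted domain")


if __name__ == "__main__":
    # Constructed sender domains, as might be pulled from the From: headers of a mail queue.
    for d in ["mail.example.com", "examp1e.com", "example.com.evil.net",
              "exampel.com", "xn--exmple-cua.com", "gmail.com"]:
        print(f"{d:28} {classify(d)}")
```

A verdict of `lookalike` or `suspicious` is a prompt to follow the advice above (call the sender, do not click), not proof of fraud; `unknown` simply means the domain bears no resemblance to one on the trusted list and should be judged on its own merits.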
You can read the Australian Cyber Security Centre's April 2020 guidance on the use of web conference facilities here.
Q: What should an organisation do if it suspects it has been the victim of a phishing attack?
Cyber criminals are targeting organisations and individuals with COVID-19 related material with the aim of gaining access to systems, sensitive information and money. We have previously written about the threats of COVID-19 phishing campaigns including:
- how COVID-19 phishing campaigns work;
- some of the known COVID-19 campaigns in circulation and what to look out for;
- what to do in preparation for these campaigns; and
- what to do if you think your organisation has been impacted by a phishing attack.
A link to that article is here.
Q: Are there any other risks organisations should be aware of in relation to COVID-19?
In short, the answer is yes. We have highlighted the top two risks that we have identified recently.
Distributed denial of service (DDoS) attacks
As many organisations currently depend on remote access for their day-to-day business, exposing critical services on the internet makes them vulnerable to service disruption by distributed denial of service (DDoS) attacks.
There are a number of notable recent DDoS attacks:
- On 15 March 2020, the US Health and Human Services Department was the victim of a DDoS attack. The Department's servers were overwhelmed with millions of hits designed to slow or shut them down. Fortunately the Department's infrastructure was able to weather the storm and its systems remained functional.
- On or around 19 March 2020, a German food delivery service, Lieferando, suffered a DDoS attack. The company's systems entered maintenance mode to ensure data security during the attack. Food orders were accepted but could not be processed, and Lieferando had to issue customer refunds.
Organisations should maintain a heightened state of cyber security, including testing system preparedness for operational disruption. This is particularly important for those organisations that are more reliant on their internet facing systems and platforms as a result of COVID-19.
For those that haven't done so already, organisations should be looking to implement and test DDoS protection plans.
Fake and malicious applications
Cyber criminals are also attempting to use mobile, computer and web applications to fool victims into installing spyware and other forms of malware on their devices under the guise of providing COVID-19 related information. Recently reported examples include:
- A fake application that claims to notify users as soon as anyone infected with the virus is nearby. The application locks the victim's phone and demands a ransom to lift the encryption.
- A copy of a legitimate coronavirus tracker application maintained by Johns Hopkins University – only the copy contains trojan malware.
- A fake digital antivirus application that supposedly protects against the actual COVID-19 virus. Upon installing the application, the computer is infected with BlackNET RAT malware, turning the computer into a bot ready to receive commands.
Organisations should have protections in place to prohibit the downloading of unauthorised applications on work devices. Further, organisations should be informing employees of the risks of these fake applications and not to download applications on work devices without the prior approval of the IT team.
How can we help?
Clyde & Co has the largest dedicated and rapidly expanding cyber incident response practice in Australia and New Zealand. Our experienced team have dealt with over 700 data breach and technology related disputes in recent times, including a number of the largest and most complex incidents in Asia Pacific to date.
From pre-incident readiness, breach response, through to defence of regulatory investigations and proceedings, as well as recovery actions against wrongdoers, we assist clients in Asia Pacific across the full cyber lifecycle. Our team is also highly regarded for their expertise and experience in managing all forms of disputes across sectors including advising on some of the most newsworthy class actions commenced in Australia.
Our 24 hour cyber incident response hotline or email allows you to access our team directly around the clock. For more information, contact us on:
- Australia: +61 2 9210 4464
- New Zealand: 0800 527 508
We thank Chris Chivers, Chloe Sevil, Gary Bayarsaikhan and Emily Wood for their contributions towards this series of updates.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.