Mitigating the cyber security and privacy risks from COVID-19
The spread of COVID-19 in New Zealand presents a range of additional cybersecurity and privacy challenges. As organisations implement contingency plans to protect employees and limit the spread of the virus by allowing, or in some cases requiring, employees to work remotely, businesses should be mindful of the heightened risk of data breaches and other cyber incidents – and the potential for substantial financial loss, reputational harm, and legal exposure. Although these risks cannot be eliminated, now is the time to consider reasonable, practical steps to mitigate them.
What are the heightened cyber security risks?
A surge in the number of employees working remotely can create increased network vulnerability, greater risk of inadvertent data loss, and greater financial vulnerability. These risks are exacerbated by cybercriminals seeking to exploit the unique features of the COVID-19 situation (e.g. greater use of unsecured home networks or public networks) to engage in more effective phishing and other methods to gain unauthorised access to network systems.
Increased risks can come from:
Network vulnerability from increased use of remote access
- Use of single-factor authentication and/or weak passwords by those not usually working remotely
- Greater difficulty in monitoring, detecting and preventing unauthorised activity
Data loss from removing data from the office
- An increase in employees taking electronic or other data outside the physical, secure boundaries of your office space, or turning to less secure shortcuts such as forwarding emails or documents to personal email accounts
- Use of less secure laptops or other devices at home
- Greater use of portable media to remove files from the office to make them accessible at home (but also more susceptible to theft)
Financial loss due to controls that are not feasible to follow remotely
- Employees circumventing security precautions (such as telephone confirmations to execute banking or securities transactions) because they are inconvenient or impossible to follow remotely
Increased scams and phishing attempts making use of the coronavirus outbreak
- Increasing numbers of phishing emails mentioning the coronavirus, posing as business partners or public institutions to lure recipients into opening messages that deliver malware
- Fraudulent emails made to look like a company’s purchase order for face masks, to trick employees into wiring payments to fraudulent accounts
- Fake emails purporting to provide updated health information on behalf of a public health organisation, or promising information about a company’s remote-work plan in exchange for personal details
Practical steps to safeguard against risks
As always, there is no way to eliminate the risks of a data breach or other cyber incident altogether. But there are several practical steps organisations can take right now to mitigate the risks:
- Consider consulting with IT security professionals regarding cybersecurity risks presented by increased remote work and/or changes to standard protocols and explore potential enhancements to existing security measures.
- Update antivirus and monitoring tools regularly – consider ways to remotely limit the impact of a compromised device.
- Advise and remind employees working remotely of relevant policies and restrictions – such as those around IT mobile working, acceptable device use, password creation, cyber responsibility, and information security.
- Encourage vigilance by all employees against scams and phishing attempts and opening of links or attachments from unknown or suspicious sources. Test for awareness, educate and remind all staff about cyber security best practices.
- Where possible, engage with your employees in advance of working remotely to test the relevant remote access software and applications to ensure familiarity, and address any problems or concerns now.
- Review, evaluate, and update (if necessary) incident response and business continuity plans. If large segments of a workforce are working remotely, ensure the necessary personnel, including IT and IT security, senior management (and/or Board members with the appropriate decision-making authority), external advisors, and other relevant professionals, are accessible and can be contacted quickly even if not physically in the office.
- Consider and evaluate in advance any disclosure or reporting requirements around cybersecurity risks and incidents, including potential disclosures to customers, government agencies, and, if applicable, investors.