As the world continues to deal with the economic and operational challenges from the global COVID-19 pandemic, cyber criminals are seeking to exploit new work practices and capitalise on uncertainty. Organisations should be conscious of the general data, privacy and business risks associated with COVID-19.
In response to multiple requests from clients for guidance, the Australian cyber team have prepared a two-part series of updates titled 'How to address the privacy and cyber risk facing your organisation', which provides a comprehensive roadmap of responses to frequently asked questions about how organisations should respond to COVID-19 from a privacy and cyber perspective.
If you have any questions or issues that you would like us to address in further updates, please get in touch with one of the team. In particular, future updates will focus on "the road to recovery", assisting organisations to endure these challenging times.
The speed at which organisations are being forced to respond to social isolation restrictions as a result of COVID-19 could be leaving many organisations vulnerable to attack by threat actors rushing to exploit the situation.
There are increased risks associated with remote working. These generally include:
How can these risks be managed?
While technology controls can assist with mitigating risk, increased staff awareness of cyber and data risk, together with procedures for securely sharing personal information and conducting financial transactions, is critical.
In particular, employees should be advised to remain hyper-vigilant to phishing campaigns, and think twice before clicking on anything relating to COVID-19.
As a quick non-exhaustive checklist, organisations should consider implementing the following:
The Australian government has prepared some helpful resources about how to manage data risk through the pandemic response:
You can also read the OAIC's guidance on conducting Privacy Impact Assessments in changed working environments, which provides a list of considerations relevant to protecting data (see here).
Video conferencing is a useful way to remain in contact when working from home. However, video conferencing software must be used with care, as these tools increase exposure to cybercrime and inadvertent disclosure of data.
Cyber criminals are seeking to exploit the popularity of communication applications, including one application in particular that has received significant media attention. Security intelligence suggests, however, that no single application is being targeted, which means that all applications should be carefully reviewed.
To reduce the threat of the above, organisations should be:
Critically, organisations should inform employees to:
You can read the Australian Cyber Security Centre's April 2020 guidance on the use of web conference facilities here.
Cyber criminals are targeting organisations and individuals with COVID-19 related material with the aim of gaining access to systems, sensitive information and money. We have previously written about the threats of COVID-19 phishing campaigns including:
A link to that article is here.
In short, the answer is yes. We have highlighted the top two risks that we have identified recently.
As many organisations currently depend on remote access for their day-to-day business, exposing critical services on the internet makes them vulnerable to service disruption by distributed denial of service (DDoS) attacks.
There are a number of notable recent DDoS attacks:
Organisations should maintain a heightened state of cyber security, including testing system preparedness for operational disruption. This is particularly important for those organisations that are more reliant on their internet facing systems and platforms as a result of COVID-19.
Organisations that have not done so already should implement and test DDoS protection plans.
Fake and malicious applications
Cyber criminals are also attempting to use mobile, computer and web applications to fool victims into installing spyware and other forms of malware on their devices under the guise of providing COVID-19 related information. Recently reported examples include:
Organisations should have protections in place to prohibit the downloading of unauthorised applications onto work devices. Further, organisations should inform employees of the risks of these fake applications and instruct them not to download applications onto work devices without the prior approval of the IT team.
Clyde & Co has the largest dedicated and rapidly expanding cyber incident response practice in Australia and New Zealand. Our experienced team have dealt with over 700 data breach and technology-related disputes in recent times, including a number of the largest and most complex incidents in Asia Pacific to date.
From pre-incident readiness and breach response, through to defence of regulatory investigations and proceedings, as well as recovery actions against wrongdoers, we assist clients in Asia Pacific across the full cyber lifecycle. Our team is also highly regarded for its expertise and experience in managing all forms of disputes across sectors, including advising on some of the most newsworthy class actions commenced in Australia.
Our 24 hour cyber incident response hotline or email allows you to access our team directly around the clock. For more information, contact us on:
We thank Chris Chivers, Chloe Sevil, Gary Bayarsaikhan and Emily Wood for their contributions towards this series of updates.