Covid-19 related security attacks have taken a number of forms, including credential phishing, malicious attachments and links, business email compromise, fake landing pages, downloaders, spam, malware and ransomware strains and phone scams. In a time where most people are having to rely on e-commerce, people have fallen victim to online shopping scams and fake cloned pages, where they have ordered protective face masks, hand sanitisers and other products that are never delivered. Cyber criminals have gone as far as impersonating the World Health Organization and even the U.S. Centers for Disease Control and Prevention. Further, cases have been reported of criminals posing as neighbors, health care professionals and even council officials, stealing bank information from the elderly under the pretence of helping them.
Amidst all of this, there is growing concern for the essential services sector, which needs to function seamlessly even through lockdowns. A number of deeply disturbing campaigns have emerged that appear to target critical health care, manufacturing and pharmaceutical industries. Security companies have even observed a campaign originating from the 'advanced persistent threat' group TA505 (considered to be one of the more significant financially motivated threat actors currently operating) using coronavirus-themed lures in a downloader campaign. Downloaders are particularly dangerous threats because, once delivered and installed, they can fetch and run additional malware. Other campaigns reported include emails offering coronavirus cures or vaccines in exchange for payment.
Mindful of the dire consequences of security attacks, the European Union Agency for Cybersecurity (ENISA) has published a report advising operators of essential services as well as digital service providers on the process of identifying appropriate security measures based on the provisions of the General Data Protection Regulation (GDPR) and, importantly, the Network and Information Security Directive (NISD). This is in addition to the guidance ENISA has previously published to support the NISD, which identified various measures that operators of essential services and digital service providers should undertake. Some of these measures include establishing and maintaining a sound information security policy, assigning security roles among staff, providing security training, establishing controls for accessing information and having appropriate incident handling and disaster recovery procedures. ENISA has even developed a tool that maps security measures for operators of essential services to international standards, available through an online platform dedicated to such operators.
The NISD lays down "measures with a view to achieving a high common level of security of network and information systems within the EU". Operators of essential services must comply with several binding provisions defined in national law. To aid compliance, the UK's National Cyber Security Centre (NCSC), created to keep the UK safe online, has published its Cyber Assessment Framework, which provides guidance to operators of essential services, setting out 14 cyber security and resilience principles and how to use and apply them. These serve four objectives: a) managing security risk, by ensuring organisational structures, policies and processes are in place to understand, assess and systematically manage security risks; b) protecting against cyber attack, by ensuring measures are in place to protect network and information systems; c) detecting cyber security events, to ensure security defences are effective and that actual or potential cyber security events are detected; and d) minimising the impact of cyber security incidents through response and recovery planning and learning from such incidents.
During the current period, the NCSC is urging businesses and the public to consult its online publications, including 'How to spot and deal with suspicious emails' and 'Mitigate and defend against malware and ransomware'. It is also taking measures to automatically discover and remove malicious sites that serve phishing pages and malware.
In an additional attempt to safeguard the public from cyber criminals, the Information Commissioner's Office, along with the Surveillance Camera Commissioner, has updated the data protection impact assessment template. The update further protects the public against unnecessary intrusion by those who operate surveillance cameras in public places.
It is important to step up awareness of digital security during this time and to be extra wary, especially for operators of essential services. Organisations should remind their staff of information protection policies and practices and support them appropriately, so that staff also become the front line against cyber security attacks. We recommend that organisations increase the monitoring of their critical data and information security systems. Organisations, particularly those in the essential services sector, should also continue to monitor both their compliance and the threats to their security.
In relation to working from home, organisations should remind staff to be extremely careful when clicking on links. ENISA has published its top tips for cybersecurity when working remotely: a secure WiFi system, fully updated anti-virus software, caution while working in a shared space, installing appropriate encryption tools and backing up data periodically.
Criminals will continue to leverage coronavirus as the crisis develops globally; everyone must continue to build resilience strategies and remain vigilant. While most people's attention is on keeping the virus at bay and stopping its spread, it is important to also keep cyber attacks at bay. Organisations face various obligations if they suffer a security breach, from reporting obligations under the national implementing legislation of the EU Member States under the NISD and/or the GDPR to obligations arising from potential damage to the organisations. Stay diligent and stay safe!
Our Reed Smith Coronavirus team includes multidisciplinary lawyers from Asia, EME and the United States who stand ready to advise you on the issues above or others you may face related to COVID-19.
For more information on the legal and business implications of COVID-19, visit the Reed Smith Coronavirus (COVID-19) Resource Center or contact us at COVID-19@reedsmith.com.
Client Alert 2020-042