At a recent webinar sponsored by Arete Incident Response (AreteIR) and NetDiligence, two experts in the cyber security space discussed how the coronavirus (COVID-19) is changing the way that businesses work and that, as organisations rush to move their operations online, threat actors are preparing to take advantage of this growing attack surface and any inadequate security measures implemented. Director of incident response at AreteIR, Mark Bleicher, was on hand to discuss hacker threats to the remote workforce and he noted that, despite having worked in the digital forensics and IR space for almost 17 years, the current situation is unchartered waters for everyone.
Anybody who has looked at the news over the last month has seen the crisis unfolding, he said, and now, on top of this concern, organisations are faced with the challenge of transitioning from a traditional work environment to a fully remote workforce. This comes with its own complications, particularly for industries such as insurance, legal, and finance which have typically had traditional workplaces.
“A lot of the recent [cyber] activity in the last week,” he said, “has been around taking advantage and preying on the social engineering, or the human aspect of our workers. There’s been such an increase with malicious email attachments during COVID-19.”
Law enforcement agencies have been sending out alerts since the beginning of the crisis about malicious attachments dropping ransomware, Bleicher said, and several of the main ransomware groups have even stated that they will refrain from attacking the healthcare industry during this time. Some of them have already broken that promise, he said, and certain industries are going to see a real increase in activity.
“One of the biggest challenges that I think we all need to really take a look at over the coming months is how we stay aware and protect ourselves,” he said, “and how organisations are going to protect us as workers.”
There are several key things that organisations should be keeping an eye out for as the pandemic unfolds, he noted, highlighting that individuals, as remote workers, also need to be concerned with these factors. Firstly, Bleicher said, while the situation itself is unprecedented, several industries have been working remotely for years and businesses should look to these as good examples of cyber hygiene enacted correctly.
When connecting into an organisation’s VPN, from an IP standpoint this represents an extension of the network, he said, but there are several things which must be considered including how to accommodate everyone that is moving to a fully remote workforce. Businesses must analyse the tools they use daily for collaboration, such as Zoom or Microsoft Teams, he said, to make sure they can deal with the influx of connections that will occur. The IT and information security systems of the business must be prepared, he said, and be ready to assist with support setup.
“The amount of malicious activity is increasing and it’s not going to go away… Right now, there’s a crisis that’s happening and adversaries are taking advantage of it,” he said. “One of the other things to consider too is when all this is over – what are we bringing back into the office and reconnecting? What are we introducing back into the environment?”
When it comes to cyber health and remote working, Bleicher stated, the whole picture must be considered. It is not as simple as just transitioning to remote work as there will be other effects down the road once things begin to calm down.
Partner at Orrick LLP’s privacy, cyber and data innovation practice, Shannon Yavorksy, is a leading authority on US and European data privacy and security issues and outlined during the webinar the imperative of understanding the privacy considerations that are facing firms in relation to COVID-19. So much of the containment and management of the pandemic hinges on the use of personal information, she said, to identify who’s sick, and who those individuals have been in contact with.
“It’s a balancing act,” she said, “and countries have had to make fast decisions about how to collect and use sensitive health data to curtail the impact of the pandemic while at the same time maintaining individual privacy.”
Yavorsky highlighted the specific concerns facing employers at this time and the legal landscape in Europe which must be understood for businesses to develop best practices for protecting privacy while ensuring individual safety. Businesses must look at which data protection laws they must comply with when it comes to COVID-19, she said, and assess the risks posed to public safety, and the risks to individuals, to generate a complete picture of what notice obligations it holds at this time.
Organisations must examine what consent they must obtain when it comes to collecting sensitive health data and sensitive personal information, she said, and must keep abreast of all data minimisation efforts. These concerns are relevant in both Europe, the UK and the US, she said, and businesses must understand the minimum amount of data they should be collecting and also the applications of data anonymisation and de-identification.
Data retention laws must also be considered to make sure that businesses retain this information about their employees or customer only as long as is necessary. Businesses must keep up to date with regulations as the situation is moving very rapidly, Yavorsky said, and be aware of the importance of complying with local law guidance as well as super advisory authorities.
“With that in mind, as we move forward,” Bleicher said, “I think if we all just take a deep breath and keep acutely aware [of these measures] we can get through this.