Zara Yusuf assesses the risk of cyber-crime during the Covid-19 pandemic.
As the Covid-19 pandemic continues to evolve, cyber criminals are exploiting this crisis globally for their own objectives. While there may not be an increase in the levels of cybercrime, there has certainly been a change in direction. This article will explore the shift in cybercrime that is occurring due to Covid-19, along with the methods used by the cyber criminals and the resultant legal implications for businesses.
The sudden and unprecedented shift to mass remote working has exposed many businesses to unforeseen cyber threats. Most of their activity has had to move to the digital world without the opportunity to implement all of the necessary IT security measures, thus increasing the risk of cyber-attacks. Employees are having to grapple with working in an environment that is both familiar and unfamiliar, meaning they may not be prepared or alert enough to spot Covid-19 associated phishing emails and scams. According to the UK’s National Cyber Security Centre (NCSC), cyber criminals have been ‘scanning for vulnerabilities in software and remote working tools as more people work from home during the pandemic,’ likely aided by the use of susceptible services like Virtual Private Networks (VPNs). The use of unsafe home Wi-Fi networks and personal devices, which will not have the same level of security as business devices, along with the lack of firewalls, will facilitate cyber-attacks too. While companies adapt to the situation and use cloud-based connectivity services and software as a service (SaaS), cyber criminals will be focusing their efforts on accessing these remote services by extracting the required credentials. One method used could include voice phishing, also known as ‘vishing’, whereby the cyber criminal mimics the technical support of the company in order to trick those who are not used to working from home.
Avoiding cyber-attacks is particularly important for businesses, as they need to comply with their various legal obligations, including the requirement to protect personal information, as per the General Data Protection Regulation (GDPR). It is also crucial so that these organisations are not faced with overwhelming legal liabilities. Osborne Clarke note how ‘whilst data regulators will be sympathetic to any company that suffers a data breach or cyber-attack during the Covid-19 crisis, they will be looking to see what technical and organisational measures it took to adjust security and incident response procedures to cope with new ways of working.’ In these extraordinary times, it is also unlikely that many companies will have prepared crisis plans in the event of a cyber-attack incident, and so the current situation may influence companies to consider this for the future.
A growing appetite from the public for up-to-date information about the virus has led to an increasing use of Covid-19 associated themes by cyber criminals. As per the advisory article published by the NCSC, along with an article written by Forbes, phishing emails that appear to have come from the Director-General of the World Health Organisation, but instead contain malware, are an example of scams that are being deployed. In place of the notorious ‘Nigerian Prince’ schemes, scammers are tricking individuals into giving away their credentials or downloading malicious software, in return for what they believe to be updated government guidance, fake cures or offers of face masks to fight the virus. Since the pandemic has led to huge levels of unemployment, it is likely that job-themed plots, mimicking actual job vacancies, will be utilised by cyber criminals to lure people into providing their personal details.
The change in targets by cyber criminals, who now predominantly focus on the remote working force and on the healthcare sector, illustrates how cyber-crime is heavily influenced by economic and social patterns, in this case by the Covid-19 outbreak. The way in which cyber-crime activity mirrors the movements of people and businesses also shows how intertwined technology is with our lives. The constantly present risks brought about by this connection make it clear that cyber security and educating people to avoid cyber-attacks are crucial. Post Covid-19, cyber risk management procedures implemented by organisations will likely be examined and altered accordingly.
By Zara Yusuf