As many businesses face major business interruption and heightened cyber risk through working from home at scale, Osborne Clarke's international Cyber team, combined with S-RM Intelligence and Risk Consulting, hosted on 8 April 2020 a webinar covering 10 key cyber security questions that companies have been asking during the current COVID-19 crisis. We have made an audio recording of that webinar available online. This document sets out a high-level summary of some of the issues discussed during the webinar.
The key security standard under the GDPR is whether companies have taken "appropriate technical and organisational measures" to protect personal data. A similar standard applies to companies that are caught by the European Directive on security of network and information systems (the "NIS Directive"). Whilst data regulators will be sympathetic to any company that suffers a data breach or cyber-attack during the Covid-10 crisis, they will be looking to see what technical and organisational measures it took to adjust security and incident response procedures to cope with new ways of working.
1. How have cyber attackers sought to take advantage of the Covid -19 pandemic?
It's too early to say whether Covid-19 has resulted in an increase in cyber-attacks but there’s certainly been a shift in targeting. Attackers are taking advantage of interest in COVID-19 and playing on fears and the desire to remain current. Of particular concern are themed phishing and malware campaigns as well as impersonation of COVID-19 authorities to quickly engage targets. The deployment of ransomware against critical infrastructure is now more critical than ever.
2. How secure are the devices that employees are using to work from home?
The rapid shift to remote working has resulted in the growth of personal devices being used for business. This is compounded by supply-chain impacts, specifically from China and India, and further so by the use of home networks, which often include poorly-secured devices and wifi networks. It’s vital to ensure that sensitive data is separated from personal IT equipment and to encourage the use of secure systems for remote work, the most effective control being dual-factor authentication. Be sure to train all users to use whatever solution is chosen.
3. Is the IT team set up to deploy remote access systems?
The readiness of IT teams to work remotely will vary from business to business. Enabling your IT team to move quickly is important to ensure the continuity of operations. Extra attention will need to be paid to shipping/ordering logistics and be sure to document lessons learned – both good and bad – to improve processes. Providing a critical security checklist for new systems and system changes can help. This is especially important if personally-owned devices are to be used. Testing all remote access systems is even more important than ever - just because remote access “works” doesn’t mean it’s working properly.
4. How will incident response be managed technically with a completely remote workforce?
Incident response playbooks should be checked to see if they can still be applied remotely. It may be necessary to draft a short-form, temporary version to deal with the current situation. Consideration should be given to how technologies are being deployed to clients if travel is suspended, whether additional infrastructure is necessary to support deployment, remote storage, and secure data transfer, how team members will coordinate response and analysis in a distributed fashion, whether the infrastructure is set up for remote use of relevant technologies, whether the same logging data will still be available, how the IT team and staff generally will communicate securely if systems go down, and how hardware such as laptops, drives, and storage devices will be moved around securely to meet staff needs.
5. How can incident response be practised remotely?
The IT team should test out its new playbooks from a technical standpoint (e.g. deployment of back-up systems). But it's also important to test out the lines of communication between the IT team and key decision-makers in other parts of the business, for example by carrying out virtual table-top exercises. It will be really important that technology enables fast and efficient communication, which will inevitably be challenged by the inability to meet face to face.
6. How should companies be exercising oversight on their staff in relation to the heightened cyber risks?
The method and style of communication to staff is just as important as the content. A lengthy email about cybersecurity may go unread by many. Consider the most important points (most likely phishing awareness and device security) but think of the most engaging way to get the message across. It’s also worth considering carrying out some phishing testing to raise awareness. Responsibility for this issue needs to be led by the board and not just the IT team. And companies need to consider bottom-up communications and not just top-down communications so that employees can raise alarms quickly.
7. What actions should companies take vis-à-vis their suppliers and contractors to minimise cyber risks?
Companies should be proactive in asking their suppliers and contractors what they are doing to bolster their cyber defences and to be able to respond remotely to incidents during these times. In many countries, such actions are required by law but companies shouldn't just sit back and rely on their contractual frameworks; they should engage with their suppliers and contractors to obtain further assurances and guarantees in this respect, including how incidents will be managed remotely. How will information be shared? Will audit rights be exercisable? Is it a controller/processor relationship or a joint controller relationship and how will this impact remote communications and incident response?
8. Do any crisis plans and policies concerning the use of information, equipment and remote working need to be amended?
Most companies will not have drafted crisis plans and info security policy documents with mass, prolonged working from home and potentially widespread illness in mind. It's important to remember that failure to apply policies is often seized upon by regulators when investigating data breaches. Whilst they may show some leniency during these times, it would be a good idea to revisit relevant crisis plans and cyber incident response plans to see whether they are fit for purpose and whether any short term additional policies need to be put in place. Many crisis plans and cyber incident response plans focus on responsibility, escalation, and communication. Companies should ask themselves how each of these elements are impacted by the current situation.
9. How will the crisis team communicate and share documents without compromising confidentiality or legal privilege?
Face-to-face meetings can be invaluable in crisis situations to avoid misunderstandings that occur via email. Whilst multi-person video calls can be a helpful alternative, they can also be cumbersome and suck up valuable time. This puts a premium on the clarity of written communications and also places into focus the need to consider legal privilege issues very early on. Use a project name to separate communications, consider a one-page summary of key issues, messages and actions to be circulated daily to the crisis team, and constantly update the fact sheet and make it available (securely) from any device. In-house lawyers should be involved as soon as possible.
10. Will the approach of European regulators be any different during the COVID -19 crisis?
Some European regulators have acknowledged the compliance challenges of the current situation. For example, the ICO in the UK was quick to acknowledge that finances and people may be diverted away from usual compliance or information governance work. However, our experience in recent weeks demonstrates that regulators continue to respond quickly to serious data breaches and will ask the usual questions. In Europe and many other companies, timeframes for reporting to regulators and data subjects are laid down by statute and so cannot be varied but regulators are likely to show leniency and so it's important to be able to explain all actions and decisions.