COVID-19: Now Infecting Cybersecurity
This article analyzes examples of some of the most recent cybercrime attempts (either through phishing scams or VPN intrusions) and offers recommendations for how to mitigate risk.
April 10, 2020 at 11:45 AM
In the blink of an eye, COVID-19 has taken center stage in almost every facet of operations in governmental offices, businesses, schools and homes in the world. And the ripple effects of this pandemic are invading more than our home lives and the economy. This crisis has required most of the country's work-force to reinvent operations and has required every non-essential worker to work from home. It is in this type of paradigm shift that cybercriminals look for opportunity. In the wake of the COVID-19 outbreak and response efforts, there has been an escalation of cybercrime and cyber intrusion attempts. While we each adjust to this new way of life and, more importantly, help our clients adapt, it's important that we remain vigilant. Below are examples of some of the most recent cybercrime attempts (either through phishing scams or VPN intrusions), as well as recommendations for how to mitigate risk.
Phishing for Something New
To begin, phishing emails have evolved to adjust to the virus outbreak and response efforts. We long for the days where the most threatening phishing email is from a fake email address purporting to be from the CEO of a company "needing immediate assistance." Instead we are hit with new and various waves of malicious emails in the form of phishing attacks that even the most sophisticated recipient could fall prey to in light of the speed at which business is transacting and reacting, and the shift to working from home.
Recently, the FBI issued a warning related to fake emails purporting to be from the Center for Disease Control (CDC) or other health care organizations, but the attachments or links within the body of those emails contain harmful malware or malicious ransomware that could cripple your organization. Other examples of new phishing scams include emails pretending to be from a company's Information Technology department with instructions for setting up computers for remote working, or from co-workers that appear as though they have a link to an internal database document but instead link to a domain outside of the company's network intended to unleash malware that could infiltrate the company's network within seconds.
Still prevalent are phishing scams purporting to come from human resources. These scams have also adapted to take advantage of the new paradigm, now claiming to attach guidelines for safe distancing or revised work schedules. A closer look at the email address of the sender, however, would reveal that this is not from the company's domain address. Here again, the attachment might instead include ransomware intended to hold an organization's data or computer systems hostage until a ransom is paid (usually in the form of Bitcoin, which is generally untraceable once paid). Compounding this risk, consider that hospitals and other health providers have been consistent targets for ransomware attacks. The impact such a ransomware attack could have on any of the mission-critical hospitals currently working so hard to treat the incredible volume of COVID-19 patients is indeed frightening. Also concerning is the thought of malware infecting a computer system that life-sustaining ventilators rely on, because software was missing a security patch or was a version behind on a hospital network. If there is a silver lining in the fact that our healthcare system has consistently been such a popular target of ransomware attacks and other cybercrimes, it is that our hospitals and healthcare facilities are better prepared and more vigilant than ever to deter such attacks or, at least, mitigate the damage stemming from such attacks.
What's an Organization To Do?
Now is the time to reconsider your information security plan, business continuity plan, and disaster recovery plans to evaluate if enough safeguards are in place. For example, does the business continuity or disaster recovery plan include a pandemic response plan? As many companies are learning now, how one responds to a pandemic might be very different from how one responds to other more common disasters.
Not only do many applicable data privacy and security laws require such diligence, including New York's SHIELD Act (cybersecurity mandate effective March 21, 2020), but proper information security and business continuity plans mitigate the impact of an attack on an organization. This is not a simple box-checking exercise. Remaining current on information security and business continuity plans may be the difference between continuing operations remotely or having to completely shut down as a result of a successful malware or ransomware attack. Remember, "Compliance Does Not Equal Security." Compliance is only a segment of a suitable cybersecurity program.
Time for Mitigation
So what else can an organization do to mitigate some of these risks and vulnerabilities? To start, refresh training content and retrain employees to remain vigilant, including training on the newest trends and, as always, to pay close attention to the details in every email. Even if it takes more time to review and/or respond to the email than one might prefer, the diligence is warranted. Train employees to expand the sender's name to confirm it is a legitimate sender. If it is an email from a known vendor or customer requesting an important change (e.g., account for wiring purposes), advise employees to call the vendor or customer using already known contact information (and not contact information from the email) to confirm they are requesting this change. It is far less risky to make that call than to blindly make such a change. Consider developing relevant procedures to ensure such matters are consistently handled properly.
Simply put: Vigilance, absolute vigilance, is key. While many employees are more adept at spotting a phishing email that purports to be from their CEO asking for assistance, we need to retrain them to spot this new round of phishing attempts, such as those allegedly from Human Resources, Information Technology or even an outside vendor or customer offering advice or reporting a problem amid COVID-19 concerns.
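The two checks described above (does an internal-sounding sender actually use the company's domain, and do links stay inside it) can also be automated at the mail gateway. The following Python code is an added example, not part of the original article; the company domain `example.com`, the list of internal-sounding display names and the sample message are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

COMPANY_DOMAIN = "example.com"  # assumption: the organization's mail domain
# Assumption: display names an attacker might borrow to look internal.
INTERNAL_NAMES = ("human resources", "hr", "information technology", "it", "help desk")

# Constructed sample message for illustration, not a real phishing email.
SAMPLE = """\
From: "Human Resources" <hr@example-benefits.net>
To: employee@example.com
Subject: Revised work schedule and safe distancing guidelines
Content-Type: text/plain

Please review the revised schedule on the internal portal:
https://intranet.example.com.docs-share.net/schedule
Questions? See https://hr.example.com/faq
"""

def in_company(host):
    """True only for the company domain itself or a genuine subdomain of it."""
    host = (host or "").lower().rstrip(".")
    return host == COMPANY_DOMAIN or host.endswith("." + COMPANY_DOMAIN)

def review(raw):
    """Return a list of findings for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    findings = []
    # "Expand the sender's name": compare the display name with the real address.
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2]
    if not in_company(sender_domain):
        words = re.sub(r"[^a-z ]", " ", name.lower())
        if any(re.search(r"\b%s\b" % re.escape(n), words) for n in INTERNAL_NAMES):
            findings.append("internal-sounding name from external domain: " + sender_domain)
    # Links that look internal but resolve to a host outside the company domain.
    body = msg.get_payload()
    for url in re.findall(r"https?://[^\s<>\"']+", body if isinstance(body, str) else ""):
        host = urlparse(url).hostname
        if not in_company(host):
            findings.append("link leaves company domain: " + str(host))
    return findings

if __name__ == "__main__":
    for finding in review(SAMPLE):
        print(finding)
```

The suffix comparison in `in_company` is what catches the look-alike host: `intranet.example.com.docs-share.net` contains the company name but does not end in it.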
Additional safeguards, though slightly more technical in nature, include ensuring that networks, including Virtual Private Networks (VPNs), are current and that all patches have been deployed with updated security configurations. As VPNs allow access from outside of a network, it is critical to maintain proper multi-factor authentication for all VPN access to networks, especially with the dramatic growth of employees working from home. Consider also how rights are provisioned to users. Ideally, computer systems should be designed by the principle of least privilege, meaning that the access rights of each user are reduced to the bare minimum permissions they need to perform their work.
Taking safeguards to the next level, organizations should consider restricting VPN access only through company-issued internet communication channels, such as MiFi cards or other company-issued devices with data plans. This measure would tighten security even further. While home networks are typically more secure than public networks, there are still likely more vulnerabilities in a home network environment than in an organization's network. For example, while an employee may be diligent about the websites and apps they use, the other members of their family may not be. The use of apps like Facebook, TikTok, YouTube, Snapchat and similar social media platforms invites risk. These types of sites are known for vulnerabilities and providing a conduit for cyber intrusions. If such apps or websites are accessed on a shared home WiFi network, a door could be opened to a company's network that otherwise would have never been accessible.
Cyber Survival in the COVID-19 Pandemic
In sum, the COVID-19 pandemic continues to have a devastating ripple effect around the world, across the United States and locally. Direct loss and economic hardship aside, this crisis has unfortunately created more vulnerability in cyber frameworks, which should not be taken lightly and should instead become a priority for organizations, even in the midst of this pandemic. Take the steps outlined above to mitigate those risks and endeavor to overcome this pandemic with minimal impact on your information technology systems and data security.
Jessica L. Copeland is co-chair of the cybersecurity and data privacy practice group of Bond, Schoeneck & King in Buffalo and New York City.