As a result of the COVID-19 outbreak, many organizations must modify the way they do business. The pandemic and increased reliance on technology to facilitate “business as usual” pose heightened cybersecurity risks that threat actors are attempting to exploit.
Below are five key considerations for your organization to help you remain “cyber-safe” during the pandemic and beyond.
Phishing attacks. There have been numerous reports of increased phishing attacks relating to COVID-19. A common mode of attack is for the threat actor to send a phishing email purporting to be from the World Health Organization or other public health authority that invites the recipient to click on a link to receive further information relating to the pandemic or provide their personal information in order to receive notifications. Some phishing emails embed links that download malware if the recipient clicks on them. Threat actors may also look to exploit workers who are distracted or anxious and, therefore, more susceptible to clicking on a malicious link. This is a good time to remind everyone in your organization to be vigilant in identifying suspicious emails and reporting them to the appropriate IT contacts.
Vulnerabilities caused by remote working. Many organizations are transitioning to “work from home” arrangements to promote social distancing. An increasingly remote workforce may introduce vulnerabilities to your IT infrastructure as a result of employees connecting to your networks via unsecured internet connections or using their own personal devices, among other activities. Threat actors may also focus on unsecured remote desktop protocol connections or the absence of multifactor authentication (MFA) as potential attack vectors. It would be prudent to take steps to not only ensure all remote connections to your network are secure and antivirus/antimalware software is up to date, but also implement MFA as broadly as possible and remind everyone in your organization about best practices in using Wi-Fi networks.
Business email compromise (BEC). BEC is a cybercrime in which the threat actor gains control of a business email account and impersonates the executive or employee who uses that account. BEC has become a more prevalent cyber-threat and is often used to commit wire fraud by instructing an employee, supplier or other business partner to divert payments to an account that is controlled by the threat actor. A request or instruction that a wire transfer be made, rather than paying by cheque, due to a COVID-19 closure of physical premises may appear genuine. In addition, a remote work model will often be an additional barrier to checking the validity of wire transfer instructions (e.g., an employee can no longer walk over to a colleague’s desk to validate an internal request). This may leave organizations particularly vulnerable to this type of fraud. Organizations should continue to be on guard for BEC attacks and use best practices to prevent wire fraud, particularly confirming any new or altered payment instructions by telephone.
Strained IT resources. Many IT departments are busier than ever as they are meeting increased demands on technological resources and helping employees transition to remote working. Some organizations may choose to defer other IT-related projects, such as system upgrades, as other issues take precedence. You can expect threat actors to be aware of these challenges and try to take advantage of the crisis. Organizations of all sizes should continue to treat cybersecurity as a top priority and ensure adequate financial and human resources are allocated to stay on top of data security even during this challenging period.
Regulatory compliance and breach reporting. While the Office of the Privacy Commissioner of Canada and some provincial privacy commissioners have scaled back their services as a result of the COVID-19 outbreak, organizations must continue to comply with their obligations under the federal Personal Information Protection and Electronic Documents Act (PIPEDA) and all other applicable privacy statutes. Organizations should continue to make every effort to report breaches to the appropriate authorities as required by law and comply with any notification requirements.
Have more than five minutes? Contact Nicole Henderson, Imran Ahmad, Cathy Beagan Flood or any member of our Cybersecurity group to learn more.
Blakes and Blakes Business Class communications are intended for informational purposes only and do not constitute legal advice or an opinion on any issue. We would be pleased to provide additional details or advice about specific situations if desired.
© 2020 Blake, Cassels & Graydon LLP