Technical advice on how to avoid falling victim to a coronavirus-based digital scam is everywhere; sadly, it does not seem to be helping. Knowing that, better advice might be for a company to have all its legal ducks in a row, just in case.
In the May 2020 JD Supra article “Cybersecurity and Incident Response In A Time of Coronavirus,” Saad Gul and Michael Slipsky, attorneys at Poyner Spruill LLP who specialize in cybersecurity, said attacks touting something related to the pandemic have been plentiful enough for them to see what needs shoring up. Here are their suggestions.
Review your incident-response plan: Implementing an incident-response plan is a good idea and is now required by regulatory groups ranging from the SEC to the New York Department of Financial Services. Gul and Slipsky also believe incident-response plans give those who could wind up involved in an actual incident a chance to practice ahead of time, especially now when certain assumptions no longer apply due to COVID-19. “For example, a key individual may be quarantined,” the authors said, “or the plan may require physical access to a facility that is out of bounds for one reason or another.”
Gul and Slipsky added, “Whatever the concern, the first step is to review the plan. A review may yield assumptions that no longer hold true. At that point, the organization can develop workarounds.”
Review expert guidance: Multiple government agencies are collecting and publishing data on pandemic-induced attacks, along with recovery recommendations, on the agencies’ websites—CISA, DHS, and NIST, for example.
The authors suggest it’s best to learn from others’ mistakes and use information provided by the agencies. They offer the following advice, which has surfaced strictly because the pandemic has forced experts to rethink:
“The CISA discovered that the COVID-19 phishing emails were a new and effective ploy for attackers. Employees expect such emails and react accordingly. Once warned, their response rates improved. A simple technique, but one that pays disproportionate dividends.”
Have several ways to locate employees: The authors discussed the importance of having backup communication systems. This is good advice as, more often than not, a business wanting to save money integrates everything into a single package from a lone service provider, which could leave the business vulnerable if some kind of denial-of-service attack occurs.
“The business should identify alternative modes of communication, such as landlines or personal cell phones,” the authors said. “Each employee should have a hard copy phone directory that includes those numbers. Communication may be slower this way, but this ensures an attack will not cripple internal communications.”
Fix vulnerabilities: For a variety of reasons, those responsible for keeping digital equipment up to date are not always excited about pushing out updates that fix vulnerabilities. However, once again, COVID has changed the score: “In the regular course of business, an attack through an exploited vulnerability might be a nuisance. With the entire business running remotely, however, such an attack can be devastating.”
Check liabilities: Gul and Slipsky, suggesting a bit of irony, are wondering: Why now? One might think regulatory bodies would ease up on compliance due to the unusual circumstances created by COVID. “The Department of Health and Human Services’ Office of Civil Rights has indicated that it will regulate lightly given the pandemic pressures,” the authors wrote. “But other agencies—from the Federal Trade Commission to the Securities and Exchange Commission—have offered no such suggestion. Moreover, state regulators and legislators, perhaps spurred by California’s example in the California Consumer Privacy Act (CCPA), have been more active in consumer privacy.”
Gul and Slipsky offered the following advice: “In our experience, the day-to-day stresses can sometimes cause businesses to overlook compliance fundamentals. Build your IT around security and compliance. If it is intrinsic, it is less likely to be overlooked, whether the work is performed in the office or remotely.”
Why this matters
Business owners cringe when asked whether their company could survive the pandemic without the internet. The ability to work remotely is keeping many businesses viable, as well as allowing employees to provide for their families. Experts, including Gul and Slipsky, suggest working remotely is not going away. It’s likely to increase when feasible, and businesses should prepare themselves accordingly.