As part of attempts to control the spread of COVID-19, businesses are increasingly relying on a remote workforce. Businesses should operate in a heightened state of cybersecurity posture during this time. Bad actors are taking advantage of COVID-19 fears, rapidly evolving environments, a distracted workforce, individuals’ good will, and unprecedented changes in business operations in all industries, hoping to trick individuals into visiting websites or opening allegedly helpful files and documents that contain malware. The current state of uncertainty, increased patient volume for health and life sciences entities, and unprecedented remote workforce creates a heightened risk of cyber exposure.
Where Is the Risk?
The increased threats come from a variety of sources, including phishing campaigns, ransomware attacks, targeted attacks against the health and life sciences industry, bad actors posing as CDC or WHO, and increased risk from a remote workforce. Threat actors play on public fears and viral news stories to trick individuals into providing sensitive information, donate to fraudulent charities, or spread malicious software disguised as important news alerts, COVID-19 monitoring, and pleas for donations.
For example, Jonathan Krebs reported on March 12 that cybercriminals have been disseminating websites and emails designed to look like the Johns Hopkins University’s interactive COVID-19 dashboard. These links contain accurate information, but credential-harvesting malware is embedded in a download required for access. Johns Hopkins University released a statement noting that the map on the University’s website is safe to use.
We are aware of an increased number of phishing campaigns aimed at hospitals, public health agencies, and other health and life sciences entities, hoping that, during the pandemic, businesses will pay ransoms without question in order to regain access to mission-critical patient care systems. In addition, the U.S. Department of Health and Human Services confirmed that it suffered a cyber-attack on March 15, reportedly aimed at slowing its COVID-19 response. On March 16, HHS issued a statement noting that, despite the increase in activity on HHS cyber infrastructure, the agency remains fully operational.
The unprecedented spike in remote workforce also increases cyber risk for businesses. As noted above, relatively untrained or inexperienced workforce members are now accessing data and systems remotely using unsecure internet connections and external IP addresses. Along with this increased workforce comes increased additional access points to your business, and identifying inappropriate access is harder.
Practice Good Security Hygiene
The good news is that vigilance, diligence and basic security hygiene in your workforce training materials can be among the best ways to combat cyber risk. A distracted and stressed workforce is less likely to employ appropriate vigilance. This is a prime opportunity for employers to remind their workforce of appropriate precautions and diligence, including:
- Do not open attachments in unsolicited emails (review U.S. Department of Homeland Security Cyber and Infrastructure Security Agency (CISA) guidance on email attachments).
- Do not click on links in unsolicited emails.
- Do not provide personal or financial information in response to an online solicitation or unsolicited email.
- Be wary of generic greetings and senders they do not know.
- Understand how to spot social engineering and phishing attacks, including well-crafted and sophisticated messages and spoofed emails (see CISA guidance).
- Understand how the IT department and CEO will and will not communicate with remote workforce members (e.g., user emails requesting credentials, wire card transfer requests).
- Central points of contact for requesting wire transfers, check requests, etc. to limit internal confusion.
- Use trusted sources like legitimate government websites for COVID-19 information.
- Do not donate to charities without verifying authenticity (review Federal Trade Commission guidance on charity scams).
- Do not download unauthorized or unsupported software on company or personal devices used to work from home.
- Update software and settings of home devices used for remote work (e.g., updating home Wi-Fi routers to the latest firmware and using strong Wi-Fi passwords).
Companies should also remain up to date on patches, updates and security fixes but remain cognizant of timing of releases to disrupt work as little as possible.
Streamline Communication from Reliable Sources
With non-centralized functions, businesses should also develop an enterprise strategy and decision-making protocol in order to provide consistent messages to workforce members. Businesses should use this opportunity to send consistent updates to workforce members with identified or common cybersecurity questions. If possible, an internal landing page with reliable and updated information (e.g., correct contact information and resource enter) should also be made available to avoid workforce members turning to unreliable websites for COVID-19 updates.
Manage Third-Party Risk
As businesses shift to an increased remote workforce, businesses also become increasingly reliant on vendors, including IT software and services. This presents an opportunity to confirm one’s vendors fit with one’s business continuity, emergency operations and incident management plans. When considering redundancies and backup capabilities, consider whether third-party vendors provide appropriate reliability and which vendors support critical functions.
Standard operations may not be feasible as the COVID-19 situation unfolds (e.g., vendors’ ability to meet response time SLAs or maintain all data access to on-site at their facilities). Companies should work together to ensure access to critical services can continue in accordance with legally required security standards and allow for the health and safety of vendors’ workforce members. This will require coordination and may require evolving standards as the situation unfolds.
Monitor Technical and Administrative Safeguards
Security monitoring solutions may indicate increased false positives as workforce members access company systems remotely. Businesses may see an increased demand for additional security support to monitor, filter and respond to false positives and actual incidents. Businesses should be particularly vigilant in monitoring unauthorized access and exfiltration hidden among increased workforce activities.
In addition to technical safeguards, it is likely that standard administrative safeguards and policies are not fully appropriate for the COVID-19 pandemic. This is an opportunity to review and revise policies, risk management strategies and historical tabletop exercises to consider priority updates to support incident response capabilities; to consider drafting a temporary COVID-19 policy outlining exceptions to usual and customary practices (e.g., remote access, transmission of data) and confirming that applicable legal requirements (e.g., HIPAA, PCI DSS, state law, CCPA) are still met; and to consider whether existing insurance coverage is adequate for changes the business is making to address the pandemic response.
Meghan O’Connor and Simone Colgan Dunlap are partners at law firm Quarles & Brady LLP. For more comprehensive, free-to-access COVID-19 resources, please visit https://www.quarles.com/covid-19-guidance-for-clients/.