We recently learned that Easyjet experienced a sophisticated cyber-attack which exposed customers’ credit and debit card details. Sadly, this has become a common occurrence during the pandemic. Google has recently stated that it is blocking some 18 million coronavirus scam emails every day, and has reported a 350% increase in phishing websites and emails (phishing being the practice of illicitly inducing individuals to reveal personal information for fraudulent use).
In particular, cybercriminals are exploiting the opportunities presented by the mass migration to working online. The proportion of attacks targeting home workers increased from 12% of the UK’s malicious email traffic before lockdown to 60% six weeks later. This makes sense:
- online and home working systems are being used in numbers and for amounts of time which their designers never could have predicted;
- given how quickly things have changed, some employees may not have read working from home or information security protocols in sufficient detail; and
- software and hardware are not being subjected to the usual standards of testing.
Common examples our clients’ employees have reported seeing are:
- emails or website links offering COVID-19 facemasks, testing equipment or drugs in bulk;
- emails and texts from the UK Government, HMRC or NHS demanding payment of fines for failure to observe lockdown rules;
- fake investment opportunities (particularly pharmaceutical and technological);
- fraudulent online meeting sign-up pages;
- spoofing or phishing emails purporting to be from a colleague; and
- most commonly, information falling into the wrong hands due to human error.
It is important that you are adequately prepared for these eventualities. If you suffer a personal data breach, you will normally be required to notify the ICO (the UK data protection regulator) formally, without undue delay and where feasible within 72 hours, unless the breach is unlikely to result in a risk to the individuals concerned. The ICO will expect you to be able to show that you have considered the potential effect of the pandemic on your data security obligations under the GDPR and implemented safeguards accordingly. Being adequately prepared will help you to avoid regulatory liability (including a potentially large fine). Broadly, the safeguards the ICO expects to see fall into the following categories:
- Awareness: do your employees know how to recognise, and respond to, an incident?
- Organisational security measures (i.e. designed by and specific to your organisation), such as security breach, information security and home working policies; password complexity requirements; administrative oversight; and code names for client work.
- Technical security measures, such as anti-virus software, regular sweeps to check for any incidents or irregularities, and secure virtual private networks (VPNs) to provide remote access to desktops and servers.
- Governance: is there an effective and understood structure for reporting incidents?
- Containment: are effective procedures in place to contain incidents and mitigate their effects?
- Notification: do you understand when and how the ICO, or the individuals affected by the incident, must be notified?
- Documentation: do you know how to formally document your organisational response in case of regulatory investigation?
If you need any help preparing for, or mitigating, online crime and data security breaches, get in touch with Priya Thapar on +44 (0)20 3691 2063 or email firstname.lastname@example.org