24 April 2020

Cybersecurity Risks In A COVID-19 Pandemic

Published on 24 April 2020

As we navigate our new COVID-19 reality, the legal industry (alongside other industries) is in crisis management. Cyber criminals are seizing the opportunity to exploit our lack of preparedness for a wholly online working environment. Those that seek to exploit our fears are capitalising on our vulnerability - and wreaking maximum destruction, to their personal profit.

Fake Government Representatives

One such scam has seen hackers and scammers moonlighting as government health departments and officials to steal a person’s identity. The scammer sends a recipient an email advising them that they have been in contact with a confirmed case of COVID-19 and requesting the recipient provide private identification details.

Fake Employees

In larger organisations, hackers are pretending to be employees experiencing remote access issues and preying on IT staff to give them access or disclose log in details. There has been an increase in opportunistic exploitation of programs such as Zoom requiring organisations to scramble to increase security settings to protect users. It is incumbent on us, as users and as businesses, to ensure access is scrutinised, to be aware of the potential risks to our businesses, and to take preventative steps to ensure such programs are safe to use.

Increased Security Risks

As we migrate from physical offices to a virtual work-from-home environment, we face an increased risk of cyber-attack. Law firms in particular had little time to prepare, to implement appropriate infrastructure and to ensure security measures were up to the task. This opens us up to risk of ransomware and phishing attacks. It also refocuses on the importance of making sure the cyber risk aspects of a firm strategy, risk management and business continuity planning are up to date and if they are not, it is a prime time to be looking at these in light of the business environment pre and post Covid-19.

We are putting our business assets, confidential client information and privacy details on the same Wi-Fi networks we use to log in to social media and internet streaming services such as Netflix, potentially exposing us to further hacking.

The COVID-19 storm is likely to last for several months, if not longer. This increases the time cyber criminals and phishing gangs have to undertake reconnaissance and deploy elaborate scams.

One thing that hasn’t changed regarding cybersecurity is how we respond to increased risks. Prevention is still the best strategy. We need to utilise this time and opportunity to fine tune preventative planning, policies, protocols, systems and procedures.

What You Should Do:

Law firms should be continuing to adopt the following strategies and revisit them in light of the change to remote working:

  • Passwords should be long, strong and unique: at least 12 characters that are a mix of numbers, symbols and capital and lowercase letters. Consider utilizing password managers.
  • Employ multi-factor authentication or two-factor authentication particularly when dealing with the transfer of money
  • Use secure connections and VPN (virtual private network)
  • Encryption of data sent via a wireless network
  • An awareness of suspicious links and emails – train staff to check emails before opening links
  • Malware detection tools to monitor systems and identify and halt malicious activity. This includes installing antivirus software on all computers, tablets, smart phones and other devices, whether you use them for business or personal use.
  • Verify client details, bank details, and changes to information already held by your firm
  • Enforce screen locks. Do not leave computers and phones unattended, even while you’re at home
  • Instil robust incident response planning including 24/7 access to help and support in the event of a suspected or actual breach and how best to connect with your insurer
  • Security awareness training is critical to protecting your practice. Training provides your employees with the knowledge and skills they need to protect themselves from cyber threats or breaches of data privacy.

This current pandemic has highlighted the need to bolster communication and coordination of our incident response plans. We need to develop policies, protocols, systems and procedures that identify where our vulnerabilities lie so resources and responses are deployed swiftly and effectively. We’re operating businesses and delivering our services slightly differently now, so we need to make sure our planning and operations management reflect these changes.

If there is a silver lining to be found in this current crisis, it is this: when the next pandemic rolls around (and make no mistake there will be a ‘next’ one), we will have learnt valuable lessons from our experiences with COVID-19. We will be better prepared as a nation, as a profession, and as a work force.

About the author

Leisa Flatley is a lecturer at the College of Law Queensland, lecturing students in practical legal training and risk management in the Practice Management Course. She has a keen interest in cyber security risks and has a qualification in Cyber Security Risk and Strategy from RMIT

Further Resources

Please visit the Centre for Legal Innovation-Collaborate (CLIC) free resource hub for a helpful and informative video on tips and traps on how best to protect your digital assets: Cyber security – Can we ever really be cyber secure? And follow us on LinkedIn, Facebook or Twitter for the announcements of more videos and podcasts we will release in the coming months on this important topic.

References

[1] https://www.arnnet.com.au/article/672265/here-some-covid-19-cyber-scams-watch/

[2] https://zoom.us/docs/en-us/privacy-and-security.html?zcid=3738&creative=431305793462&keyword=zoom%20security&matchtype=p&network=g&device=c&gclid=CjwKCAjwvtX0BRAFEiwAGWJyZClcHKtVOfK9ugtpYqDi0deqIfzl4gedDPQAlsSowxMaWLv1Sz992xoC-SkQAvD_BwE