Client alert: Remote work, data breaches and cybersecurity considerations during COVID-19

Ransomware and phishing attacks are on the rise, as are the significant legal and economic considerations that follow. In 2019, a number of municipalities across Canada faced malicious online attacks that effectively shut-down city operations unless a ransom was paid.^[1]  A recent Carbon Black survey of 250 Canadian CIOs, CTOs and CISOs found that 88% of businesses had suffered a data breach over the past 12 months, largely due to phishing attacks.^[2]

As businesses adapt to the “new normal” of extreme uncertainty caused by the COVID-19 pandemic, countless employees are faced with the prospect of working remotely in a variety of new (and sometimes less-than-secure) environments. Cybercriminals have taken notice.

Phishing attacks related to COVID-19 began in January and have exploded online since, with some reports pointing to thousands of new sites and scams created every day. For example, regulators in the UK have identified a rise in the registration of webpages relating to coronavirus,  which is suspected to be the work of online threat actors looking to exploit the outbreak.^[3]

Perhaps in a bid for self-preservation, a number of hackers have made clear they will not resort to ransomware and other health-related cyberattacks during the pandemic. However, businesses should be wary of these overtures and continue to maintain vigilance across their workforces, especially in light of the recent (and significant) attack on the U.S. Health and Human Services Department earlier in March.^[4]

The minute-to-minute evolution of the pandemic can feel overwhelming and even surreal. However, organizations can consider a number of straightforward best practices when attempting to reduce the risk of phishing and other cyber incidents arising from COVID-19:

1) Implement a clear and consistent process for communicating to employees over the course of the pandemic – to address how the outbreak may impact employees long-term,⁵  to provide updates on IT and other policy issues, and also to ensure everyone remains connected, even if virtually, during this public health emergency.

2) Specifically, IT teams and resources should keep in touch with remote workers to ensure program updates and patches continue to be installed when available, and to quickly deal with any data incidents taking place outside of the traditional office.

3) Speak to employees frankly about using work technology for work purposes only, and reinforce the need to keep devices secure from their own online activities at home (e.g., limit online shopping or other activities that increase the risk of their clicking fake ads). Employees may also consider having these conversations with other family members/close contacts (e.g., to reduce the possibility of the use of vulnerable remote drives).

4) Continue to reinforce online IT security training while employees are working remotely so they stay abreast of the latest phishing and ransomware scams during the pandemic. Of late, these attacks have involved emails with information claiming to be from government-related health agencies offering pandemic advice or fake workplace correspondence seeking sensitive personal information and/or requesting password verification.

5) Employees should also ensure they are maintaining good cybersecurity practices at home by confirming their Wi-Fi is secure, remembering to constantly save and back-up work, and locking their screens when leaving workspaces if in a shared environment.

We are dealing with an unprecedented global event. Cox & Palmer remains available and committed to providing quality advice to all businesses faced with navigating these uncharted waters.

By Matt Saunders, Margaret A. MacInnis, Patrick Fitzgerald, Anna M. Cook and Deirdre L. Wade, Cox and Palmer

Articles referenced in the article above:

[1] ‘Definite uptick’: Global wave of ransomware attacks hitting Canadian organizations – CBC, Oct 14, 2019
https://www.cbc.ca/news/technology/more-ransomware-canada-1.5317871

[2] CANADA | GLOBAL THREAT REPORT | DEFENDER POWER ON THE RISE – Carbon Black
https://www.carbonblack.com/land/canada-global-threat-report-defender-power-on-the-rise/

[3] Coronavirus-themed phishing attacks and hacking campaigns are on the rise – ZD Net, March 16, 2020
https://www.zdnet.com/article/coronavirus-themed-phishing-attacks-and-hacking-campaigns-are-on-the-rise/

[4] Cyber-Attack Hits U.S. Health Agency Amid Covid-19 Outbreak – Bloomberg, March 16, 2020
https://www.bloomberg.com/news/articles/2020-03-16/u-s-health-agency-suffers-cyber-attack-during-covid-19-response

[5] COVID-19 – How Employers Can Manage the Workplace in These Uncertain Times – Cox & Palmer, March 18,2020
https://coxandpalmerlaw.com/publication/covid-19-how-employers-can-manage-the-workplace-in-these-uncertain-times/

• About
• Latest Posts

Occasional Contributors

In addition to our regular guest bloggers, First Reference Talks blog published by First Reference, provides occasional guest post opportunities from various subject matter experts on the topics of human resources, employment/labour law, internal controls, information technology, not-for-profit, business, privacy, tax, finance and accounting, and accessibility in Canada among others. If you are a subject matter expert and would like to become an occasional blogger, please contact us. If you liked this post, subscribe to First Reference Talks blog to get regular updates.

Latest posts by Occasional Contributors (see all)

• Finance is doing a consultation on whether to increase the disbursement quota for Canadian registered charities - September 27, 2021
• Many charities with March 31 year ends need to file their T3010 by September 30 - September 13, 2021
• Reminder from Corporations Canada re: AGMs in 2021 for CNCA corporations - September 1, 2021