30 March 2020

News round-up March 2020 — COVID-19 influence on cyber security, privacy and digital risk

Helping your business stay abreast and make sense of the critical stories in digital risk, cyber security and privacy. Email news@elevenM.com.au to subscribe.

The round-up

First and foremost, we wish all our clients and friends the best in these challenging times. We hope your families are well and that your businesses are finding a way to move forward through the current crisis.

Given the present saturation of COVID-19-related news, we considered avoiding the topic altogether in this edition of the news round-up, as a way to help our readers step back from the crisis and dip back into business as usual.

The reality, as we’re all appreciating, is that our collective response to the pandemic is unprecedented. It dominates all spheres of our lives – work, home, socialising, shopping and parenting. “Business as usual”, as it used to be, doesn’t really exist at this moment.

So in this month’s round-up, which takes a slightly different form, we look at how COVID-19 is influencing the spheres of cyber security, privacy and digital risk.

Key themes:

Security and privacy at the heart of changed ways of working

COVID-19 has heralded an unparalleled change in working conditions, most strikingly marked by large volumes of staff working from home, in accordance with social distancing and isolation guidelines issued by authorities.

Working from home isn’t new, but the scale is unprecedented. IT and security teams have scrambled to ensure that the sizeable increase in numbers of staff working remotely – including many that haven’t done it before – doesn’t translate to an unpalatable increase in security and privacy risks.

Recommendations have been widely published online to promote secure working from home practices, including use of secure networking tools such as VPNs and access controls such as multi-factor authentication. Some also see the current circumstances as an opportunity to introduce stringent IT architectures that will promote greater security long after the crisis subsides.

While technical measures are critical, we can’t underscore enough how important it is for organisations to also speak to their staff. Issue clear advice about the need to maintain secure practices when working from home, and the continuing importance of protecting the information of customers and of the organisation. As executives increase their conversations with staff at this time about how their companies are handling the crisis, security and privacy teams must also strive to have security and privacy priorities included in these communications.

The highs and lows of humanity

The image of people fighting off the elderly for toilet paper crystallises how the pandemic has, sadly, illuminated some of the worst in human behaviour.

So it was in the cyber realm. Very quickly after the pandemic took hold, authorities observed a spike in COVID-19 themed phishing and scam emails. Also discovered were coronavirus health-apps laced with malware, hijacked routers steering users to malicious COVID-19 sites, and the disrupting of online services that the public will increasingly come to rely on.

The expansion of cybercrime infrastructure – such as the registering of new domains, and a burgeoning pool of potential money mules – further suggests we could face these new risks for a sustained period.

All the more reason for businesses to start educating their staff now, not least because a state of heightened fear, anxiety and constant desire for new information likely increases susceptibility to threats such as phishing.

For a while, it did seem that cyber-criminals might have an attack of conscience, with some peddlers of ransomware vowing to lay off health care companies. A series of hospital-related attacks showed that to be a false dawn.

While there may be no honour among cyber thieves, there is valour in our industry worth celebrating. Many security researchers are volunteering to support healthcare providers fighting hackers, while a number of security vendors are providing free tools to help their customers be more secure. Some professionals have even set up an online cyber school for flustered home-schooling parents to help teach their kids cyber security.

Cyber workers are essential

As healthcare staff fight valiantly on the frontlines of this pandemic, it’s not unlikely that many of us in professions far removed from hospitals and health clinics are second-guessing how important our jobs are today.

Of course, PM Scott Morrison has declared that all workers are “essential” workers. But for those wanting something more specific, US President Trump also issued guidance this month on exactly what roles make up the essential critical infrastructure workforce.

A number of cyber security roles were defined in the list, including workers performing cyber security functions at healthcare facilities and energy providers. The inclusion of these roles in this list affirms that cyber security functions play a critical role in the functioning of society, even in the event of a pandemic-related lockdown.

A stoush between public health and privacy?

If the importance of cyber security was re-affirmed in the previous section, privacy may have taken a backseat, at least momentarily. Various governments, seeking to arm themselves with the information needed to contain the pandemic, have turned quickly to our personal data.

In some countries, like the US, this at least kicked up an ethical conversation. In other jurisdictions, like Singapore, Taiwan and Israel, the public health imperative appears to have overridden any appetite for discussion.

But one should never be too quick to declare privacy dead. Privacy was built for this. Principles such as necessity, proportionality, reasonableness and transparency are more important than ever for governments that will need to maintain public trust throughout a sustained state of emergency.

One of the first tasks for privacy advocates on the other side of this crisis will likely be to ensure that privacy concessions made in the name of necessity are rolled back as the emergency subsides (as signaled here). Beyond that, there will also be an opportunity to re-assess and refine prevailing attitudes to privacy and seek to reframe conversations where the discussion is framed as a choice between privacy and health.