This guide has been prepared by the ICAEW Tech Faculty. Recognised internationally for its thought leadership, the Faculty is responsible for ICAEW policy on issues relating to technology and the digital economy.
Disruption brings opportunity
Unfortunately, criminals thrive in times of uncertainty and fear, and the UK’s National Cyber Security Centre (NCSC) has already reported an increase in cyber threats which refer directly to the coronavirus. At the same time, many organisations have opened up new avenues for attack by suddenly moving all staff to home working. Staff may be using unfamiliar apps and controls may not be configured properly. Staff are also likely to be stressed and worried and may not think about cyber security.
This guide outlines the key steps to basic cyber hygiene and highlights some useful resources.
New threats to look out for
Coronavirus allows criminals to put a new spin on existing attacks. There have already been a number of new malicious websites set up for the purpose of infecting devices with malware. Be careful of newly created websites registered with the word "corona", many of which could be suspicious. Watch out for sites with variants of coronavirus(.)com or corona-virus map(.)com.
Spam emails try to grab your attention by offering goods that are now in high demand, such as masks, hand sanitizers or vitamins. Alternatively, they might feed conspiracy theories about the pandemic.
Phishing scams can appear to come from organisations such as the CDC (Centers for Disease Control) or the WHO (World Health Organisation). The scammers have crafted emails that appear to come from these sources, but they actually contain malicious phishing links or dangerous attachments. There are also emails that claim to have a "new" or "updated" list of cases of coronavirus in your area.
There has been a spike in fake internal HR or IT communication, such as coronavirus surveys impersonating your HR or IT department - the objective here is to steal usernames and passwords. For example, to access the "document" or "survey", the recipient has to provide their Office 365 credentials on a fake site, thereby compromising their account.
Cybercrime is also likely to increase. Criminals may set up fake charities and send emails that ask for charity donations for studies, doctors, or victims that have been affected by the COVID-19 coronavirus.
Get the basics right
There are lots of simple guides to help small and medium sized organisations focus on the most important steps, including ICAEW’s 10 steps to cyber security for smaller firms and the NCSC’s Small Business Guide to Cyber Security.
Some of the key points to focus on at this point are:
Working from home
As this guide has highlighted, cyber criminals are targeting businesses and staff with new scams and phishing emails related to the coronavirus. Therefore, organisations should pay particular attention to home working practices to ensure that cyber risks are managed as far as possible. The NCSC has a guide to secure home working which includes a range of issues including:
In addition, ensure that staff have the resources they need to be able to operate securely - provide written guidance on any new software that staff are having to use, test that the software works as intended and produce a series of "How Do I?" guides for staff if needed.
Help users to be vigilant to phishing emails
Staff should be particularly vigilant at the moment when looking at emails and clicking on links. Phishing emails can be very convincing and professional-looking but there are some key things to look out for. NCSC guidance gives the following general tips around phishing emails, which you could share with your staff:
It is also useful to hover over a link to see the actual hyperlink address that you are being directed to, not just the text in the email. Finally, if in any doubt, double check any claims made in the email, for example calling colleagues or banks to check whether they have sent the email in question.
Protecting sensitive data
Businesses need to take additional steps to protect sensitive and personal data, and working at home may change the way that data is handled. Established procedures may not be appropriate and therefore consideration should be given to sending out new guidance to staff who are handling such data at home. This could include:
The Information Commissioner’s Office has published some guidance related to coronavirus if further information is needed.
Resources
The NCSC has a wealth of resources to help businesses of all sizes. As well as the Small Business Guide, they provide a free cyber security training course for staff that can be watched online. The NCSC also sends out a weekly threat report which highlights new or particularly important threats or attacks.
ICAEW has a wide range of support for members on cyber which can be found at icaew.com/cyber. Free resources from the Tech Faculty include a short video giving an overview of the topic, as well as the 10 steps guide. We also have over twenty evergreen cyber security tips of the week on Tech News.