Thomas Koch, Associate Partner – EY Luxembourg

There is opportunity in every crisis. It is not without irony in the current context that this proverb is derived from the fact that the Chinese refer to both crisis and opportunity by the same word. While this semantic coincidence is actually to display a positive attitude towards challenges, the proverb is unfortunately but particularly true for those who seek to exploit times of uncertainty, panic or outright chaos to gain advantage. We are not talking about the good kind of opportunity here. We are talking about the opportunities for cyber criminals.

 With the Coronavirus being dubbed a global pandemic by the World Health Organization, it is finally time for organizations worldwide to dust off their contingency and business continuity plans, in a constant endeavor to keep business going while their most precious asset – their workforce – is facing a massive risk of infection and consequently more than likely to not be available for extended periods of time. The protection of the health of staff is paradigm, and there’s no single employer not evaluating their continuity options these days.

A common measure taken by corporate structures and public organizations acting responsibly is to send staff to work from home in quarantine, i.e. those who were potentially exposed to the highly contagious virus, be that by having contact to infected people or by visiting specific areas. Teleworking is for them the option of choice, if they are unwilling to sacrifice vacation days or take a leave of absence. 

From a medical perspective this is most probably the right thing to do – segregate, isolate and ride it out, at least until the incubation period of about 2 weeks is over and returning to the office is considered safe for those sharing the same physical work environment.

So how does this now relate to cybercrime? For all we know, there are no reported cases of IT infrastructure being infected with the virus as cross-species transmission from human to computer is truly unlikely. And still the current situation provides an ample playground for cybercriminals to go about their ill-minded activities. So how to contain an increased cyber risk while fighting the global medical crisis? 

Revisit your continuity plan.

Before sending people home for remote working, make sure to have all the technical means in place for them to be able to work in a secure fashion. Are the technical provisions there for an increased number of staff connecting simultaneously via VPN, and is there probably an option to temporarily increase the capacity of the VPN concentrator? While people may actually enjoy working from home for a period of time, they are certainly not enjoying a frustrating experience of poor and slow connections. Furthermore, frustration may lead to poor decisions as resorting to alternative and unsecure means of data and information exchange.

Beware of fake news and click-bait.

What is true during normal times, is even more important to bear in mind during times when headlines and news continuously burst in reporting on the latest and spectacular aspects of the Corona spreading. As it‘s human nature, the likelihood for people to do some unintended clicking on links in e-mails is higher during times of crisis. Address this issue with your staff and reiterate how to identify spam and potentially malevolent messages.

Follow the protocol.

Ensure that well-established procedures and controls remain in place and continue to be followed. No, it is not okay to share your password with somebody who is in the office just because you may not have access to that protected resource while working from the comfort of your home.

And no, taking confidential client documents home is no good idea either, not during the ordinary course of business, and certainly not now. While quarantine is not solitary confinement, those who share their household with other people, family or other housing mates, shall always apply reasonable precaution to keep their corporate technology assets protected.

Be wary of Social Engineering.

If at all possible, individuals should refrain from disclosing the fact that they are sent to quarantine either via social media or by publicly commenting respective news articles. Criminals may well exploit this knowledge to design attacks that are built upon the physical separation of a specific individual, e.g. by sending e-mails pretending that the respective employee has no connection to the corporate account („Stupid VPN is down, but I need this file really urgently. Can you help me and send it to my private address that I‘m writing from?“). And who would let their colleagues down, during these restless times while they are just trying to diligently continue working? For non-critical information, a quick phone call to verify the legitimacy of the request may be the option of choice. But if it‘s not critical – why can‘t it wait?

The law is the law.

Employers are not to start measuring the body temperature of their employees or interrogate them on potential symptoms of Covid19. The CNPD has provided guidelines clearly outlining the boundaries in this regard. Encourage your employees to transparently communicate if they happened to be in a high-risk area – without fear of retaliation. And if they show and experience symptoms, they are not to come to the workplace to begin with.

It doesn’t come intuitively that a virus, as threatening as it may be for humans, might well also put an entity’s cybersecurity posture at risk. Providing clear guidelines to the workforce and transparently communicating on the not health-related risks brought about by this epidemic, however, is a strong asset in the greater resiliency context.