In the blink of an eye, COVID-19 has taken center stage in almost every facet of operations in governmental offices, businesses, schools and homes in the world. And the ripple effects of this pandemic are invading more than our home lives and the economy. This crisis has required most of the country's work-force to reinvent operations and require every non-essential worker to work from home. It is in this type of paradigm-shift that cybercriminals look for opportunity. In the wake of the COVID-19 outbreak and response efforts, there has been an escalation of cybercrime and cyber intrusion attempts. While we each adjust to this new way of life and, more importantly, help our clients adapt, it's important that we remain vigilant. Below are examples of some of the most recent attempts of cybercrime (either through phishing scams or VPN intrusions), as well as recommendations for how to mitigate risk.

Phishing for Something New

To begin, phishing emails have evolved to adjust to the virus outbreak and response efforts. We long for the days where the most threatening phishing email is from a fake email address purporting to be from the CEO of a company "needing immediate assistance." Instead we are hit with new and various waves of malicious emails in the form of phishing attacks that even the most sophisticated recipient could fall prey to in light of the speed at which business is transacting and reacting, and the shift to working from home.

Recently, the FBI issued a warning related to fake emails purporting to be from the Center for Disease Control (CDC) or other health care organizations, but the attachments or links within the body of those emails contain harmful malware or malicious ransomware that could cripple your organization. Other examples of new phishing scams include emails pretending to be from a company's Information Technology department with instructions for setting up computers for remote working, or from co-workers that appear as though they have a link to an internal database document but instead link to a domain outside of the company's network intended to unleash malware that could infiltrate the company's network within seconds.

Still prevalent are phishing scams purporting to come from human resources. These scams have also adapted to take advantage of the new paradigm, now claiming to attach guidelines for safe distancing or revised work schedules. A closer look at the email address of the sender, however, would reveal that this is not from the company's domain address. Here again, the attachment might instead include ransomware intended to hold an organization's data or computer systems hostage until a ransom is paid (usually in the form of Bitcoin, which is generally untraceable once paid). Compounding this risk, consider that hospitals and other health providers have been consistent targets for ransomware attacks. The impact such a ransomware attack could have on any of the mission critical hospitals currently working so hard to treat the incredible volume of COVID-19 patients is indeed frightening. Also concerning is the thought of malware infecting a computer system that life sustaining ventilators rely on, because software was missing a security patch or a version behind on a hospital network. If there is a silver lining in the fact that our healthcare system has consistently been such a popular target of ransomware attacks and other cybercrimes is that our hospitals and healthcare facilities are better prepared and more vigilant than ever to deter such attacks or, at least, mitigate the damage stemming from such attacks.

What's an Organization To Do?

Now is the time to reconsider your information security plan, business continuity plan, and disaster recovery plans to evaluate if enough safeguards are in place. For example, does the business continuity or disaster recovery plan include a pandemic response plan? As many companies are learning now, how one responds to a pandemic might be very different from how one response to other more common disasters.

Not only do many applicable data privacy and security laws require such diligence, including New York's SHIELD Act (cybersecurity mandate effective March 21, 2020), but proper information security and business continuity plans mitigate the impact of an attack on an organization. This is not a simple box-checking exercise. Remaining current on information security and business continuity plans may be the difference between continuing operations remotely or having to completely shut down as a result of a successful malware or ransomware attack. Remember, "Compliance Does Not Equal Security." Compliance is only a segment of a suitable cybersecurity program.

Time for Mitigation

So what else can an organization do to mitigate some of these risks and vulnerabilities? To start, refresh training content and retrain employees to remain vigilant, including training on the newest trends and, as always, to pay close attention to the details in every email. Even if it takes more time to review and/or respond to the email than one might prefer, the diligence is warranted. Train employees to expand the sender's name to confirm it is a legitimate sender. If it is an email from a known vendor or customer requesting an important change (e.g., account for wiring purposes), advise employees to call the vendor or customer using already known contact information (and not contact information from the email) to confirm they are requesting this change. It is far less risky to make that call, then to blindly make such a change. Consider developing relevant procedures to ensure such matters and consistently handled properly.

Simply put: Vigilance, absolute vigilance, is key. While many employees are more adept at spotting a phishing email that purports to being from their CEO asking for assistance, we need to retrain them to spot this new round of phishing attempts, such as those allegedly from Human Resources, Information Technology or even an outside vendor or customer offering advice or reporting a problem amid COVID-19 concerns.

Additional safeguards, though slightly more technical in nature, include ensuring that networks, including Virtual Private Networks (VPNs), are current and that all patches have been deployed with updated security configurations. As VPNs allow access from outside of a network, it is critical to maintain proper multi-factor authentication for all VPN access to networks, especially with the dramatic growth of employees working from home. Consider also how rights are provisioned to users. Ideally, computer systems should be designed by the principle of least privilege, meaning that the access rights of each user is reduced to the bare minimum permissions they need to perform their work.

Taking safeguards to the next level, organizations should consider restricting VPN access only through company-issued internet communication channels, such as MiFi cards or other company-issued devices with data plans. This measure would tighten security even further. While home networks are typically more secure than public networks, there are still likely more vulnerabilities in a home network environment than in an organization's network. For example, while an employee may be diligent about the websites and apps they use, the other members of their family may not be. For example, use of Apps like Facebook, Tik-Tok, YouTube, Snapchat and similar social media platforms invites risk. These types of sites are known for vulnerabilities and providing a conduit for cyber intrusions. If such apps or websites are accessed on a shared home WiFi network, a door could be opened to a company's network that otherwise would have never been accessible.

Cyber Survival in the COVID-19 Pandemic

In sum, the COVID-19 pandemic continues to have a devastating ripple effect around the world, across the United States and locally. Direct loss and economic hardship aside, this crisis has unfortunately created more vulnerability in cyber frameworks, which should not be taken lightly and instead become a priority for organizations, even in the midst of this pandemic. Take the steps outlined above to mitigate those risks and endeavor to overcome this pandemic with minimal impact on your information technology systems and data security.

Jessica L. Copeland is co-chair of the cybersecurity and data privacy practice group of Bond, Schoeneck & King in Buffalo and New York City.