As businesses increasingly shift to remote working environments, the COVID-19 public health pandemic presents new cybersecurity challenges each day.  As we discussed in our earlier post, hackers are actively targeting companies’ cloud-based remote connectivity, lack of multi-factor authentication, and potentially insecure digital infrastructure to exploit lax cyber-hygiene.  As companies struggle to maintain business continuity, the need for robust cyber security measures is more pressing than ever.

Cisco Talos’ latest threat report warns that three specific types of scams are on the rise: (1) malware and phishing campaigns using COVID-themed lures; (2) attacks against organizations that conduct research and work related to COVID; and (3) fraud and disinformation campaigns and attacks against organizations performing COVID-19 work.  And hackers are in fact making measurable inroads, with early attacks targeting an Illinois public health authority, a hospital in the Czech Republic, and even (albeit unsuccessful) attempts to breach the World Health Organization. 

Although some cybercriminals have vowed not to attack the healthcare industry when it is at its most vulnerable, the threat is hardly neutralized for the vast majority of businesses.  As a growing number of employees work from home in all industries, COVID-related cybersecurity threats are proliferating.

VMware, a global leader in cloud infrastructure and digital workspace technology, has confirmed the dangers.  According to VMWare’s recent Technical Analysis report, COVID-19 has generated a “substantial uptick” in cyber security attacks, leading to “an increased overall risk to corporate as well as personal security.”  The primary sources of threat, according to the report, are phishing schemes, where hackers use techniques such as fake links in emails and attachments to deliver malicious software to unsuspecting recipients. 

Email spear-phishing, which predated the outbreak of COVID-19, is just the tip of the iceberg.  As businesses increasingly rely on the indispensable digital tools of the COVID-19 era—Virtual Private Network (“VPN”) clients and remote meeting software—hackers have started to exploit such tools to gain unauthorized access to companies’ networks.  For instance, “Zoombombing,” where uninvited users share their screens and bombard real attendees with disturbing imagery, has become common in meetings organized via publicly available Zoom links.  The frequency of these attacks has led the FBI to warn of the risks of Zoombombing during the COVID-19 pandemic and the potential disruptions posed by uninvited guests. 

This leaves companies considerably vulnerable to breaches of proprietary and private information—not to mention significant disruption to already fraught business operations and even potential legal action.  In a class action complaint filed on Monday in the District Court for the Northern District of California, a proposed class of Zoom users have sued the company, alleging that Zoom failed to protect consumers’ personal information in violation of California’s Unfair Competition Law, Consumers Legal Remedies Act, and Consumer Privacy Act.  Separately, New York State Attorney General Letitia James announced on the same day that her office was investigating what, if any, new security measures the company had enacted to handle increased traffic on its network, detect security flaws, and ensure users’ privacy.

As we previously detailed, businesses should counsel employees on the need for constant vigilance to prevent unauthorized access.  But the current threats also reinforce the need for companies to implement organization-wide prophylactic procedures and processes to prevent cybersecurity attacks and mitigate the impact of a potential breach.  These measures include:

• Ensure security of remote networks and review breach response plans.  Companies should secure systems that enable remote access and ensure that VPNs and other remote plans are up-to-date and fully patched.  Incident response plans should be reviewed to ensure continuity of operations in the case of a breach and proper reporting to appropriate authorities.
• Manage settings on publicly available remote working platforms.  If free, publicly available platforms must be used for business purposes, settings should be adjusted to ensure maximum security.  Use only the most updated versions of the software.  Turn off file transfer capabilities and restrict attendance to individuals with authorized email addresses.  Hosts should never cede control of their screens, particularly during public virtual events.
• Segregate personal medical information.  Employers should implement measures, such as data encryption and data separation, to protect the sensitivity of any personal COVID-19 medical information collected from employees.  In addition, employers should minimize the data it collects as much as possible and segregate any files in confidential folders.  Federal laws, like the American with Disabilities Act (“ADA”) and the Genetic Information Nondiscrimination Act (“GINA”), may apply to protect the privacy of employees’ health information.

In a piece of encouraging news, cybersecurity professionals recently announced a broad effort to pool resources to combat cyber threats.  Composed of over 450 cybersecurity professionals from across the globe, including from Microsoft, Amazon, ClearSky Cyber Security, and Okta, the Cyber Threat Intelligence League has joined forces to tackle coronavirus-related hacking efforts.  While these professionals may be fighting cybercrime on a global scale, businesses and individuals can and should also do their part to promote good cyber hygiene. 

We will continue to monitor developments in this area.