The exceptional situation that the world is living in the light of the COVID-19 pandemic has come with an increase in the exposure of companies and public institutions to cyber-attacks. Taking preventive (ex ante) and repair (ex post) measures is the key to a proper response to the cyber-risk, mitigating the potential harm of an inevitably vulnerable system.
COVID-19 not only is testing the strength of our national system, but also the whole welfare state and the social and market economy that supports it. From the social services, through food supply chains, spares logistic and equipment assets, to the education sector, the entertainment industry and information… the severe crisis produced by COVID-19 is to create changes in the goods and services production model within the European Union that strives to overcome, even with its own contradictions, the brutal crisis opened by Brexit.
Indeed, within the cyber framework, the COVID-19 impact has quickly shown its effects. There are several international indicators that highlight the significant rise in the cyber-attacks to critical public and private infrastructures.
In these times of emergency, according to the kind of detected cyber-attacks, the cybercrime triad may be outlined as: ransomware, phishing and fake news.
The main type of cyber-attack is ransomware. As we already stated on “Cyber-risk and cyber-insurance (II): silent cyber, an ongoing revolution?” (March 2020), ransomware is the name of a software that aims to “take data hostage”; given the rising dependency by the companies and public administrations on digital facilities (working from home, virtual meetings, social media…) the possibility of depriving the public and private stakeholders of the access to devices, media, data bases or information sources may have a devastating effect.
Cybercriminals exploit the most vulnerable parts of the system to carry out their attacks. In this regard, one of the most vulnerable points of companies and public administrations is precisely their staff. Ransomware needs an action by a human operator in order to deploy its potential harm. In times of COVID-19, cybercriminals use the user’s fears and insecurities on digital systems as a vulnerability susceptible to attack.
Thus, in our publication of March 2020, we analysed the operating mechanism of NotPetya; the simple malware required the user to click in order to open an email that immediately encrypted files and demanded, in return to unlocking them, a ransom in cryptocurrency. In other words, the ransomware always requires an individual’s participation: to download an application, view a file, open an email…
In this exceptional situation that we are living there is a conjunction of two elements that turn it into the perfect time to carry out a cybercrime of these characteristics: (i) companies and public administrations are overexposed to risk because they can only provide services, due to the compulsory lockdown, via digital infrastructures and (ii) there is an atmosphere of fear and social anxiety around COVID-19 spread that multiplies the system’s vulnerability.
Searching information about preventing COVID-19, acquiring health products such as masks or sanitizer, checking potential treatments for the infection or activities which may be done during lockdown are sociologically understandable behaviours but are a cyber-risk focus, in the event of not adopting the appropriate measures.
Given the severity of the crisis created by COVID-19, some cybercriminal organizations as DoppelPaymer o Maze have announced a “ceasefire” on health institutions, guaranteeing them access to a free decryptor in the event that their data are taken hostage after a ransomware attack; despite of this promise of “non-aggression”, we should highlight that (i) there is no consensus in an uncertain and liquid community such as that of cybercrime and (ii) on the other hand, there is no engagement on preventing the most likely “collateral damage” that this kind of cyber-attacks produce, as we have analysed in previous articles. The hazard of ransomware is, therefore, a current topic.
Other front in the cyber-attacks is phishing, which uses similar parameters as ransomware. Through phishing the user’s vulnerability is used to obtain personal data such as identification numbers, bank account numbers, passwords or other confidential information. Phishing attacks come from allegedly official accounts (usually via email) in order to earn the trust of the user so they enter their data expecting it to be true and secure.
Thus, during the crisis brought by COVID-19, phishing attacks have been uncovered, they have been using the profiles of public organisations, health centres, private organisations that pretend to provide purchase options for health products (masks, gloves…), drugs, pseudo-treatments or, simply, update contact data of bank entities or public administrations (access keys to digital profiles, keys to purchase authorization…).
When the user enters the data required by the alleged trustworthy body, either public or private, the cybercriminal takes them in order to authorise payments, transfers or operations through an identity theft.
Finally, the third party of the cybercrime triad is fake news (misinformation) that, in some cases, may lead to the disrepute of companies and organisations. Usually insurance policies for cyber-risks include the coverage “reputation risk”: coverage of consulting fees, campaigns of image restoration, etc.
What can we do against the cybercrime triad? The guidelines that we suggest are simple and widely known:
- To guarantee that there is a safe digital infrastructure equipped with the necessary technical resources.
- To guarantee that the users of the digital infrastructures are sufficiently aware, educated and trained in preventing cyber-risks: use of official channels, use of double-check systems, measures of “digital hygiene”…
- To inform the employees/users that there is a significant rise of cyber-attacks of different types and to recommend them the use of double-check systems to download emails/files.
- To inform of loss/theft of devices.
- To keep work from home under secure channels: to avoid the use of personal media by the employees and to guarantee that there is an active protection system against potential cyber-attacks.
- To assess the response before a cyber-attack and articulate a system to restore losses and/or damages.
In times of overexposure to cyber-risk, it is recommended not only taking preventive measures (ex ante measures), but also to take the measures addressed to solve the negative consequences for the company/organisation (mitigation/repair measures, ex post).
From insurance perspective, the response to the implications that may arise from a cyber-attack on a company’s business, its image or its staff must be properly assessed and articulated in order to being able to prevent the potentially damaging consequences of cyber-risk.
The increase in the system vulnerability must be taken as an opportunity to improve and update our digital infrastructure, but it is also the right time to start giving cyber-insurance greater importance, being aware of the importance of “digital hygiene” and of the key role which users play while building a security environment to develop an expanding cyber-universe.
AUTHOR: Ian Pérez López. Lawyer. Insurance Law Department, BELZUZ ABOGADOS, S.L.P.