Data Protection: Why the pandemic means you need to be doing things differently
COVID has had an enormous impact on cybersecurity. Here, we look at four things that could be compromising your security. And they all relate to one vital area: protecting your data.
As well as outlining the risks, we share the steps you can take to keep your data out of harm’s way.
No. 1 – COVID-themed phishing emails
The coronavirus may now be the biggest phishing topic ever, so you probably don’t need us to tell you that email scams are off the charts this year. By some estimates, phishing emails have increased by a whopping 600%. Back in April, Google was blocking 18m coronavirus scams emails every day.
Luke Kiely manages our CSOC (Cyber Security Operations Centre); his job is to protect our clients and us from cyber-attacks. He’s witnessed the massive spike in phishing emails and has a keen sense of why – despite growing awareness – people continue to be duped.
“Threat actors are quick to latch onto the latest news,” says Luke. “So, when Boris Johnson announces the government is implementing new measures, a phishing campaign could mimic that within hours. And in their hunger for advice, people are more likely to open emails with topical subject headings, as they think they’ll be legit.”
And perhaps surprisingly, senior executives are up to 12 x more likely to fall for a phishing scam. CEO fraud (or CXO fraud) is a type of phishing email – known as whaling, where attackers impersonate a high-level exec in the company, say, the CEO or CFO. The aim is to trick the exec into carrying out an instruction by them – an urgent money transfer, for example.
And in an era when we’re growing accustomed to believing the unbelievable, it’s understandable your guard may be down. Alas, this is what threat actors play on.
To help you or your team spot Covid related phishing emails, catch Luke’s blog – Coronavirus: Be Vigilant to the Cybersecurity Risks.
How can you reduce the threat of phishing emails?
It’s all about taking a layered approach, and we can’t say it better than Pravesh Kara, our Security and Compliance Product Director:
“At the top, you’ve got your email security functionality; the ability to detect phishing emails right at the perimeter. And then it flows to your next layer of defence – your employees. This is your user awareness and the training you provide, so your users learn how to spot phishes and know what to do.”
Pravesh continues: “And if it falls through that layer and users click, you need the ability to detect and contain any resulting threat activities. That’s where a CSOC and monitoring come in.”
No. 2 – Over-collecting employee information
Most of us are familiar with H&M; maybe you have something from the high street fashion retailer in your wardrobe. But did you know that H&M landed in hot water with the information commissioner? It also has the dubious distinction of incurring the second-largest fine by a single company under the GDPR.
H&M copped a €35.3m (£32.1m) penalty for intrusive data collection and analysis of the activities of hundreds of its employees. You can read more about the case here: H&M fined for breaking GDPR over employee surveillance.
While H&M’s big brother tactics pre-date the pandemic, we’re seeing many companies ramp up their employee monitoring. As workplaces become decentralised and employees are away from their managers’ gaze, perhaps you could argue reasonable cause.
But it all depends on what side of the fence you sit on. Would you be comfortable with constant surveillance? ‘I monitor my staff with software that takes screenshots’.
How can you avoid becoming the next H&M story?
To monitor or not to monitor? That is not the question. It comes down to one thing: your policies.
Maybe you have someone on furlough and want to be sure they’re not logging in to your systems. Or perhaps you have a new remote employee and would like to check they’re working their allotted hours.
Let’s take the person on furlough first. If you have always monitored them and communicated this in your policies, that’s fine. But if you’re making any changes to this, then you must be upfront about your plans and get their acknowledgement.
Ditto your newbie – see that you make your policies clear to them from the start. But aside from covering your derriere – legally speaking – and not landing up in some ugly employment tribunal or GDPR investigation, isn’t it just the right thing to do? We believe it is.
No. 3 – Shadow IT
Shadow IT – tech adopted by your users without your organisation’s approval or knowledge – has long been the bane of IT managers’ lives. Typically, Shadow IT comes in the shape of cloud or web-based solutions.
Since the pandemic, evidence shows that Shadow IT, like phishing emails, is rising. More remote working may mean that – for any number of technical reasons or altered user behaviours – your IT team has less visibility of what’s going on.
And the possible consequences of Shadow IT aren’t pretty. Sensitive data in unsafe environments, information leaking into the wrong hands, non-compliance of the laws and regulations, reputational damage. Altogether, an unholy mess for your long-suffering IT team – and possibly your legal people – to unravel.
How can you control Shadow IT?
This starts with the ability to detect the use of Shadow IT in your organisation. Then you need the appropriate response mechanisms to do something about it.
“What that action is depends on your policies around Shadow IT,” says Pravesh Kara. “Either you go through a process where there’s a business need and you onboard it properly as an official supported application, or it’s unsanctioned.
“If it’s unsanctioned, you find a way to block and remove it, and limit any damage caused in terms of how much data went into that platform.”
So, what technologies would help with Shadow IT? Automation will make your life easier and ensure a more consistent approach.
“What we’re looking at is the ability to monitor and control web traffic. For us, this is Microsoft Cloud App Security, and to a lesser extent the web content filtering built into Microsoft Defender ATP (Advanced Threat Protection),” continues Pravesh.
“Then understand how you’re going to get that data off that piece of Shadow IT and back into a controlled system. You could automate the process with something like MCAS (Microsoft Cloud App Security).
“With MCAS, you do the initial piece of work to understand what applications are unsanctioned or sanctioned and then automate your response.
“Say you don’t trust the app because it’s hosted in a region not covered by the GDPR or it doesn’t fit your compliance regime for other reasons. Then you may decide to block it. But if the app contains benign, public, non-impactful data, then you may allow it but control how information moves to that piece of Shadow IT.”
And a one-page policy guiding your users on their use of Shadow IT, together with a spot of training, is a good shout. Some clarity will serve them – and you, better.
No. 4 – Insider risk
Insider risk is considered one of the biggest threats to businesses. In our experience, this is usually down to negligence, not malice. But it only takes one disgruntled insider to impact your organisation, so it’s wise to be ready.
Vast numbers of people are enduring furlough. Sadly, some are now facing redundancy, never to return to their roles. So, let’s assume they’re on heightened monitoring and they’re aware of it. The monitoring exists for mutual protection; to ensure they’re logging in for essential email with you only, and not working. And on the other side of the fence, that they’re not overstepping the boundaries by entering environments they shouldn’t.
Let’s take an extreme example. Jay has held a sales role for five years and has a reputation for loyalty and hard work. But Jay has taken the news of potential redundancy badly, seeing it as a smack in the face. Financial worries may be clouding his judgement too. Jay’s now contemplating becoming a freelance consultant and feels entitled to take your contact database with him. After all, he worked hard to build those relationships.
If you then find that Jay has taken those records, it’s too late – the damage is done. You must be alerted to the risk before anything happens.
How you can stop your employees from taking your data?
After policy, your second layer of security is the ability to predict potential data exfiltration. Identifying the potential for something to happen is better than trying to manage the aftermath.
- Detect user sentiment – what is the tone of their messages? Are they giving off a negative vibe? Are they criticising your organisation?
- Run retrospective queries on a user’s behaviour, say in the 30 days before their redundancy notice (over the consultation period).
- You can even link the Insider Risk feature to your HR portal. As soon as an exit date is set, IR will automatically run a retrospective investigation, to see if there are any changes in the individual’s actions. For example, downloading more than they typically would.
The picture delivered by IR will show you if that person may have a propensity to do things they shouldn’t, giving you the time to take preventative measures.
The IR data is anonymised, ready for a human investigator to examine. If – and only if – the investigator finds just cause is the individual’s identity revealed. This anonymisation protects you from defending your organisation from the accusation of heavy-handed or invasive monitoring in any legal action or tribunal case.
Learn more about safeguarding your organisation in these unprecedented times
Join us for Digital Revolution Live in November, and hear from Pravesh Kara, Luke Kiely and our other cybersecurity experts. Join them for these two interactive sessions:
- You versus the cyber threat: how do you win? (10 November)
- Cybersecurity in lockdown and beyond: how to stay ahead of the cyber criminals (11 November)
And there’s a bunch of other topical sessions, addressing common organisational headaches like remote collaboration, ageing tech and employee engagement. For an at-a-glance overview of Digital Revolution Live, click here. To view all the content on demand, register below.