As most financial services firms move to an off-site working model and navigate the “new normal,” it is even more critical that they take steps to mitigate the increased cybersecurity risks arising from the COVID-19 pandemic.
CISA and FINRA have emphasized the need for firms' employees to practice heightened vigilance against cybersecurity threats that target people as the weakest link. CISA and other government agencies have been warning for several weeks about the dangers posed by cybercriminals and other scammers exploiting the COVID-19 pandemic and self-isolation.
Financial services firms in particular must regularly remind their employees of the threat posed by phishing emails. These emails are becoming more sophisticated and harder to spot, and they are crafted to exploit the uncertainty and anxiety surrounding the pandemic. Here are a few phishing attempts already reported during the COVID-19 crisis:
- Fraudulent purchase orders for face masks or other supplies;
- Communications made to look as if they were sent by the World Health Organization or another health or governmental organization;
- Fraudulent “remote workplace testing” emails that ask for login or other authentication information; and
- Requests for donations that impersonate genuine relief organizations.
To gain access, a phishing attack only needs to convince one employee to open an attachment, click on a link, or hand over authentication credentials. Any one of these could compromise the firm's security or deliver malware that renders some or all of the firm's systems unavailable for an extended period of time. Even under the best of circumstances, a successful phishing attack can cause significant harm and business disruption. Where firms have moved partially or completely to remote work or isolation, or where on-site IT monitoring and support has been reduced, attacks can be even more debilitating and painful to address.
Because employees are a significant point of vulnerability, it is important to use measures such as:
- Email alerts
- Training (which could be conducted using a webinar or a teleconference), and
- Phishing tests (i.e., conducting phishing simulation emails)
These can go a long way toward reducing the risk. A firm's existing information security training programs and materials can, and certainly should, be leveraged for this purpose; they should now be tailored, to the extent possible, to the current COVID-19 situation.
Important: Create or Have a Plan for Responding to a Cybersecurity Incident
Finally, firms should prepare for the possibility of a cybersecurity incident. Firms should immediately evaluate any incident response team and plan currently in place to ensure that it is capable of responding in the current environment. If a cybersecurity incident were to occur, firms must consider whether notices are required to be provided to personnel, other affected individuals (e.g., customers or clients), or governmental authorities. For instance, if client information is stolen or extorted from a firm's systems, reporting obligations under various data breach notification laws could be triggered.
If you have any questions, feel free to contact us.