For many organisations, remote working has become the new normal during the pandemic, with home and hybrid working set to continue in the coming months. Digital technologies offer businesses huge benefits in these unprecedented times – but the increased scale of remote working has also raised new cyber security and data protection questions and risks. It can also be daunting for employees who hadn’t worked from home before.
What’s the latest information and insight?
It’s common for criminals to take advantage of emergencies – and coronavirus is no exception: evidence has emerged that criminals are trying to prey on people’s fears about COVID-19 to steal money and sensitive data. Since the beginning of March, there has been a 667% spike globally in fraudulent attempts to obtain sensitive information, known as ‘phishing’.
With stretched resources and staff who might be more stressed than usual or newer to remote working, ensuring good cyber resilience and data protection standards could be challenging. But action must be taken: the average cost of a breach was £4,180 in 2019, and the real price to pay could be much higher due to longer-term consequences like reputational damage.
How should your business respond?
Managing the cyber risks introduced by homeworking at scale
Maintaining good cyber hygiene and data protection practices is vital, both on the technical side and when it comes to engaging employees to prevent attacks.
The UK’s National Cyber Security Centre (NCSC) is a world-class advisory body, with free resources for firms and employees.
- Start with the basics: introduce a cyber strategy. If you are attacked, what’s the most important thing to protect? How will you respond? Who is responsible for each action in your response plan? The NCSC’s 10 steps to cyber security and board toolkit are good places to begin
- Adapt your policies for home working: even if you already have strong cyber security policies and protocols in place, think about how they might have to adapt if you’ve introduced or scaled up home working. The NCSC’s home working guidance recommends steps you can take
- Protect your business from phishing: phishing is the most common type of cyber attack. Phishing typically entails sending an email that directs victims to a site which steals their information. It can also extend to ‘spear phishing’ – more targeted to specific individuals – and ‘whaling’ – directed at high-profile targets like senior executives. It’s impossible for users to spot every phish – but there are simple steps your business can take to protect your people and business. The NCSC has multi-layered strategy guidance on phishing
- SMEs should take action too: Although cyber security can feel like a daunting challenge for smaller firms, with over 6 in 10 SMEs reporting a cyber breach, introducing and maintaining good cyber practices is vital. The NCSC’s small business guidance contains advice for SMEs.
- Refresh your knowledge: to boost your confidence or simply refresh your knowledge, try the NCSC’s free, 30-minute e-learning training package, ‘Stay Safe Online: Top Tips for Staff’
- Think before you click: Phishing can be difficult to spot. Read the NCSC’s advice on phishing, with information on what to look out for and what to do if you’ve already clicked.
Protecting your data
Data is at the heart of the fight against the spread of COVID-19, helping scientists and officials to conduct the analysis and make the decisions that keep us safer. But businesses have also had questions about data protection during the pandemic – for example, where they want to carry out workplace testing.
The UK’s data regulator, the Information Commissioner’s Office (ICO), has stressed that it understands these exceptional circumstances. It has updated its regulatory approach in response to the pandemic, releasing new guidance and a hotline to help firms navigate tricky questions.
- The ICO has established a data protection and coronavirus information hub to support companies, including health and social care organisations, on a range of issues.
- If the FAQ page doesn’t answer your questions, call the ICO hotline on 0303 123 1113.
Frequently asked questions
- What are the most important things to think about when improving our cyber security as we scale up home working? Many businesses are taking positive steps to improve their cyber security, but just 16% have a plan for dealing with a cyber attack. Start with the basics – what do you want to protect? – and build your strategy up from there
- What kinds of attacks should we be looking out for? Phishing attacks are the most common, and businesses have seen a rise in those related to the coronavirus: for example, claiming to have a cure for the virus or impersonating authorities like the WHO or HMRC
- What if our data protection practices don’t meet our usual standards or our responses to information rights requests take longer during the pandemic? The ICO has made clear that it won’t penalise organisations for prioritising other areas or adapting their approach due to limited resources during the pandemic.
- Watch the CBI’s webinar on cyber security during the pandemic with Felicity Burch, Director of Innovation, CBI and Mark Weir, Regional Director UK&I, Cisco
- Read our article, Why your board must be involved in cyber defence
- Read the CBI’s factsheet on workplace testing for more information on testing in the workplace, including data protection considerations.
- The Financial Conduct Authority’s ScamSmart toolkit
- HMRC’s detailed information on phishing and scams
- ICO Check. Share. toolkit, communicating the importance of information security to staff.
CBI members are also offering cyber services and resources:
- Cisco has free remote working tools. UK&I Director of Cyber Security Mark Weir joined the webinar and shared some of his top tips for businesses looking to improve their cyber security, including: start with the basics – plan a cyber strategy; think about physical security (for example, if you’re using your laptop on a patio); keep up to date with the latest patches to fix security vulnerabilities
- ELEMENTARYb is launching to help medium-sized businesses manage their financial and risk needs and is offering cyber advice to help protect businesses in need of support resulting from COVID-19. If you have any queries, please email firstname.lastname@example.org with the details of your issue, full company and contact information, and the nature of the ask
- KYND uses an organisation’s website address to instantly identify any critical cyber risks it may be facing. It is offering this service for free to small businesses or charities affected by COVID-19 that don’t have cyber insurance to protect them
- Microsoft UK have launched their 'Supporting Resilient Operations' report and hub, which houses 10 solutions to help businesses adapt as quickly and effectively as possible. It contains advice and content with themes ranging from remote working and remote learning to intelligent security, digital inclusion and technical support
- Sophos are offering a number of free services, including Sophos Intercept X for mobile (an app to protect phones and iPads) and Sophos Home, free security software for Macs and PCs
- UK Finance’s Take Five campaign offers simple, impartial advice that helps prevent email, phone-based, and online fraud – including a simple checklist to help spot fraud and avoid scams.