For many organisations, home working has become the new normal. Digital technologies offer businesses huge benefits in these unprecedented times – but the increased scale of technology-enabled remote working has also raised new cyber security and data protection questions and risks. It can also be daunting for employees who haven’t worked from home before.
What’s the latest information and insight?
It’s common for criminals to take advantage of emergencies – and coronavirus is no exception: evidence has emerged that criminals are trying to prey on people’s fears about COVID-19 to steal money and sensitive data. Since the beginning of March, there has been a 667% spike globally in fraudulent attempts to obtain sensitive information, known as ‘phishing’. For more information, see the CBI’s factsheet on phishing.
With stretched resources and staff who might be more stressed than usual or unfamiliar with remote working, ensuring good cyber resilience and data protection standards could be challenging. But action must be taken: the average cost of a breach was £4,180 in 2019, and the real price to pay could be much higher due to longer-term consequences like reputational damage.
How should your business respond?
Managing the cyber risks introduced by homeworking at scale
Maintaining good cyber hygiene and data protection practices is vital, both on the technical side and when it comes to engaging employees to prevent attacks.
The UK’s National Cyber Security Centre (NCSC) is a world-class advisory body, with free resources for firms and employees.
- Start with the basics: introduce a cyber strategy. If you are attacked, what’s the most important thing to protect? How will you respond? Who is responsible for each action in your response plan? The NCSC’s 10 steps to cyber security is a good place to begin
- Adapt your policies for home working: even if you already have strong cyber security policies and protocols in place, think about how they might have to adapt if you’ve introduced or scaled up home working. The NCSC’s home working guidance recommends steps you can take
- Protect your business from phishing: Phishing is the most common type of cyber attack. It’s impossible for users to spot every phish – but there are simple steps your business can take to protect your people and business. The CBI’s factsheet on phishing contains more tips and resources.
- Refresh your knowledge: to boost your confidence or simply refresh your knowledge, try the NCSC’s free, 30-minute e-learning training package, ‘Stay Safe Online: Top Tips for Staff’
- Think before you click: Phishing can be difficult to spot. Read the NCSC’s advice on phishing, with information on what to look out for and what to do if you’ve already clicked.
Protecting your data
Data is at the heart of the fight against the spread of COVID-19, helping scientists and officials to conduct the analysis and make the decisions that keep us safer. But some businesses are worried that their data protection practices might not meet their usual standards during the pandemic due to increased remote working and reduced resource.
The UK’s data regulator, the Information Commissioner’s Office (ICO), has stressed that it understands these exceptional circumstances. It has updated its guidance and has a hotline to help firms navigate tricky questions.
- The ICO has answered FAQs (including for healthcare companies) in its advice on data protection and coronavirus: what you need to know
- If the FAQ page doesn’t answer your questions, call the ICO hotline on 0303 123 1113.
For more advice, watch the CBI’s coronavirus webinar, with a special focus on cyber security.
Frequently asked questions
- What are the most important things to think about when improving our cyber security as we scale up home working? Many businesses are taking positive steps to improve their cyber security, but just 16% have a plan for dealing with a cyber attack. Start with the basics – what do you want to protect? – and build your strategy up from there
- What kinds of attacks should we be looking out for? Phishing attacks are the most common, and businesses have seen a rise in those related to the coronavirus: for example, claiming to have a cure for the virus or impersonating authorities like the WHO or HMRC
- What if our data protection practices don’t meet our usual standards or our response to information rights requests takes longer during the pandemic? The ICO has made clear that it won’t penalise organisations for prioritising other areas or adapting their approach due to limited resources during the pandemic.
As well as the resources listed above, CBI members are also offering cyber services and resources.
- Cisco has free remote working tools. UK&I Director of Cyber Security Mark Weir joined the webinar and shared some of his top tips for businesses looking to improve their cyber security, including: start with the basics – plan a cyber strategy; think about physical security (for example, if you’re using your laptop on a patio); keep up to date with the latest patches to fix security vulnerabilities
- ELEMENTARYb is launching to help medium-sized businesses manage their financial and risk needs and is offering cyber advice to help protect businesses in need of support resulting from COVID-19. If you have any queries, please email firstname.lastname@example.org with the details of your issue, full company and contact information, and the nature of the ask
- KYND uses an organisation’s website address to instantly identify any critical cyber risks they may be facing. It is offering this service for free to small businesses or charities affected by COVID-19 who don’t have cyber insurance to protect them
- Microsoft UK have launched their 'Supporting Resilient Operations' report and hub, which houses 10 solutions to help businesses adapt as quickly and effectively as possible. It contains advice and content with themes ranging from remote working and remote learning to intelligent security, digital inclusion and technical support
- Sophos are offering a number of free services, including Sophos Intercept X for mobile (an app to protect phones and iPads) and Sophos Home, free security software for Macs and PCs
- UK Finance’s Take Five campaign offers simple, impartial advice that helps prevent email, phone-based, and online fraud – including a simple checklist to help spot fraud and avoid scams.