The United States Department of Homeland Security (DHS) and the United Kingdom’s National Cyber Security Centre (NCSC) issued new guidance to inform businesses and organizations of the growing use of COVID-19-related themes by malicious cyber actors. Taking advantage of the global emergency and the rapid transition to telework arrangements, cybercriminals are targeting individuals, small and medium enterprises, and large organizations with COVID-19-related scams and phishing emails.
As described in our recent advice, Data Privacy Concerns: Tips for Teleworking During Coronavirus, the transition to telework can leave organizations of all sizes exposed to new cybersecurity threats and vulnerabilities. The threats being observed by DHS and NCSC include:
- Phishing, using the subject of coronavirus or COVID-19;
- Malware distribution, using coronavirus or COVID-19- themed lures;
- Registration of new domain names containing wording related to coronavirus or COVID-19;
- Attacks against newly deployed remote access and teleworking infrastructure; and
- Sophisticated social engineering attacks, often taking advantage of concern around the coronavirus pandemic in order to persuade potential victims to click a malicious link or download a file containing malware.
The DHS and NCSC guidance provides in-depth analysis of these cybersecurity threats and includes links to numerous additional federal resources. All of this information can be utilized by information security staff to patch gaps in information systems or cybersecurity protocols, educate workforce members on current and emerging cybersecurity threats, and anticipate the type and manner of future attacks.
The DHS and NCSC guidance is available in full at https://www.us-cert.gov/ncas/alerts/aa20-099a.
As we expect to see additional cybersecurity guidance issued by federal regulators as the outbreak continues, stay tuned to our Coronavirus (COVID-19) Resource Center for ongoing advice and notifications. If you have any questions, please do not hesitate to contact any member of our Data Privacy and Protection group.