Cyber Crime & Corona: BSI sees increased threat level for companies

How companies can protect themselves during the crisis

Cyber-risks during the corona crisis – Why IT security remains important

The German Federal Office for Information Security (BSI) sees an increased threat to the cyber-security in companies during the corona-crisis. Besides reports of an increase in phishing-mails in which the receiver is asked to enter personal data and the growing concern about cyber attacks on system-critical facilities such as hospitals or pharma companies our experts have received an increasing number of enquiries from companies that have been victims of cyber attacks in recent days. The risk of cyber attacks is particularly caused by the inexperience of many companies and employees in dealing with new technologies in times of increased work from home, the high time pressure and the resulting error-proneness of the implementation of technical solutions in the current corona-crisis.

Cyber attacks can not only trigger the obligation to report relevant transactions to the responsible regulatory agency or the notification to interested parties. Unfortunately, in many cases they also lead to system failures, the loss of data and high costs for the elimination of the consequences of such attacks.

Especially during the corona-crisis, all companies are strongly advised to take all necessary measures to protect themselves effectively from cyber attacks and not to neglect the IT security of the company.

How can companies protect themselves against cyber attacks?

The best protection against cyber attacks is the implementation of adequate IT safety measures.

Each company is obligated to maintain an adequate standard of IT security for its own systems and those of its service providers in line with the state of the art - even in times of greatest hardship.

A first guideline is provided by the requirements of Art. 32 GDPR, which among other things requires measures to ensure the confidentiality, integrity, availability and resilience of the systems and services in connection with the processing in the long term.

In the absence of more concrete legal requirements, companies are often faced with the challenge of determining the adequate level of protection and the measures to be derived from it. The required measures are to be evaluated within the framework of a risk-based approach and depend on the way in which personal data is processed. The more sensitive the data, the more risky the business activity, the more secure the relevant systems should be.

Assistance is provided here by the handouts of the BSI (see below) and the various German and European supervisory authorities. Against the background of the growing professionalism of the attackers, also and especially in the corona crisis, it makes sense to fall back on the advice of external IT security specialists who know the specifications, solution approaches and industry standards and can effectively support companies in the conception of suitable IT security standards.

IT security in the Home Office – What needs to be done?

These days many employees are working from home. Maintaining IT security under these circumstances is a major challenge for many companies. At the same time, new and for many companies still unknown dangers are lurking in the home office.

The employer remains responsible for data protection in the home office and compliance with the GDPR and providing for sufficient technical and organisational measures for IT security. Employees are to be provided with appropriate regulations in order to uniformly define the framework conditions and obligations in connection with working from the home office.

Individual measures are particularly important for working from home:

The use of business systems as well as access to company data and e-mails should only be made possible via secure access (e.g. VPN access) with robust access verification. In addition to encryption "in transit" of communication with the company network, the company terminals should have reasonable protection mechanisms (password protection, encryption). The company must ensure that employees are unable to deactivate or circumvent default protection mechanisms without further ado, especially in the "turmoil" of the corona crisis.

If third parties (e.g. family members, flatmates) have access to the home office of the employee, the employee should ensure that the risks of unauthorised access to data by third parties are minimised, e.g. by

• locking the computer when leaving the workstation,
• locking the study when absent,
• only make confidential telephone calls when it is impossible to listen in.
  
  

Personal and confidential data should only be processed directly at the employee's home office. If this is not possible, the data to be protected should in any case be stored in a lockable cabinet. Finally, the employee should ensure that all documents that are no longer required are destroyed in a manner that complies with data protection regulations (e.g. by shredding the document into small pieces).

Further necessary measures can be found in the overviews published by the BSI on the subject of "telework". In addition, our experts have designed a special FAQ on the legal requirements in the home office, which you can find in an updated version here.

Raising awareness – What do employees need to know?

Experience has shown that the greatest risks to IT security arise where employees act carelessly or are not sufficiently sensitized to the corresponding dangers. Training and sensitization of employees is therefore one, if not the most important part of an efficient IT security strategy.

Employees must be given a clear understanding of what is possible and what is taboo when it comes to IT security - and what dangers lurk in the corona crisis! Especially in times of corona, attackers take advantage of the employees' insecurity. Also during the crisis, it is helpful to inform employees about the essential security measures, e.g. in a short instructional video or online briefing.

Particularly against the background of the growing danger of cyber attacks by phishing and ransom/malware, among others, employees should be clearly advised of the corresponding risks and the proper handling of these sources of danger, especially during the Corona crisis.

The following recommendations, which the BSI also makes, are essential:

• E-mails from unknown senders should be checked carefully and both the sender and the links contained in them should be thoroughly scrutinised.
• Caution is advised before opening unknown files, especially if their origin is not clear.
• Email addresses should be examined carefully before opening the emails; often, spelling mistakes indicating fraudulent intentions only become apparent on second glance.
• The same applies to email texts. Often spelling and grammar mistakes as well as unusual salutations or formulations indicate harmful content.
• Beware of emails from external senders that contain links to alleged programs for home office work or video telephony. Corresponding applications can only be obtained after checking and consultation with company IT and if so, only from the original sources (e.g. the appstores).
• In cases of doubt, the correctness of corresponding requests should be checked by calling or otherwise asking the relevant decision-makers. Do not use any of the contact data (such as telephone numbers) from the e-mail, but rather the contact data already known to the employee, which can always be researched using the company's internal telephone books or intranet information.
• The use of private devices for home office work should be prohibited as far as possible or only permitted under special restrictions. Since the security of the respective devices can no longer be controlled centrally, this often results in risks that are difficult for companies to control.

Further tips and information on the use of private devices in the home office ("Bring your own device" or BYOD for short) can also be found on our website.

What other preventive measures can companies take?

Even before the (possible) incident, companies should continue to prepare for the emergency. For all companies currently struggling with the corona crisis, it should be a great challenge to draw up further plans for e.g. cyber attacks in addition to dealing with the crisis. However, a certain amount of planning ahead will pay off in the event of an emergency, so that at least the most important steps can be carried out quickly and effectively in the crisis. Essential points of such a plan are:

• Definition of responsibilities
• Escalation paths for the integration of the Management
• Development of flow charts and emergency measures
• Implementation of a system for internal reporting of such incidents
• Identify a team of external experts who can provide rapid support in the event of an attack, consisting of IT experts, legal advice and communication specialists
• Definition of contact points with competent authorities in order to be able to make any notifications in good time.
  
  

Last but not least, cyber-insurance can also be a useful component in the protection package before and after cyber-attacks - also and especially during the corona crisis. Depending on their design, they not only mitigate the financial consequences of a cyber attack. Based on their experience, insurers can also provide further valuable assistance in the event of an incident: through appropriate contacts with specialists, but also before that by providing appropriate checklists and further instructions.

What needs to be done if the company has been a victim of a cyber attack?

Should a cyber attack occur, the following steps should be taken to mitigate the risks:

1. Eliminate the danger – call in experts!

IT security incidents are extreme situations that can sometimes lead to great psychological stress for the persons involved. A contingency plan helps to ensure that no essential steps are overlooked and also provides a certain amount of legal security when it comes to finding and eliminating the sources of danger and closing possible gaps in the first few hours.

In times of corona and the associated challenges such as staff shortages, absence of the responsible employees and increased cost pressure, this is an even greater challenge for many - if not all - companies, but one that can be mastered with appropriate preparation.

Experts can help to quickly find the causes of a cyber attack and to quickly and efficiently contain the risks and possible resulting damage to the company. IT experts give advice on which measures are particularly important in the first few hours to protect company systems (e.g. changing passwords, virus scans, resetting systems and hardening IT security for future threats).

2. Document the incident and the reaction adequately

All findings about the detected or suspected cyber attack must be thoroughly investigated and documented. This is essential, among other things, in order to be able to inform authorities and affected persons adequately in the event of an incident. Since the facts are often diffuse, the advice of experts is usually indispensable. Evidence such as log files must be secured in time before they are (automatically) deleted. Subsequently, a comprehensive documentation helps to analyse the processes and to draw conclusions for process improvements and measures to prevent future attacks.

3. Involve law enforcement authorities

Law enforcement authorities can sometimes achieve more than the injured parties themselves in prosecuting the perpetrators. For example, follow-up data can be obtained, search measures can be initiated, or information can be obtained from other sources that are otherwise not accessible, which can be helpful in the subsequent prosecution of civil law claims. As such measures lose their effect over time, it is important to act quickly and in close coordination with the authorities - even if in practice such measures will unfortunately be successful in the rarest cases.

4. Check for notification obligations and act if necessary

Depending on the operation, notification to data protection authorities and/or the data subjects will be required. First of all, the relevant deadlines must be determined immediately upon discovery of the attack. Reports to data protection authorities must be made within 72 hours (for the requirements see Art. 33, 34 GDPR). Whether such a report is actually to be made often requires a forecast decision with regard to the existing risk for the persons concerned, because the situation will be clear in the rarest cases. In order to avoid unnecessary reporting and to ensure a legally strategic approach, specialised legal advice should be obtained. Points to be clarified in this context are regular:

• Data access by the attackers yes/no
• Sensitivity of the categories of data concerned (payment data, health data, etc.)
• Consequences for data subjects (e.g. risk of fraud)
  
  

In any case, the communication and defence strategy should be clearly defined before a notification is made. It must be reported “in advance”. Depending on the process, reporting can be the first step in a lengthy communication with the authorities, which can later also involve the investigation of legal violations by the reporting company. For this reason alone, a report should always be preceded by at least a brief examination of the company's data protection compliance in order to be prepared for any inquiries. In many cases, however, it has proven to be a good idea to work together with the authorities in a cooperative and constructive manner!

5. Don’t forget data protection during the corona-crisis!

Particularly in the stressful situation of a cyber attack, elementary (data protection) legal requirements are often overlooked in internal and external investigative measures, which in an emergency can lead to a subsequent ban on the use of evidence and separately sanctionable data protection violations. Especially before employee screenings or the personalized control of log files, the measures should therefore be legally reviewed. In times of corona, these requirements are particularly challenging for companies, but remain essential in order to be able to act in a legally secure manner.

What we can do for you

In general, and especially in times of Corona, it is best to remain calm in case of a cyber attack. Inconsiderate measures can often deepen the damage. Professionals can help to avoid such mistakes. For dealing with future incidents, companies must learn from mistakes and be (legally) prepared for the next attack, be it by further hardening IT security or by further improving processes.

We regularly support companies in connection with cyberattacks, regulatory reports, information of affected persons and the "clean-up" after a corresponding incident - even during the corona crisis! We have a large team of experts who have extensive experience in dealing with cyber attacks and can support you quickly and efficiently.


We have compiled on our website comprehensive information and recommendations for action in response to the legal implications arising from the coronavirus pandemic: Coronavirus - legal issues