Accelerated digitisation and cybercrime in a post-COVID-19 world

Original news

UK Finance says coronavirus has fuelled spike in impersonation scams, LNB News 16/09/2020 39

UK Finance is urging people to be aware of criminals exploiting coronavirus to target their victims, after figures revealed a sharp rise in impersonation scams in the first half of 2020. According to the trade association, almost 15,000 impersonation scam cases were reported in the first half of 2020, up 84% compared to the same period in 2019.

How has the pandemic accelerated digitisation and, consequently, opportunities for cybercriminals to exploit?

Without doubt, the pandemic has accelerated digitisation and, as a consequence, created opportunities that cybercriminals can use to their advantage.

The global pandemic forced us to reinvent the way we work and live. During the lockdown, we all turned to the internet for a sense of normality: shopping, working and learning online at a scale never seen before. Traditional, paper-heavy industries were forced hastily into the digital world. Sectors that were holding on to the old-fashioned ways of working with pen and paper were made to rethink. It meant that most started using systems and networks that had been secured as an afterthought rather than after in-depth planning.

Running parallel to this, the government’s support and intervention programmes (which were put together with more emphasis on ease of access and speed, rather than security) offered a raft of opportunities, both for direct fraud and for impersonation. Then came the targeting of those whose jobs have gone or are at risk.

The combination, regrettably, led to a rapid evolution of opportunities for cybercriminals to exploit. So much so that in May 2020, in one of the government’s daily briefings, Home Secretary, Dominic Raab, gave a stark warning about the risk posed by cyber criminals, saying:

‘There will always be some who seek to exploit a crisis for their own criminal and hostile ends. We know that cyber criminals, and other malicious groups are targeting individuals, businesses, and other organisations by deploying COVID-19 related scams and phishing emails.’

In these extraordinary times, the goal is surely to ‘stay safe’ but also to ‘stay cybersafe’, particularly as in these exceptional times the internet is providing so many of us with access to the world and the means by which our businesses can hope to survive.

What trends are we seeing in criminality?

An INTERPOL assessment of the impact of the pandemic on cybercrime has shown a significant target shift from individuals and small businesses to major corporations, governments and critical infrastructure.

With organisations and businesses having to rapidly deploy remote systems and networks to support staff working from home, criminals are taking advantage of increased security vulnerabilities to steal data, generate profits and cause disruption.

In one four-month period (January 2020 to April 2020) some 907,000 spam messages, 737 incidents related to malware and 48,000 malicious URLs (all related to the pandemic) were detected by one of INTERPOL’s private sector partners. During the same period, Action Fraud reported that 18.5% of all fraudulent emails were directly pandemic-related. In contrast, there was a 32% reduction in total crime during April 2020 and May 2020, compared with a two-month average in the pre-lockdown period.

Despite this increase in reporting of cybercrimes, we know that the percentage of prosecutions will be considerably less. We have not yet seen 2019 figures but, in 2018, of the 17,900 incidents of computer hacking reported in the UK, there were only 65 prosecutions; a prosecution rate of under 1%. This reflects the scale of the problems faced by the authorities in tackling cybercrime when perpetrators are difficult to identify and pursue.

What is at the top of the cybersecurity agenda in the wake of coronavirus?

The top of the cybersecurity agenda in the aftermath of coronavirus is how to work safer at home. So many staff now work from home. This is a change that is likely to stick and many businesses must recognise the vulnerabilities that exist in this situation. There is likely to be a distinct lack of security awareness among staff and it is possible that many will have adopted an ‘out of sight, out of mind’ attitude; having deviated from their usual office ways of working where they were under the watchful eye of compliance officers.

It is likely that the early months of lockdown were dealt with flexibly regarding compliance, as employers had little time to prepare for the pandemic’s effects. The risks that businesses face, therefore, are not only external ones—there are very real insider threats posed by employees working from home and making mistakes. Looking into the future, there needs to be ongoing and robust employee training and awareness raising about cyber risks for all staff who work away from the office.

What are the biggest regulatory challenges inherent in these changes?

If the 2008 financial crisis is anything to go by, we can expect a focus on financial institutions having to account for any failures and regulatory breaches. Following the 2008 crash, we saw decisions made by firms come under close review, with record-breaking fines and stringent remediation programmes ordered by regulators. Financial institutions, therefore, must ensure that decisions made and conduct taken throughout the crisis can be supported by documentary evidence and stand up to scrutiny.

There is also a regulatory risk with regard to those who fall victim to cybercrime. Businesses suffering cyberattacks may be vulnerable to legal or regulatory penalties. For any cyberattack that affects a business, it must be considered whether that business has a legal or regulatory obligation to inform the relevant regulator and/or the Information Commissioner’s Office (where any personal data has been accessed or obtained).

With so many working from home, there are also issues related to the General Data Protection Regulation, Regulation (EU) 2016/679 and the potential for data being transferred outside of the European Economic Area.

As discussed above, compliance was handled flexibly by employers at the start of lockdown. But it should be remembered that regulators did not formally relax their expectations or requirements. Firms should, therefore, be ready and able to explain their decisions and actions (and refer to supporting documentation) in relation to any temporary solutions regarding regulatory compliance. Regulators will be very interested in whether cybersecurity policies that firms have implemented are robust and effective.

Interviewed by Pietra Asprou.