With the disruption and uncertainty caused by COVID-19, organisations need to be aware of the heightened cybersecurity risks and take measures to protect their organisation and workforce while working remotely.
Amidst the disruption to everyday life and regular business practices brought about by COVID-19, conditions are ripe for abuse and attack by cyber criminals. Authorities and security researchers in various jurisdictions have reported a surge in cyber-crime during the current COVID-19 situation (See our article Cybersecurity Update: COVID-19). Of particular concern are reports of highly sophisticated and targeted spear-phishing attacks on organisations in badly affected industries like oil production. These attacks stood out for their familiarity and knowledge of ongoing projects and players, as well as the limited amount of grammatical errors and sloppiness that are typical of similar attacks – making the attacks difficult to identify and respond to. Other common attacks have taken advantage of the COVID-19 situation by posing as a government or health authorities (such as sending emails pretending to be the World Health Organization which contain malicious links and/or request certain information) or purporting to share information about COVID-19 or confirmed cases of COVID-19.
Organisations and their officers need to be cognizant of the heightened cyber risks during this period when most if not all of their workforce is working remotely often without full protection of corporate firewalls and other security measures. The immediate risks of direct financial loss, data breaches and reputational damage are often readily understood by organisations; while it is perhaps more difficult to appreciate the potential impact of a seemingly minor probe or breach today which may set the stage for a full attack later (such as credential harvesting, privilege escalation and advanced persistent threats). It is not uncommon that the impact of an attack may only be fully felt long after the initial attack, for example where sensitive data (such as personal data, trade secrets or confidential communications) has been exfiltrated and are further exploited (such as when made available for sale on the dark web or used for ransom or blackmail), or that these attacks may be part of a broader campaign taking the attackers one step closer to the organisation’s customers, contacts and even the industry at large.
As organisations settle in for an extended circuit breaker period in Singapore, corporate officers still need to exercise effective control and management of the business while also discharging their duty to manage the risks, including cybersecurity risks, faced by their organisations. For organisations that have not done so, they should take this time to conduct an impact assessment of their remote working practices against data protection or other risk management policies. Even if organisations have done an impact assessment prior to implementing remote working, it is important to continually monitor and review their remote working practices and how meetings are conducted.
Virtual meetings have come under intense scrutiny recently. Virtual meeting solutions and instant messengers are an almost essential tool for businesses during this period but with the many solutions available, organisations need to be familiar with the settings for each solution to ensure that there are no unauthorised users/attendees (or meeting "bombing"), that motions can be properly discussed, considered and voted on, and that there will not be any unintended disclosures of information. Where possible, organisations should follow the general guidance of using multiple independent channels or factors to conduct verification whether of identities, votes or instructions.
While it would be challenging to implement a sweeping overhaul of an organisation’s infrastructure and practices during this period, organisations can use this opportunity to plan for any improvements once the regular business resumes. In any event, we recommend that organisations develop at least some basic rules on remote working and access to company systems that can and should be implemented as a matter of priority while the pandemic remains. Organisations can take guidance from advisories and guides published by national authorities and various professional cybersecurity and defense organisations. In Singapore, the Cyber Security Agency of Singapore and the Singapore Computer Emergency Response Team have published articles and advisories on how companies can bring their operations online as well as how they and their employees can remain safe while working remotely.
We set out below some pointers and good practices to raise organisations' cyber safety.
(See also our article Singapore Introduces Cybersecurity Labelling Scheme)
(See also our article Signing by Email and other virtual means (including NSW amendments on 22 April) in Australia)
Meetings and Voting
(See also our articles COVID-19: Alternative Arrangements for Meetings for SGX Listed Companies and COVID-19: Holding shareholders’ meetings for private limited companies in Singapore during elevated safe distancing period )
This article is produced by our Singapore office, Bird & Bird ATMD LLP, and does not constitute legal advice. It is intended to provide general information only. Please note that the information in this article is accurate as at 29 April 2020. We will continue to monitor the situation and provide updates on any changes as soon as these are communicated to us. Please contact our lawyers if you have any specific queries.