By Adam Ira, Kightlinger & Gray LLP
Hackers and cyber extortionists utilize emergent situations like the novel coronavirus (COVID-19) pandemic to prey upon unsuspecting consumers and businesses.
Skeleton crews at the office and the general distraction of the developing COVID-19 situation create windows of opportunity for social engineering tactics such as phishing. Now is a good time to remind your team that they are the first, and in some cases, the only line of defense against social engineering.
If you haven’t already, please take time to recognize the hard work your IT team has done to keep your firm running remotely. Their work is far from over, as these times require constant vigilance in attack detection and log review, not to mention the increased demands on your help desk as folks settle in to working remotely. As firms continue to telework for the foreseeable future, it is important to continually reassess your firm’s cyber risk profile. Please consider the following recommendations and best practices in light of the increased cybersecurity risks caused by our world’s response to COVID-19:
• Avoid clicking on links in unsolicited emails.
• Avoid opening attachments in unsolicited emails.
• Know the common indicators of phishing attempts:
    • Suspicious sender’s address. The sender’s address may imitate a legitimate business by closely resembling a reputable company’s email address, with a few characters altered or omitted.
    • Generic greetings.
    • Spoofed hyperlinks. If the address that appears when you hover your cursor over a link does not match the text of the link, the link may be spoofed.
    • Spelling and grammar errors.
    • Suspicious attachments or requests to enter login credentials.
• Watch for emails purporting to be from the Centers for Disease Control and Prevention or experts purporting to have information regarding COVID-19.
• The safest way to access information on COVID-19 is to visit the CDC or Indiana State Department of Health websites directly through your own browser.
• Do not reveal personal or financial information in emails, and do not respond to email solicitations for this information.
• By way of example, a common tactic is an email purporting to originate from a file sharing site that may appear to have been initiated by an otherwise legitimate law firm or perhaps even an attorney you may know of in Indiana. The email will invite the recipient to “create an account” to access the documents by entering a username and password. More often than not, an unsuspecting recipient has just given the same username and password they use for multiple accounts that may contain financial, private and sensitive information. Keep in mind that sophisticated actors may be able to search information on publicly available dockets to specifically target an attack by referencing a case you may be working on.
• Ensure anti-malware and anti-virus software on your network is up to date.
• If your firm is still using Windows 7 as an operating system, strongly consider updating to a newer version of Windows. Windows 7 reached its “end of life” on January 14, 2020, and Microsoft is no longer providing software updates to protect Windows 7 PCs.
• If someone solicits a donation in the form of cash, gift card, or wiring money, do not do it.
• As your organization explores alternate workplace options, consider implementing the following security measures:
    • Ensure Virtual Private Network (VPN) and other remote access systems are fully patched;
    • Enhance system monitoring to receive early detection and alerts on abnormal activity;
    • Implement multi-factor authentication;
    • Ensure all machines have properly configured firewalls.
This article was originally published on the E-Discovery, Information Governance & Cybersecurity Section page. See more from the section at indybar.org/edisc.