By Francesca Mundy, Lawyer and Senior Legal Editor at Sparqa Legal


Amid the COVID-19 pandemic, the National Crime Agency (NCA) has identified a surge in ‘coronavirus-themed’ malicious apps, websites, phishing emails and messages that seek to steal confidential or sensitive information.

Whilst the Government recently warned about cyber criminals specifically targeting organisations involved in the pandemic response (such as healthcare organisations), the National Cyber Security Centre (NCSC) has warned that individuals and businesses of all sizes are vulnerable to attack.

To help, we’ve taken a look at how your business can keep ahead of the curve by identifying and addressing any potential cyber vulnerabilities.


What should businesses be looking out for? 

In joint advisories published with the United States, the UK’s NCSC has identified the following key types of COVID-19 cyber attacks to look out for:

  1. Francesca Mundy


Email, SMS, or WhatsApp messages with COVID-19 related content that encourage people to click on links to phishing websites where personal or financial information is stolen.

  1. Registration of new domain names

Phishing emails or messages may lure people to click on links to websites that will take them to a ‘spoofed login’ page designed to steal user credentials.

  1. Malware distribution

This will usually be an email asking recipients to open an attachment or download a file, which contains malware or ransomware and therefore compromises their device.

  1. Attacks on remote working systems 

Cyber criminals are exploiting vulnerabilities in systems such as Virtual Private Networks (VPNs) and videoconferencing systems; for example by sending emails with links to malicious files that claim to be links inviting someone to join a call.

  1. Password spraying

Malicious cyber groups try commonly used passwords to gain access to and compromise accounts.


What steps should your business be taking to protect itself? 

  • Review your policies and procedures 

There are different HR policies that your business can put in place to ensure smooth and secure home working. Although these are not strictly legally required, they are best practice and can help to safeguard against potential cyber attacks.

A working from home policy can set out your expectations for your staff, including in relation to data security and confidentiality. This should be complemented by a separate data protection policy outlining what duties your staff are under when they are handling personal data, including ensuring that it is always processed securely.

An IT security policy can include requirements relating to passwords, the physical security of devices and protocols around installing software. If you already have an IT security policy, you should review it to make sure it is fit for purpose and consider that the NCSC recommends the use of two-factor authentication wherever possible.

If you allow staff to use their own devices whilst working remotely, consider a ‘bring your own device’ policy. This will help you to ensure that staff appropriately secure those devices and protect your business’s sensitive information.

It is also sensible to have a personal data breach policy setting out your business’s response plan if a data breach occurs following a cyber attack.

  • Provide training and support for staff

Cyber criminals often target individuals, so make sure your staff are aware of the risks to look out for. It may be beneficial to recirculate your policies, refresh their training on relevant security procedures or to circulate specific examples of COVID-19 cyber attacks. Make sure your staff know what to do if they identify a cyber attack or they think there might have been a data breach.

Your staff will also still need IT support whilst working from home, so check whether your normal services will continue. If support is easily available, IT vulnerabilities are likely to be identified sooner.

  • Back-up!

Make sure staff regularly back up their work and save it separately from the original (e.g. by using a cloud service). Any back-ups should also have strict security measures in place; for example, access should be restricted to specific people within your organisation. If important data is backed up, you won’t lose it if devices are lost or stolen and you can protect your business from ransomware attacks (which make your system or data unavailable until you pay a ransom).

  • Check your remote working systems 

If your business is used to having staff work remotely, check that your remote working systems are updated with the most recent security patches and firewalls. If home working is new to your business, make sure that the systems you are using are fit for purpose and that you have applied appropriate and up-to-date security functions (e.g. ensuring that virtual meetings require password entry).

  • Secure your devices 

Make sure you take steps to secure devices whilst they are outside the workplace. For example, ensure encryption is turned on and that you can remotely lock devices and erase or retrieve data that is stored on them in case they are stolen.

If staff are working on personal devices, make sure they save work remotely, check that their antivirus software is up-to-date and remind staff to ensure the physical security of their work by locking their screens when they are not working.

  • Remember GDPR!

Any data that your business handles that contains personal information will trigger data protection law.

If there has been a personal data breach due to a cyber attack (i.e. a breach leading to the destruction, loss, alteration, unauthorised disclosure of or access to personal data) and that breach carries some risk to individuals, you will have to notify the ICO (Information Commissioner’s Office) within 72 hours of becoming aware of the breach. You may also need to notify affected individuals. Even if you do not need to report the breach to the ICO (because you don’t think there is a risk to individuals) you should keep a written record of it.

These legal obligations are a reminder of the importance of businesses having appropriate cyber security policies in place to ensure that they can both protect their business from attack, and comply with their legal obligations if an attack does occur.


Sparqa Legal is an online platform providing expert legal guidance and autogenerated documents for all businesses. Founded by a team of senior barristers and tech executives, Sparqa Legal is on a mission to make law accessible and recently launched the Sparqa Post to provide free expert advice to SMEs on all their legal needs. 

The content in this article is up-to-date at the date of publishing. The information provided is for information purposes only, and is not for the purpose of providing legal advice. ©Sparqa Limited 2020. All rights reserved.



Explore more