It's hard to believe, but some cybercriminals are trying to take advantage of the coronavirus crisis.
They seek to exploit IT weaknesses and use our fears and insecurities to obtain passwords, infiltrate company networks or launch cyberattacks. We have therefore put together a short overview of measures to decrease cybercrime risks in the current extraordinary situation.
The following forms of cybercrime are very common right now:
Victims receive a request, supposedly from a trustworthy entity, to follow a link to a deceptively real-looking copy of that entity's website and to log in. In doing so, the user unwittingly discloses secret credentials.
Employees receive very professional fake e-mails which appear to be from the CEO or another high-ranking person in the company with the urgent request to make an emergency payment due to the exceptional situation and to temporarily disregard compliance requirements. In some cases, employees are also threatened with dismissal or other measures if they refuse to comply. As a result, large amounts of money are often transferred to accounts abroad that cannot be recovered.
The recipient is asked to open an attachment in an e-mail or to click on a link, which then installs malware on the device. This allows the perpetrator to obtain passwords and confidential data. In light of the COVID-19 pandemic, even the WHO had to warn about cybercriminals masquerading as the WHO to steal money and sensitive information.
The system or the data on it is encrypted, and the user is threatened with deletion of all data unless they pay a ransom (e.g. in Bitcoin).
Although many companies have now switched to home office, it is doubtful that they all have adequate technical and organisational measures in place to protect against cyberattacks. Many employees are not used to this form of work and use private devices, which increases security risks. All companies should therefore develop individual strategies and organisational measures to counter cybercrime risks. But even simple measures may help decrease cybercrime risks. These can include:
Raising awareness
Employees should be informed about and sensitised to the forms of cyberattacks. A common approach should be discussed with the IT department. Even simple Do's & Don'ts for employees can help:
Check and adapt IT infrastructure
The new security risks resulting from home office work should be discussed with IT and appropriate security measures should be taken.
Checklists
To take the right steps in an emergency in a coordinated and effective manner, it is advisable to draw up checklists with clear instructions and guidelines, such as what emergency measures are to be taken and in what order and by whom, and who is to be informed by whom (e.g. lawyer, IT, etc.).
The Austrian Criminal Code ("ACC") contains various provisions against cybercrime, such as:
Affected companies are well-advised to assess possible actions under criminal law, especially as criminal proceedings provide the following advantages:
Criminal proceedings are therefore a good way to limit damages and to clarify the situation.
To initiate criminal proceedings, victims would in practice file a statement of facts (Sachverhaltsdarstellung) with the public prosecutors' office to encourage it to open an investigation. It is crucial that such a statement includes strong evidence, as the initiation of criminal proceedings requires sufficient initial suspicion (Anfangsverdacht). Therefore, companies affected by cyberattacks should in any case document the attack as well as possible and involve legal and IT experts from the start.
Cyberattacks may also affect the company's contractual partners or third parties. Therefore, it should be assessed whether the relevant contracts provide for specific (information) obligations in such cases. Furthermore, general civil law also imposes information and protection obligations in certain cases, as well as a general duty to minimise damages. If private data is affected by the attack, obligations under applicable data protection laws also need to be assessed.
In case of a cyberattack, the affected company should immediately consider and clarify the following:
Please do not hesitate to contact us if you have further questions on this topic or if you are affected by a cyberattack.
This article is part of our coronavirus-focused legal updates – visit our coronavirus infocorner to get more info!
Michael Lindtner
Attorney at Law
Vienna, Austria