IT considerations during the COVID-19 outbreak

Updates – May 2020

Video conferencing programmes

Funded partners should prepare for a long-term remote working scenario, which should include a risk assessment of the security issues associated with video conferencing software. Popular video conferencing platform Zoom has faced security issues where unauthorised users accessed conference calls, while identified vulnerabilities in Microsoft Teams allowed attackers to take over the entire roster of organisations’ Teams accounts.

Microsoft Exchange critical patch

Funded partners should also ensure that all critical security patches have been applied to remote access systems and that secure configurations have been used. In February, Microsoft released a patch to resolve CVE-2020-0688. An independent global survey was conducted in April which highlighted 350,000 Exchange servers as unpatched.


IT considerations during the COVID-19 outbreak

Increasing numbers of malicious cyber actors are exploiting the current Coronavirus (COVID-19) outbreak, using related themes for scams and phishing emails. New working arrangements brought about by social distancing have also changed and increased the risk environment. IT systems are under threat, but can also be used to keep organisations running as effectively as possible. 

We suggest the following key steps that organisations can take in order to continue operating successfully: 

Develop coherent crisis management and planning

Funded partners should establish a response team with representation from senior leaders and customer-facing services. Response plans should be developed to outline how key business processes will be continued. Plans will need to be tested to ensure feasibility. Capacity planning will also need to be revisited. Incident response plans should be reviewed and, where necessary, updated to reflect remote working practices.

Maintain clear communications 

Funded partners need robust communication channels to meet the external needs of customers and suppliers, as well as the internal needs of staff. It’s important to provide accurate and meaningful information to the right people at the right time. Automated template messages will increase efficiency, while staff training in video conferencing will improve productivity. 

Protect against phishing emails

Phishing attacks devised to exploit the COVID-19 outbreak have already been seen in action. Phishing emails are being sent that purport to come from credible sources (e.g. the NHS, Department for Work and Pensions or World Health Organization). When opened, such emails can either initiate the execution of malware or encourage users to disclose private information. Clear and regular user awareness training is the most effective way to defend your organisation against this type of attack. Additional technical controls could also be implemented, including advanced email filtering solutions to identify and block suspicious emails and filtering technology to whitelist the file types users can download from the internet.

Maintain network security

Applying security updates, also known as patching, and making regular backups are two key ways to protect organisations from malware. Using cloud as your backup is suitable as long as you have procedures in place to prevent your backup being corrupted or compromised during an incident. Two-factor authentication is recommended in all instances.

Protect data privacy

The Information Commissioner’s Office has confirmed that the following practices are allowed by all UK organisations:

  • keeping staff informed about COVID-19 cases in your organisation (but if names are disclosed there must be a legitimate need)  
  • asking staff to tell you if they are experiencing COVID-19 symptoms, while ensuring you do not collect more data than you need for the purpose of protecting employee health. 

Protect physical security and mitigate remote-working risks 

The move to remote working means that any potential disruption by cyber security attacks or IT outages will be significantly bigger. It is essential to ensure adequate hard drive encryption on any devices being used by staff. If funded partners cannot provide staff with managed devices and need employees to use their own personal equipment, a bring-your-own-device (BYOD) policy should be established and agreed to by staff. Business data should not be stored locally on personal devices and VPN solutions should be used. 



Key Contacts

Partner - Head of Public Sector
BDO Southampton


Partner - Technology Risk
BDO London