But unfortunately, amongst the generosity, there are cyber criminals working to exploit this situation.
This article looks at what your organisation can do to protect itself against cyber attacks at this unprecedented time, with five key tips:
1. Be Vigilant
It's easy to fall victim to a scam when your mind is understandably on other things, or you feel pressure to act quickly to protect yourself. Cyber criminals know this and will take advantage by designing bogus communications on topics that people care about. For example, the World Health Organisation (WHO) has warned that criminals are impersonating it to steal money and sensitive information.
Provide your staff with practical guidance on how to spot suspicious communications. These 'phishing' attacks usually ask for information, or encourage the recipient to open an attachment or click on a link. Tell-tale signs include the sender's email address not looking quite right, a request to act urgently, or the appearance of an official source (e.g. a bank) asking you for sensitive information, such as login details.
Staff should be reassured that they won't suffer adverse consequences for questioning the validity of an email even if it turns out to be genuine. It's better to be safe than sorry. Make sure that staff know who to speak to if they have any questions or think that they might have inadvertently compromised your security.
2. Maintain Your Usual Standards
Your organisation should already have measures in place around online security. Now is not the time to let your standards slip, because that is exactly what the cyber criminals are betting on. Continue with your usual processes, such as promptly updating security software and downloading patches. But also tighten up any areas where you think you might be vulnerable, for example by introducing two-factor authentication for remote working.
Staff should be reminded that they continue to play a vital role in your organisation's security defences. Now, more than ever, they should follow your guidance, e.g. around not using public Wi-Fi unless your organisation has taken steps to make its use secure, making passwords strong, and not using personal email accounts for work. If staff are permitted to use personal devices for work, they should be provided with guidance on how to do this securely.
3. Test New Software and Online Services
Organisations have been forced to adapt quickly to a new way of working, and this has led to the adoption of new software and online services without the usual run-in time. Thoroughly test the security of any new application before it is rolled out to your staff, and keep a record of your testing. Don't let the need to do business as usual compromise your online security, because a cyber attack could have serious financial and reputational consequences for your organisation at this already difficult time.
4. Are Your Processors Compliant?
When a third-party service provider uses personal data on your behalf, they become your 'processor' under data protection law. Common examples include payroll and cloud storage providers. If personal data that you are responsible for is compromised (e.g. lost or stolen) while one of your processors holds it, you are still responsible under data protection law. This is why the GDPR requires you to carry out sufficient due diligence on your processors' data protection compliance and to have a contract in place containing certain mandatory provisions. If you haven't taken these steps, then you could be liable if one of your processors suffers a cyber attack.
5. The Usual Rules Still Apply Regarding Data Breaches
Cyber attacks often lead to personal data breaches, for example, if a hacker gains access to your client database. The Information Commissioner's Office (ICO) is taking a pragmatic approach to certain aspects of data protection compliance at the moment, but there is no sign that it will relax its high standards around data breach reporting and information security. Certain personal data breaches remain reportable to the ICO within 72 hours.
Make sure that your data breach procedure still works when the key staff involved are working remotely. If you do have to report a breach to the ICO, they will expect you to evidence what you had done to prevent the breach from occurring, e.g. network security and staff training. This is why it is essential to document what measures you have in place around cyber security.