Protecting against cyber attacks may be costly, but a business’s cyber security preparedness is priceless, say experts in the field. Globally, cybercrime is now estimated to cost $600 billion, and trends suggest even smaller firms are at increasing risk.
In recent weeks, the National Cyber Security Centre and Garda National Cyber Crime Bureau took the step of specifically warning small and medium business owners of the increased threat of ransomware.
In a letter sent to Ibec’s Small Firms Association, the organisations noted that there have been several smaller Irish businesses impacted by ransomware, heralding a change in the tactics of cyber criminals who had typically focused on larger organisations.
Mike Harris is Grant Thornton’s head of cyber security and has been working in cyber in Ireland for over two decades. He has observed a sea change in the perception of cyber security.
“Cybersecurity was previously seen as a financial services issue, where money is at stake for banks, for example. But in the past five to 10 years, what’s happened is that other industries have been increasingly targeted.”
Although organisations have become more adept at protecting themselves from low-level cyber attacks, the automated attacks that a firewall or antivirus software will easily deflect, the more sophisticated targeted attacks are harder to prevent, Harris notes.
“This is where there is a person sitting at the other end of the computer specifically targeting your organisation. And many organisations in Ireland may think they are too small, that Ireland is not an obvious target, but that has all changed; we have seen major attacks here in Ireland.
“The reality is that any organisation that has access to money they can pay to criminals will get targeted and this can have a devastating impact on their business.”
Jacky Fox, who leads Accenture’s Security practice in Ireland, agrees with Harris. While awareness of cybercrime in general is growing, she says people are probably less familiar with some of the motivations these criminals have.
“While people think that they are typically after money, they don’t realise that intellectual property theft is another motivator, as is data theft.”
This means businesses in all sectors are potential targets, she says.
The highest-profile attack in Ireland in recent years was of course the HSE ransomware attack in May 2021. This attack woke people up to the reality of what cyber attacks mean, Fox believes.
“They are not just mildly inconvenient. We saw that they can have an impact on life, as well as livelihoods, and we saw it impacting health and patient safety.”
Many people in business did not adequately appreciate the nature and extent of potential impacts that can be caused by a cyber incident, says Eoghan Daly, director of cyber security with BDO Ireland.
“They assumed that the main issue was theft of money, and that cyber-insurance could be used to cover the risk. The HSE incident demonstrated that cyber incidents can cause immediate and significant operational issues that can stop organisations in their tracks for weeks and months.”
Outside financial services, other sectors can lag behind in terms of cyber awareness, he adds.
“Financial services have a mature and well-established approach to cybersecurity [but] the picture in other sectors is mixed, and it is difficult to say some are more at risk than others.”
Daly also says that public sector organisations have been constrained in their investment in IT infrastructure, and many are using dated equipment and software that is more difficult to keep secure. Like many organisations, they are also struggling to recruit security professionals.
This is echoed by David Cullen, partner and head of William Fry’s technology department, who says cyber attacks are not only becoming more common but are often more aggressive and disruptive in nature.
While the direct financial cost of an attack, and of dealing with it, can be substantial, for many executives it is the reputational damage that keeps them awake at night if the situation is not appropriately managed, he notes.
“Threat actors will exploit every means at their disposal to seek to make a lot of money as fast as possible,” says Cullen.
With ransomware now the most common form of breach, whether to deal with threat actors at all is a difficult decision for management, as it obviously involves dealing with criminals, he adds.
“They can’t be trusted. We’ve seen them apply pressure not just to the organisation itself, say via a ransom demand, but they will also target others such as customers, personnel and even regulators with threats, such as releasing data stolen in the attack, unless monies demanded are paid.”
Harris also points out that even when the ransom is paid, organisations find that they do not get their precious data back.
Although organisations are now coming to terms with cyber attacks no longer being a matter of ‘if’ but ‘when’, their preparedness can often be subpar, admits Dani Michaux, EMA Cyber Lead at KPMG.
In a KPMG survey last year of over 1,300 chief executives, almost two-thirds (65 per cent) said they have a plan to address a ransomware attack if faced with one.
“This is a positive, but often organisations are ready for yesterday’s attack, not tomorrow’s,” warns Michaux.
She advises firms to make attacks real by conducting simulations.
“For most executives, a ransomware attack simulation is an eye-opening event,” Michaux says.
“Not only do these simulations reveal how their companies lack sufficient safeguards to defend against the latest techniques, but they also uncover vulnerabilities – or assumptions made – that can reduce the company’s ability to recover. When huddled in the simulation war room, business leaders suddenly realise they don’t have sufficient information to quickly identify the business impact of an attack on end-to-end services.”
According to Daly, even when businesses are cognisant of the risk, an understanding of what that risk means in practice is often missing.
“Addressing ‘cyber risks’ can be complicated by the gap between a risk and the practical measures implemented to address the risk. Resources are limited and it is impossible to address all risks – businesses need practical approaches that deliver tangible outcomes,” he advises.
Companies need to understand their “time to survival”, advises Fox.
“Every business has a timeframe for which they can live without their systems or use back-up manual processes,” she explains.
“They also have a time where, if they don’t get back to some sort of normality, the business simply dies because their customers just go elsewhere. If they know their time to survival is three weeks, then they can plan their incident response plan accordingly.”
This ability to bounce back is key because, even with perfect preparedness, cyber attacks can and will still happen, Fox warns.
“No matter how much effort you put in, your risk profile will change all the time as new vulnerabilities crop up. You can never be 100 per cent safe and if someone is determined to get into your organisation, they will play the waiting game. You just have to get it wrong one day and that’s it, they’re in.”