Special Reports
A special report is content that is edited and produced by the special reports unit within The Irish Times Content Studio. It is supported by advertisers who may contribute to the report but do not have editorial control.

Protect, respond, resolve, recover – the cybersecurity playbook

Cyberattacks are rising but Irish companies can help up your guard

Enterprise Ireland hopes to make the country a cybersecurity hub
Enterprise Ireland hopes to make the country a cybersecurity hub

The 2021 HSE cyberattack was a stark reminder of the damage that can be wrought by cybercriminals. With many experts warning that it is no longer a case of if but when organisations will suffer a breach, guarding against an attack is now a priority for firms of all sizes across all sectors.

The reality is that as our digital societies become more evolved, this increased dependence on digital infrastructure makes society more vulnerable to cybercrime, says Gearoid Terry, product area lead in cybersecurity with Fidelity Investments. According to Terry, advances in interconnectivity and technological innovation have served to dramatically increase the risk of cyberattacks. He notes that last year, cyberattack attempts reached an all-time high.

“The worldwide digital system, as well as people’s privacy, are under constant threat,” he says. “This increases the need for more understanding and knowledge of cybersecurity. Recent years saw some of the largest, most sophisticated cyberattacks on record. We can expect cyberattacks on all businesses, but particularly small to medium sized businesses, to become more frequent, targeted, and complex.”

Ciara O’Reilly, head of products, propositions and customer value management for Three Business, agrees. She says that “phishing” and “smishing” (cyber-breaches by email and text, respectively) attacks have been part of the threat landscape for a long time, but the frequency of them has rocketed in recent years.

READ SOME MORE

“Criminals use classic tactics to create a sense of urgency, and different people will have varying degrees of tech-savviness,” O’Reilly says. “Unfortunately, because of this, fraudsters are constantly looking for opportunities and they will often target the more vulnerable, so that’s why communications and awareness are key.” For these fraudsters, making a huge number of attempts is worthwhile if just one attempt is successful.

Ultimately what this means is that cyberattacks should by now be a core priority of any enterprise resiliency planning. Terry points out that regulatory changes in Europe and the United States that require businesses to enhance the protection of personal data have also pushed companies to examine and enhance cybersecurity measures. “These regulations have forced companies to formulate and enact new or enhanced policies, procedures and response structures, should an attack or data breach occur,” says Terry. But he adds that recent changes in work practices - the advent of remote working, for example - have probably pushed companies beyond their comfort zone in this space.

O’Reilly says that cybersecurity and the impact of bad practices are at the forefront of businesses’ minds, “which can only be a positive thing”. But she agrees that remote and hybrid working practices served to expose businesses’ vulnerabilities.

“Because there has been so much going on in recent years with the pandemic, people had to get connected as quickly as possible so they could work from home, and the opportunists went for it,” she admits. Yet she believes that these recent high profile attacks have ensured that companies are now more aware than ever of the risks.

Companies need clear planning not just to guard against threats but also to respond and resolve quickly, Terry says. He suggests that businesses should implement a framework to drive cybersecurity maturity. “Some frameworks include the National Institute of Standards and Technology’s (NIST) cybersecurity framework or SysAdmin, Audit, Network and Security (SANS) top 20 controls. Implementing a defence-in-depth strategy will provide additional layers of protection.”

An effective asset inventory is also key “because you can’t protect what you don’t know about”. Patching (timely updating of software) and technology life cycle management are two other important controls that should be considered. “While some may consider these basic, staying current and patching regularly mitigates a significant number of vulnerabilities,” Terry explains. Education and awareness for employees is also critical, he adds.

Businesses regularly ask 3 how they can ensure that their company devices such as phones, tablets and laptops are protected, O’Reilly says. “We would always advise customers to adopt some basic steps to ensure their protection from password best practice, implementing cybersecurity training for employees and educating them on what to do if they believe they’ve shared compromising information, as well as rolling out threat protection on devices and ensuring sensitive data is encrypted.”

The good news is that simple and highly effective mobile security is easily available and easily inexpensive. 3 offers its customers 3 Mobile Protect, which is an easy-to-use business mobile security solution that protects mobile devices from phishing and malware, preventing data loss on company smartphones and tablets.

“It detects and disables malware, protects against phishing attacks and also offers a remote lock and wipe facility,” O’Reilly explains. “It also doesn’t collect any personal data, only corporate security critical data.”

It’s unsurprising that the cybersecurity market is growing by 12 per cent each year - roughly doubling every six years, says Kevin Buckley, senior development adviser in high potential start-ups with Enterprise Ireland. “Anywhere there is data, there is a cybersecurity risk,” Buckley says. “It’s a bank vault that you have to protect because people want to steal from it.”

With the growing demand for cybersecurity services and support, a major focus for Enterprise Ireland is helping emerging new technology in the cybersecurity sector. Buckley says there are over 50 cybersecurity product companies in their portfolio and he believes that Ireland could be a major global hub for cybersecurity.

“There are almost 500 different firms offering cybersecurity products or services in Ireland and, of these, 56 are Enterprise Ireland clients,” he says. “These companies all offer high quality products that make it easier for companies to protect themselves from bad actors. Ireland could be leaders in this area, and this is certainly our ambition.”

Obstacles to this include the paucity of talent and the skills gap in this area. Enterprise Ireland is striving, therefore, to “get people excited about careers in the cybersecurity industry,” Buckley says. They are also helping to address the skills gap by introducing conversion courses. “This will benefit not only indigenous Irish companies but the US multinationals who have made their home here. We are all in lockstep on this.”

Danielle Barron

Danielle Barron is a contributor to The Irish Times