According to specialist research firm Cybersecurity Ventures, global cybercrime is predicted to cost $8 trillion this year alone. To put that in context, if cybercrime was a country, it would be the world’s third-biggest economy behind the US and China.
And costs continue to grow. The scale of cybercrime is simply breathtaking. Cybersecurity Ventures predicts growth in cybercrime damage costs of 15 per cent annually over the next three years, reaching $10.5 trillion by 2025, up from $3 trillion in 2015.
These costs include everything from money stolen from individuals’ bank accounts through scamming attacks to the loss and destruction of data, lost productivity, theft of intellectual property, embezzlement, data theft, business disruption, post-attack forensic investigation, restoration of hacked data and systems, and reputational harm.
Challenging times ahead for Irish Stock Exchange as big companies look to the US
It is not surprising in this context that an industry has grown up to combat cybercriminals. Business consulting firm Grand View Research valued the global cyber security market size at $202.72 billion in 2022 with a projected average compound annual growth rate of 12.3 per cent from 2023 to 2030.
The main cyber threats are familiar to most people and include ransomware, social engineering and threats against data, including data theft and availability, says Justin Moran, head of governance and security at Three Ireland. “An increasing global trend is the targeting of organisations via supply chain attacks where the threat actor seeks to compromise key supply chain vendor software which is core to business activities to exploit or disrupt businesses on a global scale.”
And there’s more. “The rise of generative AI and its usage to craft more sophisticated and quicker, larger-scale attacks continue to evolve,” says Dani Michaux, head of cybersecurity with KPMG. “We also continue to observe the evolution of emerging technologies such as blockchain, biometrics, industry 4.0 hyperconnected systems, and virtual reality just to name just a few. We do note that all of these can pose new security, privacy and ethical challenges and raise fundamental questions about our trust in digital systems.”
BDO cybersecurity director Eoghan Daly points to the technology supply chain as a risk area. “Cybercriminals are targeting technology suppliers, seeking to exploit any weaknesses in third-party vendors or support companies to gather information on clients, or in worst case, gain access to customer networks,” he says. “Therefore, strong controls need to be designed and enforced for areas where there are interactions with suppliers.”
Another threat is zero-day vulnerabilities, where software vulnerabilities are present before a patch is available. “Attackers are ready and prepared to take advantage of these vulnerabilities to compromise systems and steal data,” says Daly. “This is difficult to defend against while the patch or fix is not yet available, but good planning and technical controls can assist in limiting the risks, such as network segmentation to prevent lateral movement across the network, and a robust patch deployment process, both to keep systems up to date, and to be able to deploy emergency patches as soon as they are available.”
The increase in remote and hybrid working has also led to heightened vulnerability. “With the rapid move to hybrid and digitalisation, identity management is key,” Moran advises. “Organisations need to be focused on protecting their key assets including customer data and systems, IP and so on, and implementing adequate identity management systems and protection. Remote working has led many organisations to increase their investment in software as a service and an increase in the use of productivity applications so multifactor layer authentication is critical to minimise the risk of compromising user identity and access to systems. Similarly, organisations need to educate end users with regular information security training which focuses on strong password management and conduct regular phishing tests where practicable.”
Michaux recommends the adoption of a “zero trust” model. “This can help reduce the blast radius in the event of an outage or breach and limit the impact so the incident can be better managed and contained.”
Among other measures, Daly recommends organisations update their acceptable use policy (AUP) to include the procedures for working remotely. “Staff need to understand the threats and risks, such as physical security, weak wireless security,” he points out. “Include incident reporting in the AUP. Encourage staff to report any real or suspicious incidents as staff working remotely may sometimes be reluctant to report an issue. Implement a virtual private network to encrypt traffic and secure the communications between remote workers and the organisation’s network.”
Resilience strategy
How an organisation responds to a cyber breach can be just as important as the security measures employed to prevent it. That’s where resilience and the ability to recover comes in. “It’s critical for cybersecurity teams to engage with the business early and often to help ensure a clear, yet flexible resilience strategy is properly set ahead of time, rather than testing it in the middle of a crisis,” Michaux advises. “Security teams have a strategically really important role within the organisation but should also help you in the effort to engage with the board and business stakeholders on the overall objective of resilience. It is a hard but necessary conversation.”
Calling in the authorities should be the first step following a breach, says Small Firms Association Public Affairs lead Elizabeth Bowen. “If your business is breached, notify the Garda straight away. They may be able to get your money back and they can put out warnings to other businesses. They may also be able to catch the fraudsters.”
It is also very important not to apportion blame to individuals for the breach. “The fraudsters are so clever, no one is to blame if mistakes are made,” she adds. “Businesses need to step up training to reduce the risk of it happening again. Also, never pay a ransom. There is no guarantee you will get your data back or have your systems restored.”
Insurance has a role to play as well. “Many organisations should be considering cyber insurance to help protect against the risks associated with cyber threats,” says Moran. “Many of these insurance offerings include specialist incident response and digital forensic teams who can help in the event of an incident. Similarly, there is a wide variety of specialist cybersecurity professional organisations who can help advise in responding to a breach.”