According to Karl McDermott, head of connected solutions at Three Ireland, there is not just one thing you need to do to tackle the cybersecurity threat; it comes down to the culture of the entire organisation, big or small.
“Hackers don’t care what size you are, if they get a catch, they get a catch. Ironically, while SMEs are just as likely to be attacked as larger brands, the results can be catastrophic with the SME not having the required IT or protection in place to survive,” says McDermott.
“There has been a seismic shift in the way companies look at cybersecurity over the last 18 months and in part the attack on the HSE fed into that. There are a couple of very simple things that companies can do to mitigate against a lot of the challenges out there.
“Keep your software up to date – on your mobile, on your laptop, on your servers. Password exploitation is very common, and company policy should force password updates on a regular basis. Everyone should be familiar with multifactor authentication – you have to engage with this when accessing a bank account for example online,” he says.
McDermott advises businesses to take a hard look at their data and figure out what they cannot afford to lose or lose access to. Some data has GDPR implications and resultant possible fines.
“Once you understand what is important to your company then you can start to build a strategy around the protection of that data. If something is not so important, then do you still need it? And, conversely, if some data is vital then it needs protecting almost regardless of cost.”
McDermott stresses that security threats can arrive at all levels – from mobiles to servers.
“Typically a company will have antivirus software and a firewall to protect data and accompanying passwords etc. However, many employees will have access to the self-same data on their phone and possibly no protection whatsoever. As a mobile company we spend a lot of time speaking with our clients about protecting the mobiles.”
The Small Firms Association (SFA) has been working with the Banking Payments Federation on the FraudSmart campaign and last year devoted time to helping companies protect home workers. One of the key recommendations has been to ensure all devices are fully up to date with antivirus software and that two-factor authentication is in place.
Elizabeth Bowen, SFA public affairs lead, advises: “We advocate limiting people’s access to sensitive information while working remotely from the office. During the Covid lockdowns people had to get allowances to come into the offices to do essential services like payroll because there is no way something as sensitive as payroll should be accessed outside of the secure office environment.”
Another thing to consider is the physical security of the workspace, especially in a home environment.
Raluca Saceanu is chief executive of Smarttech247, a global cybersecurity organisation. On occasion it is called in after a hack, as was the case with the HSE ransomware attack in 2021.
While that work was extreme, companies also approach Smarttech247 with compliance requirements. These are firms, such as brokers or insurance firms dealing with large financial institutions, that have been tasked with handling sensitive information or financial data and cannot afford not to be up to speed. “Going with a boutique site such as Smarttech247 means we can offer a solution tailored to their needs and costs.”
Saceanu echoes McDermott’s comment that companies are approaching cybersecurity differently, with about 60 per cent of all new business coming from companies who are unhappy with their current cybersecurity provider.
“Cybersecurity only really matured in the last three years as a result of these global attacks. We are engaged not only in the technology but also in the training. Before it was just IT staff that were trained, now it is everyone from doctors to receptionists to CEOs.
“It is not a once-off exercise and users will always try to bypass security to keep on working. Consider the use of ChatGPT – people need to know if they upload sensitive data on to the platform then it is no longer confidential but available on the platform. Everyone is a target and everything is hackable,” says Saceanu.