David McNamara, founder of CommSec, has been in business for almost 11 years and is firmly focused on cybersecurity.
“We don’t do anything else and our clients come from sectors ranging from financial services to logistics, health, pharmaceutical and government departments. The client size tends to range from 300 seats up and we offer a range of services including 24/7 monitoring.”
CommSec is currently focusing on the new EU directive NIS2, which will change how cybersecurity is approached across Europe, much like how GDPR transformed data privacy.
The escalating cyberthreat in the EU, with a staggering 2.2 billion records compromised in 556 data breaches in 2023, has spurred the implementation of NIS2.
From IT departments to the boardroom
This new legislation is a significant advancement from the 2016 NIS directive. It now covers more than 4,000 organisations, up from 125, and shifts cybersecurity responsibility from IT departments to the boardroom. NIS2 strengthens defences against cyberattacks and digital disruption.
“However, low awareness among boards of management is a critical challenge,” says McNamara. “This lack of preparedness could lead to a panic for compliance once the directive takes effect in October. There are hefty fines and sanctions for both organisations and their c-suites.”
As part of this new awareness, companies will be required to interrogate their own supply chains and will have to report any breaches to the National Cybersecurity Centre in Ireland.
“This directive has heavy fines attached to unreported breaches, similar to GDPR, and in addition the board will be held accountable, with individuals named and even stopped from doing their managerial functions. It’s going to be very strict,” says McNamara.
The increased regulatory requirement is going to focus the minds within companies to include cybersecurity in the same way that, for example, health and safety is intrinsically managed at board level.
When advising companies in terms of cybersecurity, McNamara takes a practical view: “It’s all about protecting your data but the protection needs to be relative to the type of data you are protecting. The bigger the business, the bigger the target, but smaller businesses also form parts of the supply chain.
“This is where we advocate simple protection that doesn’t cost a whole lot of money, including multi-factor authentication, regular scanning of the infrastructure and encryption used liberally.”
Puneet Kukreja, head of cyber at EY Ireland, bases his approach to cyber defence on a set of strategies. These include: prioritising patching – identifying and deploying software updates to fix technical vulnerabilities – based on threat exposure; focusing on resilience; shifting from rule-based detection to behavioural-based detection; maintaining basic cyber hygiene; and understanding supply chains.
“Vulnerability scanning is a crucial aspect of cybersecurity, involving defining the scope and objectives, choosing scanning tools, configuring the tools, executing the scan, monitoring progress, interpreting and prioritising results, and implementing remediation and mitigation,” he says.
Cybersecurity requires a layered approach, tailored to an organisation’s specific needs and budget, Kukreja suggests. Products and services can include firewalls, endpoint detection and response software, spam filtering, multi-factor authentication, end-user security awareness training, security program development, security architecture review, monitoring services, vulnerability assessment, penetration testing, and compliance auditing, he says.
Nick O’Donovan, head of sales, Europe, Middle East and Africa, at Huntress, believes organisations need to approach cybersecurity scanning as they would home security, watching out for open doors and windows, and for the “human element”.
“Endpoints inside of a company are one area of vulnerability,” says O’Donovan. One way of addressing this is through “the use of technology such as EDR, which stands for endpoint detection and response, which investigates systems and triages”, he adds.
“Another area of vulnerability is identities, where hackers compromise a company’s email. Technology that consistently scans and monitors for threats in real time prevents unauthorised access to email, prevents data loss and email tampering to commit fraud.”
Education
The value of cybersecurity awareness training cannot be overstated, as the humans in any business are its first line of defence. It is vital that employees understand the danger of unknown links and malicious emails, and know what phishing looks like. Simple checks such as examining email headers, spotting spelling errors and verifying contact details directly on an organisation’s own website can be highly effective.
But companies need to put security awareness training into place: having engaging videos and training programmes can help to keep employees up to speed on the latest threats and what to look out for, says O’Donovan.
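As an added illustration of the header checks mentioned above (not code from the article or from any of the firms quoted), the following Python reads a constructed phishing-style message and reports the mismatches a trained user or a mail gateway would look for; the domains, addresses and authentication results are made up.

```python
import email
from email.utils import parseaddr

# Constructed sample message, not a real email: the display name claims to be
# the bank, but the address domain, the bounce path and the receiving server's
# authentication results all point the other way. (The Subject typo is left in
# deliberately as a human cue; this code does not check spelling.)
SAMPLE_RAW = """From: "Bank of Example Support" <support@examp1e-bank.net>
Return-Path: <bounce@mailer.example.org>
Reply-To: <helpdesk@examp1e-bank.net>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mailer.example.org; dkim=none; dmarc=fail header.from=examp1e-bank.net
Subject: Urgent: verify your acount now
To: <alice@example.com>

Please verify your account today.
"""


def domain_of(addr) -> str:
    """Lower-cased domain of an address header value, or '' if it has none."""
    _, address = parseaddr(addr or "")
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def header_findings(raw: str, expected_domain: str) -> list:
    """Apply the simple header checks and return human-readable findings."""
    msg = email.message_from_string(raw)
    findings = []
    from_domain = domain_of(msg.get("From"))
    # 1. Does the sending domain match the organisation the mail claims to be from?
    if from_domain != expected_domain.lower():
        findings.append(f"From domain '{from_domain}' is not the expected '{expected_domain}'")
    # 2. A bounce path (Return-Path) or Reply-To on another domain is a common sign of spoofing.
    for name in ("Return-Path", "Reply-To"):
        other = domain_of(msg.get(name))
        if other and other != from_domain:
            findings.append(f"{name} domain '{other}' differs from From domain '{from_domain}'")
    # 3. The receiving server's SPF/DKIM/DMARC verdicts, recorded in Authentication-Results.
    auth = (msg.get("Authentication-Results") or "").lower()
    for mech in ("spf", "dkim", "dmarc"):
        for verdict in ("fail", "softfail", "none"):
            if f"{mech}={verdict}" in auth:
                findings.append(f"{mech} result is {verdict}")
    return findings


if __name__ == "__main__":
    for finding in header_findings(SAMPLE_RAW, "bank-of-example.com"):
        print("-", finding)
```

A message that passes all three checks returns an empty list; anything returned is a prompt for the reader to stop and verify through a known-good channel rather than the email itself.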
Working remotely
Working remotely has certainly changed the dial for many organisations. Previously employees and equipment were located in single physical premises, behind firewalls and other security defences. Now, working from home poses challenges for company security.
Even the phenomenon behind the revolution in remote working – Covid-19 – meant people were searching for information and could be misled into clicking malicious links.
Rob Behnke, co-founder and CEO of blockchain security firm Halborn, says securing an organisation always requires a holistic approach.
“Focusing on just one area isn’t enough. You must scan for vulnerabilities in code, educate employees and secure all devices, especially those used for remote work. At Halborn we see new security issues and exploits every day, including insider threats and internal risks.
“It’s not rare to see nation-state actors trying to infiltrate big companies and exfiltrate information. All these factors should be considered and proper defence mechanisms should start even before thinking of hiring someone.”
Peter Strahan, director of Lantech, believes that effective cybersecurity requires a blend of approaches across technology, processes and human users.
A trap many organisations fall into is seeking a single tool or focusing on one element, such as vulnerability scanning, and then believing they have done enough or are on the road to comprehensive security, says Strahan. Organisations must start with a strategy for cybersecurity rather than just shopping for new tools, he adds.
“A good example of the limitations of a completely tool-based approach is the surge in session token theft attacks,” says Strahan. “Traditionally we have seen users and equipment targeted with malware but in more recent months we have seen a shift to complex malwareless attacks becoming the main threat vector.
“Bad actors have switched to leveraging legitimate systems and tools that IT support teams use for daily activities to launch their attacks; this enables them to go unnoticed for longer, gaining deeper access to corporate infrastructure and confidential data.”
Session token hijacking is when a bad actor steals the digital keys (tokens) that platforms such as Microsoft 365 use to keep a user logged in. Once they have these keys, they can access the user’s account without needing the password.
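An added example, not from the article or from Lantech, of how a defender might spot the token reuse just described in sign-in logs: a token presented from a different network or client than the one it was issued to is a signal worth triaging. The events, session IDs and addresses are constructed, and the field layout is an assumption rather than any real platform’s log format.

```python
from datetime import datetime

# Constructed sign-in events, not real logs. Fields:
# timestamp,user,session_id,source_ip,user_agent
# Alice's session token reappears from a different network and a non-browser
# client; Carol's changes network only (e.g. a VPN); Bob's stays put.
SAMPLE_LOG = """2024-05-01T08:02:11Z,alice,sess-7f3a,203.0.113.10,Edge/124 Windows
2024-05-01T08:15:40Z,alice,sess-7f3a,203.0.113.10,Edge/124 Windows
2024-05-01T08:21:05Z,alice,sess-7f3a,198.51.100.77,curl/8.4
2024-05-01T09:00:00Z,bob,sess-91c2,192.0.2.25,Chrome/124 macOS
2024-05-01T09:30:00Z,bob,sess-91c2,192.0.2.25,Chrome/124 macOS
2024-05-01T10:00:00Z,carol,sess-c0de,192.0.2.40,Firefox/125 Linux
2024-05-01T10:05:00Z,carol,sess-c0de,203.0.113.99,Firefox/125 Linux
"""


def parse_events(raw: str) -> list:
    """Turn the CSV-style lines into dicts with a timezone-aware timestamp."""
    events = []
    for line in raw.strip().splitlines():
        ts, user, sid, ip, ua = line.split(",", 4)
        events.append({"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
                       "user": user, "session_id": sid, "ip": ip, "user_agent": ua})
    return events


def find_reused_sessions(events: list, ip_change_alone: bool = True) -> list:
    """Flag a session token presented from a different IP and/or user agent than
    the one it was issued to. With ip_change_alone=False, an IP change with the
    same user agent is ignored, which cuts noise from VPNs and mobile networks
    at the cost of missing a thief who copies the victim's user agent string."""
    first_seen, alerts = {}, []
    for ev in sorted(events, key=lambda e: e["ts"]):
        sid = ev["session_id"]
        if sid not in first_seen:
            first_seen[sid] = ev  # the context the token was issued in
            continue
        base = first_seen[sid]
        changed = [f for f in ("ip", "user_agent") if ev[f] != base[f]]
        if changed == ["ip"] and not ip_change_alone:
            continue
        if changed:
            alerts.append({"user": ev["user"], "session_id": sid, "changed": changed,
                           "issued_from": (base["ip"], base["user_agent"]),
                           "reused_from": (ev["ip"], ev["user_agent"]),
                           "minutes_after_issue": int((ev["ts"] - base["ts"]).total_seconds() // 60)})
    return alerts
```

Running `find_reused_sessions(parse_events(SAMPLE_LOG))` flags Alice and Carol; with `ip_change_alone=False` only Alice remains, which is the trade-off a monitoring team tunes rather than a verdict.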
“This shift has seen traditional tools for threat detection become devalued and ineffective, yet many businesses continue to use these outdated protection platforms in the misguided belief they are protected,” says Strahan.
The threat of session token theft and a renewed focus on identity theft have now made managed detection and response a non-negotiable part of any business’s cyberdefence arsenal. Unfortunately, however, many still have only traditional antivirus tools and other lax controls, exposing their business, staff and clients to ever-increasing risk.
“Therefore, leveraging an effective cybersecurity strategy and management system ensures they remain at pace with developments in cybercrime and continually re-evaluate the protections in place to mitigate risk,” says Strahan.