With 80% of Irish firms falling victim to cyber crime last year, Peter O’Dwyer talks to a cyber security specialist who urges problem appraisal and straightforward solutions.
More than eight in 10 Irish businesses have found themselves at the mercy of cyber criminals in the past 12 months while a host of international data hacks have brought the topic to the fore like never before.
Irish companies spend an average of €240,000 a year in an attempt to secure their networks — such is the danger posed by the covert yet omnipresent threat cyber criminality presents; always in the ether yet rarely seen until it’s too late.
Why then, if the threat is as serious as companies consider it to be and with huge sums of money being thrown at the problem, does it persist to such a degree?
While most companies, especially SMEs and microenterprises, will look after their own cyber security as best they can within the constraints of budget and resources, a whole industry has sprung up around the same area.
Major professional services firms such as PricewaterhouseCoopers (PwC) are among those to recognise the growing importance of the sector to their clients.
Head of PwC’s crack team of cyber experts, Kris McConkey has a number of suggestions as to why cyber crime continues to cause such significant headaches for business leaders.
Chief amongst those is that the attackers are an ever-evolving bunch. Keeping tabs on these criminals is becoming increasingly difficult.
The TalkTalk data hack in October of last year, in which 15,600 customer bank details were stolen and a further 140,000 users were affected, thrust the apparent diversity of attackers into the spotlight.
Five teenagers have been arrested in connection with the incident which erased about a third of the value of TalkTalk’s shares and landed it with a potential £35m (€47.6m) bill; four on charges relating to the Computer Misuse Act and the fifth on suspicion of blackmail.
Whether those arrested were responsible for the crime is yet to be determined but young, digitally talented attackers who sit at one end of the cyber crime sophistication spectrum are a very real threat.
At the other end are hardened criminal gangs; hacktivist groups such as Anonymous; and even national governments.
“From an espionage perspective, there’s a lot happening in pharmaceuticals and a lot in oil, gas and high tech. In the more disruptive, hacktivist type stuff, there’s a fair bit in retail and leisure at the moment. Usually those companies have big online audiences for stuff that they do, so taking down a website or defacing a website and sticking up your own logo on it is always going to get a fair bit of attention,” Mr McConkey explains.
If the range of possible attackers is of concern so too is how these groups are becoming increasingly fluid.
“If you rewind a little bit, all of those categories were quite distinct from each other, so you had espionage groups who only did espionage, you had groups of hacktivists and all they did was try to make nuisances of themselves and there were crime gangs; all they did was try to get stuff they could monetise very quickly.
“One of the big changes over the last couple of years is some of the bleed across between those groups. Now you’ve got State-sponsored espionage groups who are starting to look at how they do some stuff [that is] a bit more sabotage focused. You’ve also got crime groups which are acting more like espionage groups in terms of the information they’re gathering and what they’re doing with it. Some of the lines are blurring a little bit compared to where they were two, three [or] five years ago.”
So, what does all of that mean for the likes of Kris and, more importantly, for business leaders?
“It’s certainly tougher on us. There’s a mountain of stuff that’s always changing, it always keeps us on our toes. It also means that it’s going to be more difficult for organisations to defend [themselves]. So, if they were previously defending against espionage groups, for example, that meant one thing in terms of how they protect specific bits and what information they protect but if that group also happens to have a sabotage capability then they need to think about a whole set of different defences.
“How do you protect your entire network from being torn down like a Sony-style attack? It’s certainly going to make life a little more difficult for organisations trying to defend their own network.”
As has always been the case, when faced with a fearsome adversary, however, the trick is to box clever — something many firms aren’t currently doing.
Luckily, following a few simple steps can yield huge improvements and prevent up to 90% of attacks, according to PwC’s 33-year-old cyber whizz kid.
Rather than ploughing money into cyber defences with little thought, organisations need to start at the ground level with the basics, identify the key areas they need to enforce and educate their staff as to how best to do so.
“There’s often a rush at the minute to invest in the latest shiny gadget and a lot of IT guys like the latest shiny gadgets and are quite happy to blow the security budget on what’s fanciest. In reality, something in the region of 80%-90% of cyber attacks can be prevented by just having some of the basic controls in place.
“So, things like making sure all patches are applied, that software and the operating systems are up to date and then doing some very basic stuff like making sure not everybody has administrative privileges so that people have enough access to do their work but not enough to go and cause a whole load of damage to the rest of the organisation if they happen to get malware on their systems or something.
“There’s a huge amount of stuff that can be done to fix the security basis and getting those right is really, really important before organisations go and do all the advanced stuff.”
“People are investing somewhere but I think the reality is that they’re not always investing in the right places. Of the mountain of things that people could spend their money on — which is not always technology, it’s a lot around education and awareness as well — they’re not always spending it or prioritising that spend in a way that actually helps them get the most return.”
So it seems the answer, or at least a lot of it, is to be found in taking a step back and determining how better to allocate your resources as a company and doing the basics right.
For an SME sector still burdened by all sorts of legacy issues while struggling to keep pace with an ever-changing business environment that much at least must come as a relief.
If your business is among those to have already fallen victim to cyber criminality, the message is clear too: learn your lesson.
“You have to take a step back and say how did this happen? Were we simply underprotected or were there some other reasons an attack was successful? It’s hugely important to learn from those incidents so they can understand what happened, how did it happen and how they can fix the root causes.”
© Irish Examiner Ltd. All rights reserved