Protect, prevent, comply

The worldwide WannaCry attack in May of this year put internet security and cybercrime at the top of the public agenda, with major institutions, including the UK's National Health Service, Spain's Telefonica, and global organisations such as FedEX and Deutsche Bank all hit. Describing the attack as "unprecedented", EuroPol reckoned more than 230,000 computers in 150 countries were affected.

IT security experts, such as Magnet Network's James Canty and Three Ireland's Karl McDermott, say ransomware attacks of this kind, where cybercriminals prevent access to data stored on computer hard drives and network drives, are much more commonplace than most of us would imagine.

“Most companies quietly find an IT specialist who can source the bitcoin to pay the ransom demanded and they don’t report it because of the potential damage to their public reputation,” says Canty. “The ransom demanded is usually in the region of €500, an amount most companies can afford to pay, though the sums can be higher if you are a larger corporate and you think they have full control of your data.

“However, paying the ransom and getting back access to your data may only be half of it. Some of that may be confidential information about the personal details of customers or employees and the cybercriminals may have sold copies of that to other criminals. Your customers or employees could get hit by an electronic banking fraud months down the road.”

Failing to protect personal data can leave a company open to severe penalties, says Brendan Gavin, a senior associate in the corporate law department of ByrneWallace. The EU general data protection regulation, GDPR, will become effective in mid-2018 and carries heavy financial penalties. A two-tier structure for sanctions includes potential fines of up to €20 million or 4 per cent of global annual turnover, whichever is the greater amount. It is essential that Irish companies start planning their approach to GDPR compliance as early as possible, including implementing steps to keep data secure from cyber-attacks."

Larger organisations will be expected to introduce more advanced security measures than smaller organisations and to update those measures more regularly, but all businesses should ensure that staff are aware of the security measures that are in place and of the need to protect personal data from being compromised.

“If your business uses a third-party to process its data, this should be covered by a contract stipulating minimum security measures that the data processor must have in place,” Byrne advises. “Your business is still responsible for the data, even under an outsourcing agreement and should have some way of ensuring that the data processor is complaint with the GDPR.”

WannaCry serves as "a vivid illustration" of our dependence on IT systems and the risk to businesses, and to lives, if these systems fail, says Accenture Ireland's security lead Chris Davey.

“The main cybersecurity solutions are basic IT hygiene – keeping software patches up to date, limiting local workstation administration rights, and tightening the security configuration of controls such as anti-virus software, firewalls, etc,” says Davey. “These defences provided good protection from WannaCry. The best organisations take a holistic look at their assets, and deploy a mix of technical and process controls to limit the risks of attacks. This includes new advanced technologies that use artificial intelligence and other techniques to identify and prevent previously unseen attacks.

“If the worst comes to the worst and you are infected by ransomware, the first thing to do is to disconnect the system from the network. However, good IT and security practices can greatly reduce the likelihood and impact of an attack. Steps you can take to limit the risk of infection and minimise the damage include: making regular back-ups that are physically separate from the source system; testing your recovery processes; using anti-virus software; and keeping all software up to date.

“A strong training and awareness programme is critical to train users to be highly sceptical of any unexpected emails or other contacts and to teach them how to recognise phishing or fraudulent emails.”

One employee training exercise that Canty regularly uses at Magnet Networks is to send bogus, but otherwise benign, emails from domains or Gmail addresses especially acquired for testing purposes. "We'll use, for example, a Gmail address that is very similar to the name of one of our suppliers or customers and will see if any members of staff open the attachments," he says.

According to Canty, secure websites present one of the biggest headaches for Irish companies looking to protect themselves from malware and cyber criminals. "Most traditional firewalls allow all traffic coming from secure websites straight into your network, presenting a huge opportunity for cyber criminals. Unfortunately, secure sites, which would include the likes of Gmail and YouTube, account for between 60-70 per cent of all internet traffic for Irish businesses today, leaving network access open to attack and making most firewalls unfit for purpose.

“If cyber criminals have potential access to your network and staff are not cyber-aware, then the potential is there for disastrous consequences such as we recently saw with WannaCry,” he adds. “Companies need to have a next-generation application-aware firewall along with advanced endpoint protection and local real-time analysis on each machine.”

It should be noted, of course, that Magnet Networks is a supplier of the type of next-generation firewall recommended by Canty, but it is also true when he says: "No business using this system would have been affected in any way by the recent WannaCry attack. The malware was identified three weeks before it hit the NHS. Those that had adequate protection in place were not affected."

After ransomware, Chris Davey says the two main cybercrime threats faced by businesses are spear-phishing and CFO fraud, both of which are types of electronic confidence tricks. Spear-phishing is a focused form of phishing, where before an attack the cybercriminals will study the target group closely, perhaps monitoring their social media usage beforehand, before launching their attack.

Spear-phishing

The criminal plan is that the spear-phishing email will appear more convincing because it contains personal details. CFO fraud is a further step up from this, with the cybercriminals spoofing company email accounts in order to trick someone in the accounts department into making a bank transfer. Good anti-malware software will help prevent these frauds, but companies should also have policies in place limiting how and when funds can be released, particularly funds over a pre-determined value.

But it’s not just the accounts department who are in the firing line, says Davey. “All of us – as users – are in the firing line of attacks. A critical part of every solution therefore is end-user training and awareness.”

It’s crucial that employees are on the alert for suspicious-looking emails and know they shouldn’t open them, he adds. “Similarly, they should know that if they find a USB key, they shouldn’t just stick it into their laptop and open it up to see what is on it. When they are out and about, they shouldn’t use public, unencrypted Wi-Fi to send confidential company information.”

At Three Ireland, Nicola Mortimer, head of business products, says: "Your employees should think of passwords like their underwear: don't leave them on the desk, don't show them to other people and change them regularly."

Her point is well made: online and in the real world, no matter how good your locks and protections, they aren’t worth a damn if someone leaves the front door wide open or gives away the keys.

It is for this reason that, as a matter of policy, staff at Three Ireland are required to change the six-digit password on their mobile phones at regular set intervals, according to Karl McDermott, the company’s head of ICT. “Over time, passwords become less and less secure: there is a risk that you start using one password for all your devices or that you start sharing them with your kids so they can play online games and then they go and share it with their friends.

“If you have a firewall, anti-virus, anti-malware and application firewall is up to date and you are keeping your operating systems up-to-date, you are in a fairly good place when it comes to cybersecurity. In fact, 99 per cent of cybercrime attacks exploit known vulnerabilities, so if your protection is up-to-date you shouldn’t be exposed to these vulnerabilities.”