Advertising Feature
An advertising feature is created, supplied and paid for by a commercial client and promoted by the Irish Times Content Studio. The Irish Times newsroom or other editorial departments are not involved in the production of advertising features.

Increased cyber threat level requires heightened vigilance

The threat posed by cybercriminals has increased significantly since the onset of the Covid-19 pandemic


"In 2020, once we moved to working from home, we saw an increase in things like spear-phishing where cybercriminals gather social media information to send targeted emails to ask people to share passwords, transfer money, click on links or open files and so on," says Sarah Hipkin who leads Mazars Technology Consulting in Ireland.


"We have seen a real spike in ransomware attacks this year," she adds. "The most notable have affected critical national infrastructure such as health and education systems." But there have even been examples in the UK of small companies, such as hairdressers, being targeted with ransom demands of €1,500.

No organisation is too small, too large or too insignificant to escape the attention of cybercriminals. "Many organisations are asking why they would be targeted," notes Mazars IT Audit & Security director Alex Burnham. "The key message is that the threat of a cyber attack impacts organisations of all sizes, from a one-person operation all the way up to global multinationals."

The fact that people do not necessarily hear about these attacks does not mean they are not happening. "Prior to the pandemic, I worked in the retail sector," Hipkin recalls. "In one case I saw, a website was taken down for a few hours, costing the organisation thousands of euros in lost sales. These things are a lot more common than people realise. There is still a certain secrecy around reporting a cyber incident, with businesses not wishing to reveal they have been the target of a cyber attack."


Financial loss is just the beginning, according to Burnham. "We recently investigated an Irish organisation in the financial sector where cybercriminals had obtained the password for an online email account belonging to a member of their administration team as a result of a phishing attack. The first action the cybercriminals took was to take a copy of the entire mailbox; an auto-forward was then put on the email account to ensure that the criminals obtained all future emails sent to the organisation. That gave them the ability to profile both the organisation and their customers. Over time the criminals were able to understand the organisation's processes and obtain copies of their documents and develop templates as well as details of investors. They launched an attack asking for a customer's bank details to be changed before a request to draw down funds. The attack was identified at that point."

No ransom was paid. However, the full cost of the remediation of the incident was still in excess of €75,000.

"This included the cost of the external cyber expertise required to investigate the cyber-attack and quantify the level of data that was exposed, restore the systems, review the system, and the internal resources that were required to deal with the incident," Burnham explains.

The financial impact excludes any estimate of the reputational damage caused. "People tend to quantify the impact in financial terms, but the reputational damage can also be massive. Cyber attacks can damage your global reputation and impact the trust of current and future customers in the services and products that you provide."

There are other consequences. "Where personal data is compromised because of a cyber attack, an organisation is required under the GDPR to report the data breach to the Data Protection Commission within 72 hours. Failure to report may result in fines and regulatory sanctions," says Burnham.

With increasing security regulations such as NIS 2 on the horizon, Hipkin says the new cyber rules will mean more critical sectors, including postal services, food, and the manufacturing of pharmaceuticals, will have to comply with the directive and meet enhanced security requirements such as incident response plans integrated with external third parties.

According to Hipkin, organisations need smarter ways to assess the cost and reputational impact of attacks. "Unless you can look at an impact on a company's share price, it is very hard to quantify. How many people stopped booking hotels after the Marriott breach? How many people stopped booking flights with BA after the breach there? Without better ways to assess and measure impacts like those, there will always be a challenge to justify investment in cybersecurity."


Let's not forget the impact on the individual victim of a cybercrime. Not only are cybercriminals encrypting data and causing widespread disruption, they are also using stolen sensitive personal data to target individuals with ransom threats that could lead to the publication of embarrassing and private information, which is why people often feel the need to pay the ransom. "Ultimately Ireland needs to take a coordinated cross-industry, government-wide approach to combat cyber crime, and to work with international and European counterparts, to seek justice for the perpetrators of cyber crime," says Hipkin.

Defence starts at the top. "Cybersecurity is no longer an IT issue," says Burnham. "Responsibility starts at the top and must pervade the entire organisation. You need to understand the risks, quantify them, and put a remediation plan in place."

The evolving nature of the threat landscape means defence and response need ongoing attention. "It's an ever-changing climate," says Burnham. "The risks are changing continuously, so it's not a once-off fix. The whole organisation must be kept up to date, and you need to have the processes in place to keep people informed of the threats."

Having an incident response plan is critical, according to Hipkin. "Put a response plan in place with one person responsible for leading it and everyone on the response team knowing what their role is. You need to identify early on the key players who will be involved in the response, both internal and external. If you do not have the expertise in-house, make sure you have a contract in place with a third party. You also need to test the plan, do drills, and make sure the response processes are stacking up. It's all about being ready for an attack when it happens."

Incident response plans may seem complex to develop and implement, but there is help at hand. "Each organisation should have its own incident response plan tailored to its top three to five most likely incidents, size and sector," says Hipkin. "No one size fits all, but Mazars has done quite a bit of work on that. And we have been working with our clients to update their plans and to assist them in running drills. For organisations just starting out with developing their incident response plans, we have prepared a high-level incident response playbook that offers advice on the key things an organisation needs to do to prepare for a cyber incident and develop a response plan."

Cyber incident response playbook guidance

This playbook guidance provides organisations with five high-level practical tips in preparing for a cyber incident and developing a response plan that enables staff to take immediate action.

  1. Identify your top 3-5 most likely incidents
  2. List who to contact
  3. Understand the systems and environment
  4. Document the response procedures
  5. Develop strategic communication procedures for cyber incidents

Visit www.mazars.ie for more information.