Cybercriminals don’t need sophisticated technical knowledge: they can be old-fashioned confidence tricksters who lure people into divulging sensitive information or downloading malware through clicking on seemingly innocuous links.
The good news is that there are steps that individuals and organisations can take to protect themselves from these bad actors.
The risks are serious, according to Justin Moran, head of governance and security at Three Ireland, and include ransomware, social engineering and threats against data, including data theft and availability.
“An increasing global trend is the targeting of organisations via supply-chain attacks where the threat actor seeks to compromise key supply-chain vendor software which is core to business activities to exploit or disrupt businesses on a global scale,” he says.
‘A gas emergency would quickly turn into an electricity emergency. It is low-risk, but high-consequence’
The secret to cooking a delicious, fuss free Christmas turkey? You just need a little help
How LEO Digital for Business is helping to boost small business competitiveness
‘I have to believe that this situation is not forever’: stress mounts in homeless parents and children living in claustrophobic one-room accommodation
To mitigate the risk, business owners must first identify and prioritise their key assets and protect them in order of priority.
“Then organisations should focus on identity management, reduce the potential attack surface available to the hacker through strong system and network hardening, apply up-to-date patch management, minimise privileged access levels and ensure up-to-date backups are performed and stored off-site in the event of a significant system breach or compromise,” he adds.
In today’s digital and mobile environment, it is no longer the case of employees working solely at desktops in the office. “Businesses need to recognise that smartphones now represent computers in people’s hands and these also need to be adequately protected,” says Moran.
“Protections for mobile devices, including 3Mobile Protect which is available to Three’s business customers, include anti-malware, smishing and data-protection measures to help safeguard your key business assets, including people and data.”
It isn’t all about technology. Personnel play a crucial role in protecting against cybersecurity risks. “In many ways they are the first line of defence often targeted by hackers through methods such as phishing in order to gain a foothold in a business network and thereafter, elevate their privileges to execute their ultimate aims, which often includes ransomware deployment. For those reasons, it is crucial that both business and employees invest in end user information security training, education and awareness,” he adds.
Criminals often target individuals by what is often termed as social engineering. This refers to the method of gaining information from someone, or getting them to perform some action for the fraudulent hacker or criminal.
Phishing is a common method of social engineering, often delivered via email, with the objective of gaining or stealing individual credentials, for example, system passwords to use in an attack. Smishing is a similar method except the delivery method is via SMS.
At their heart is an understanding of how easy it can be to manipulate human behaviours.
“Similar to many fraudulent schemes, one of the key features is seeking to gain trust of the individual, for example by way of an unexpected offer which seems too good to be true, or unexpected communication presented as an urgent problem or opportunity to avail of,” he explains.
It’s because of the central role of our personnel that companies must evangelise about the need for constant vigilance from all personnel.
“The complexity and sophistication of cyber threats means that this challenge cannot be left solely to the tech team,” says Moran.
“Attacks often seek to exploit multiple potential vulnerabilities, both technical and non-technical, so a layered approach is required, including user education and awareness, end-point device protection, zero-trust-based architecture when it comes to accessing networks, systems and devices, strong password management, the means of detecting threats and the skills to monitor and analyse. For organisations and employees alike, it is crucial that they recognise that security is everybody’s responsibility and you are only as strong as your weakest link.”
A scam is any trick a criminal uses to get something from you that they can use to their own advantage, mostly to take money from you, says AIB’s head of financial crime, Carol Lawton.
“Although often used interchangeably, a scam technically only becomes a fraud once it is successful, in other words as soon as the criminals get the information they need to start stealing your money.”
In terms of banking, what scammers want to get from you could be details of your bank card numbers or login information. Or it might be a request to pay a small amount of money for something like a customs or excess postage charge. “Whatever it is, it’s a way for them to gain access to – and potentially drain – your bank account,” she says.
“Cyber criminals may seek to get your money by sending fake links or asking for your personal identification number [PIN] or login details. They may pretend to be someone else, they may create fake websites or they may offer you free stuff. They often make things sound urgent.”
Lawton’s key advice to individuals and organisations to protect themselves from these fraudsters is to do nothing in the first instance, until you have double-checked. “Odd as it might sound, the best thing to do first is don’t do anything,” she says.
Don’t click on that link and don’t be taken in by messages that claim to be urgent. “These are designed to make you panic and rush into doing something you shouldn’t,” she says.
Organisations must be equally vigilant.
“As the nature of cyber threats continues to evolve, global businesses continue to see a rise in malware, leading to ransomware or other destructive scenarios,” says James Baldwin, head of enterprise architecture and cybersecurity at PepsiCo Ireland.
“Typically at a global level the delivery of attack is through email phishing, social engineering via SMEs or, more recently, initial contact is being made via social chat apps. Business email compromise sophistication is accelerating with the emergence of capabilities to create trustworthy email requests or even deepfake voice messages leading to payment redirection campaigns,” he warns.
PepsiCo Ireland has undertaken a robust response, both in terms of investment and through partnering closely with global technology leaders.
“For example, it is critical for any global organisation to invest in a world-class email security solution which can minimise the risk of malicious email reaching their employees. Maintaining solutions for detection, employee self-reporting, containment and response is key, while also selecting systems that can rapidly learn of new threats which occur at a global level,” says Baldwin.
All stakeholders must be aware that cybersecurity is a shared responsibility.
“Employees, contractors or even third parties who operate within an organisation need to be aware of how to maintain the security of company data, their credentials and the system resources they use,” he adds.
“Everyone in an organisation during their workday must be aware of the potential risks of their actions. We believe that an empowered workforce that is aware of security threats is the strongest link PepsiCo has to combating cyberattacks.”