The growing sophistication of cybercriminals means that no organisation is immune from being hacked. Indeed, there is broad consensus among experts that it is not a question of if an organisation will experience a cyber breach, but when. That makes incident response capabilities equally important to, if not more important than, defence measures.
“Cybercrime is the most prevalent and disruptive financial crime facing the business community in Ireland,” says Jackie King, executive director with Ibec Global. “Cyber criminals are becoming increasingly sophisticated in how to break into a company’s systems, so there is no single solution that will protect organisations against attacks to which they are vulnerable on a daily basis.
“To mitigate cybercrime risk, companies must recognise that it’s not just an IT department issue, it is an issue that requires a whole-of-organisation and multifaceted approach encompassing technical, organisational and human factors.”
King recommends regular cybersecurity audits and monitoring to ensure breaches are detected early and that adequate mitigation measures are in place.
“Conduct continuous monitoring and regular security audits to identify and address potential threats promptly,” she says. “Early detection is key, so you need to know your systems are ready to tell you when something is wrong. Use audits to check and challenge – on at least an annual basis – which will allow you to assess your cybersecurity maturity and also monitor your risk remediation.
“Every business should also do a business impact assessment to check how vulnerable their systems are and where you are exposed to the greatest risk.”
David McNamara, founder of managed security services provider CommSec, describes a five-step incident response plan: “It starts with preparation. You need to prepare for a breach and get people with real-world experience of these things to help you with the plan.
“The next step is detection and analysis. How did they get in? What information did they take? How did they get out? Containment, eradication and recovery come next.
“Ill-prepared companies often have poor backups or have them on the same network, allowing them to be encrypted by the hackers. Having backups encrypted and using multi-factor authentication for access to them is key for this.
“Post-incident, organisations have to ask what they learned from it and how they can stop it from happening again. The final step is to test your incident response plans regularly.”
McNamara also recommends regular exercises to simulate a breach and its potential impact.
“You need to look at what might happen if something like a ransomware attack gets into your main domain and gets access to the keys to the kingdom,” he says. “What can you do to prevent that?”
There is some guidance out there for companies. “There is the ISO 27001 standard to adhere to,” says McNamara. “Even if you don’t go for certification, you can still apply it. You can also follow the guidance offered by the US National Institute of Standards and Technology (NIST) Cybersecurity Framework. But you really need to enlist outside help from people with real-world experience who are doing it on a daily basis. They can guide you in relation to what can happen and how to deal with it.”
Creating business continuity plans is key, he adds. McNamara highlights two relevant pieces of EU-wide legislation that are about to come into force: the Digital Operational Resilience Act (Dora), which deals with operational resilience in financial services; and NIS2 (the Network and Information Security Directive), which is aimed at improving cybersecurity and protecting critical infrastructure across the union.
“[NIS2] is coming into force on October 17 and a lot of companies aren’t aware of it yet. There needs to be increased publicity around it. Fines can be up to €10 million or 2 per cent of global turnover for the largest organisations. And the boardroom can be held responsible.”
The directive places obligations on companies in critical sectors such as energy, transport, banking, health and water.
“It is important that companies coming under its ambit are prepared and aware of their governance and reporting obligations,” King adds.
Companies should also develop and regularly update incident response plans to quickly and effectively address breaches if they occur, she advises.
“It is critical that roles and responsibilities are clear, and team members know exactly what to do and when, so a threat or attack can be addressed as quickly as possible,” says King.
“It is also critical to test and refine the plan through realistic scenario-based tabletop exercises. Furthermore, it’s not enough to delegate down the organisation. Build in top management approval and oversight in the event of a cybersecurity incident.”