As the rate of cyber attacks and data breaches grows apace globally, Irish businesses and State agencies have experienced first-hand how cybercriminals will target victims, irrespective of size or geography.
In April 2015, Ryanair was hit by a hacking scam when around $5 million was electronically transferred from one of its bank accounts.
In January of this year, the websites of the Central Statistics Office, the Department of Justice and the Courts Service all suffered distributed denial of service (DDoS) attacks which took them offline, and the National Lottery site was also targeted.
Irish organisations are reporting DDoS extortion attacks in greater numbers than ever, according to figures from IRISSCERT, a non-profit computer response team which compiles annual cybercrime figures. Reported cybersecurity incidents grew from 6,534 in 2014 to 26,137 in 2015.
“What these attacks all have in common is that they’re high-volume quick wins for criminals who are looking for a quick return on their investment of time and resources. One of the most effective ways to do that is to extort money from victims,” says Brian Honan, a director of IRISSCERT.
Ireland faces many of the same threats as global organisations, says Jacky Fox, cyber security and IT forensic lead at Deloitte. “Ransomware is one of the most prevalent attacks we would be called in to deal with, and we’re seeing a lot of Irish organisations getting badly hit with DDoS. There’s also a lot of phishing scams and fund re-diversion fraud, where the emails involved are getting more sophisticated,” she says.
Many DDoS attacks go unreported, adds Fox. “We’ve seen financial services, utilities, and general online businesses targeted. If it’s a very public service, you may see a notice saying ‘service interruption’ when it’s often a DDoS attack. There are a lot of soft targets out there and so many organisations are so reliant on their online services as part of their business model. Quite often, it’s only when someone’s hit that they realise the impact it has if they’re crippled.”
Criminals have ready access to online tools they can buy or rent to attack organisations, adds Nicola Mortimer, head of business product, marketing and operations at Three Ireland. “Criminals treat this is as a business. They are making money and because of that, you’re going to see continued investment and evolving sophistication.”
The increase in security threats has moved the issue out of the IT department and onto managers’ desks. “There’s much more focus on this issue at director level. Many bodies recommend the chief information security officer role at board level as a means to make sure that risks are understood and actioned,” says Chris Davey, cybersecurity lead for Ireland at Accenture.
Crown jewels
Just as organisations now treat cybersecurity as a business issue rather than a technology problem, they’re also shifting strategy from security controls on individual IT systems to a more holistic view based on risk to the business. “A risk-based approach is where you understand your IT estate, the risks and threats you’re exposed to, and you implement accordingly. This allows you to focus on your crown jewels, whereas some parts of your IT estate are less critical,” says Davey.
“With a slightly ad hoc approach to security, there’s no science behind it. If you’re working to comply with a standard or a to-do list, you’re only as good as that list but inevitably that’s a bit behind today’s threats. And you might not be focusing on the key risk for your business,” Davey adds.
Irish businesses are investing more on security as a proportion of their overall IT budgets, says Dermot Williams, managing director of Threatscape. “However the clever organisations can try and combine a modest increase in spending with some judicious allocation.”
Until now, many businesses took a “set and forget” approach to implementing IT security tools which were designed to keep attackers out. This doesn’t keep up to date with newly emerging threats, and an increasingly popular approach is to combine data feeds from a company’s existing security systems like a firewall or antivirus software and check it in real time for suspicious patterns. This way, organisations can identify threats faster instead of dealing with the fallout after a security incident.
Gartner, an IT market research company, forecasts that the threat detection and response market will be worth $23 billion by 2020. “Organisations are not able to keep all attackers out, so there has been a shift in resources towards detection and response. You need a plan B: the faster the time to detecting a breach, the sooner you can decrease your risk and the total potential costs associated with it,” says Williams.
A general technology trend of mobile working is also affecting security. “If a company is looking at implementing flexible or mobile working, it needs to take into account the security threats that that opens up. It needs device management and secure file sharing. The protection needs to be specific to the type of user and specific to the type of information they have access to,” says Mortimer.
Data protection
In addition to technology developments, new European data protection rules that will become law in May 2018 will have an impact on many businesses’ information security plans. “Because the EU General Data Protection Regulation has come out recently, people are taking security and data protection much more seriously at management level. We’re already starting to work with clients in setting out roadmaps for compliance,” says Darren Daly, partner and head of technology law at solicitors ByrneWallace.
Daly also expects to see an increased uptake in cyber insurance protection. “It depends on the nature of the organisation. It’s mainly aimed at larger institutions like financial providers where a cyber attack could result in a significant financial exposure. Smaller organisations might need more of a cost-benefit analysis but if they are applying for public sector tenders, cybersecurity risk insurance may be a minimum requirement,” he says.