Whether they're investing in security cameras, expensive alarm systems or personnel to patrol buildings, most firms see spending on crime prevention as a worthwhile investment that helps protect their business.
Given this, it is more than a little odd that the same organisations can be incredibly lax when it comes to cybersecurity. Despite a large number of well-publicised attacks that have left companies in the lurch, many firms in Ireland continue to ignore the issue.
Confirmation that doing so is a huge mistake came via a new survey from consulting firm PwC last week, which showed that cyber attacks against Irish companies have almost doubled since 2012.
According to the report, the frequency of such attacks against Irish businesses has risen from 25 per cent in 2012 to 44 per cent currently, a rate that is considerably higher than the global average of 32 per cent. Moreover, of those firms affected by cybercrime, nearly one in five incurred losses of between €92,000 and €4.6 million.
Surge in cyber attacks
The survey came hot on the heels of a new warning for Irish firms to take better precautions after a surge in cyber attacks over the last 18 months.
Det Insp Michael Gubbins, head of the computer crime investigations unit at the Garda Bureau of Fraud Investigation, warned that many small and medium-sized businesses are not taking the issue seriously enough.
“If someone sets up a shop on Grafton Street they are going to put in CCTV, alarms and other security measures. The same concept has to be brought to bear on a company’s online presence, but this generally isn’t happening at present,” he said.
While many companies persist in believing criminals are interested only in targeting large international firms, it is smaller firms that are generally more at risk from cybercrime.
After all, larger organisations have the funds to invest in prevention tactics. Bigger firms are also more likely to have experts at hand who can help keep an eye on things, while in smaller companies the person charged with looking after IT may also have a number of other roles that demand equal if not more attention.
"Overall, there isn't much awareness of cybersecurity risks among SMEs. Some of this is due to the fact that many such companies don't have internal expertise, but a lot of them have also spent the last few years concentrating on staying in business and this has trumped everything else," said information security consultant Brian Honan of BH consulting.
As many companies are discovering, however, not ensuring you are protected against possible cyber attacks is akin to leaving all the lights on and the front door of your premises unlocked overnight.
"It is not a question of if you are attacked but of when. Many organisations just assume that because you're small and appear irrelevant that attackers won't be interested. But there are multiple examples of why attackers would be interested enough in your business to have a go," said Pat Moran, leader of PwC's cybersecurity practice.
Honan agrees. He says that a “Who’d want to attack me?” attitude persists among SMEs that leads them to not take the issue seriously enough.
“Smaller firms tend to see cybercrime as a problem for the banks and the big multinationals but that’s not the way criminals think. They are looking for an easy way to make money and the easiest method of doing this is not by trying to overcome massive security obstacles, which most large organisations will have in place, but by engaging in things like CEO fraud and ransomware, both of which are simple social engineering tricks that encourage people to hand over money without any major risk,” he said.
Mr Honan says the way hackers operate has changed beyond recognition, to the point that rather than trying to drum up notoriety they now prefer to go incognito.
“In the 1990s, hackers were creating viruses to become famous. These viruses were generally easy to detect and for the most part were benign. Over the last 10 to 15 years, however, organised crime has got in on the act and is creating viruses that are meant to go unnoticed.
“Such malware can uncover critical information about companies and their employees that can either be sold on the black market, used for blackmailing firms in instances such as ransomware or used to take over PCs in attempts to launch distributed denial-of-service attacks,” he said.
Given the lack of importance attached to cybersecurity, it is not surprising to discover that few small businesses have anyone dedicated to looking out for threats. Speaking to The Irish Times last week, Det Insp Michael Gubbins advised SMEs to ensure that at least one person is given responsibility for the area, as they would with issues such as health and safety. Most experts agree, saying that whoever is put in charge needn't be a techie.
“Treat this like any other key risk such as chemical spills, product contamination or fraud and get management to own it, rather than IT. Continually roll out awareness programmes, have a PC-internet usage policy, ensure back-ups are done regularly and patch up systems frequently,” said Mr Moran.
“Many companies are still treating the issue as an IT one and ignoring the reputational and brand-risk element and most are blissfully ignorant of internal threats, which are where the biggest vulnerability to them exists. Firms are very trusting of their staff and aren’t training them frequently enough on the risks involved,” he added.