As war continues in Ukraine, thoughts have increasingly turned to the potential for cyberattacks against businesses and people outside the country.
And it’s with good reason. Ahead of the invasion of Ukraine, Russia launched a series of cyberattacks on Ukraine, including denial of service attacks targeting Ukrainian government websites, and viruses that wiped data from computer systems.
There have been warnings in recent weeks that an attack could hit Ireland. The risk was laid out in recent days by the Minister for Foreign Affairs, who told the Oireachtas Committee on Foreign Affairs and Defence that the country was at increased risk from cyberattacks because of the war.
“There is an increased cyber threat in our assessment,” Simon Coveney said. “We are taking the appropriate precautions in relation to that in terms of a heightened sense of awareness and concern in that space.”
There is evidence that the threat level is rising elsewhere. Globally, there has been an increase in cyberattacks. And worse is probably to come. Ronan Murphy, chief executive of Irish cyber-security firm Smarttech247, says Russia could target the West with a wave of attacks, a “scorched earth” approach that could destroy systems and data rather than the ransomware attacks that have hit major organisations in recent months.
In recent weeks, security experts have warned Irish consumers and businesses to be on the alert for potential attacks, saying they should “treat the internet as hostile” in the coming days and weeks.
Not only do we have to watch out for direct attacks, but criminals could also try to take advantage of the disruption caused by the conflict. There are plenty of people who could use the crisis to con people via phishing emails claiming to be from international aid organisations, infected videos or emails claiming to provide information on the crisis, and other scams.
Security consultant Brian Honan says there is no evidence of a direct threat to Irish businesses and organisations from a cybersecurity point of view. However, attacks launched on Ukraine-based organisations could spiral beyond that.
“The problem with computer virus attacks is that they are very hard to contain. Cyber weapons are not precise; they’re not easily controlled and could cause damage elsewhere,” he says.
Take the NotPetya attack in 2017 as an example; although it was aimed primarily at businesses working in Ukraine, the resulting attack caused several billion euro of damage globally.
Another potential impact of the invasion, and the West’s sanctions in response to it, is that when these attacks inevitably happen, there will be little co-operation in finding the perpetrators.
Install the updates
An effective way to keep your systems safe is to install the various security updates pushed out by your device manufacturer as and when they become available. This may seem like a no-brainer, but there are plenty of people who delay installing new software on their phones, laptops, tablets and other devices because they are wary of the impact of a buggy update on their system.
That perspective not without merit. Software updates are usually considered to be a good thing, either giving you extra features or patching up potential security vulnerabilities. But occasionally, things don’t go as planned. A bad line of code caused serious issues for the International Space Station in 2013. Sony accidentally bricked – rendered unusable – Playstation 3 consoles with a bad update. And who can forget Facebook’s outage last year that not only caused its services to fail for users, but also locked its staff out of the very systems they needed to fix the problem, which was attributed to a software audit tool.
So it’s not a bad thing to be wary of installing software updates too quickly. Just don’t delay installing them for too long, especially if there are security updates included. The longer you hold off, the longer your system is left vulnerable to potential hackers.
It is almost impossible to remember every strong password you have created, which is why we often take a risk and reuse them
That advice goes for all your connected devices, from your laptop and smartphone to your connected home devices. Stay on top of updates to prevent your wifi lightbulbs and smart fridges being used as part of a bot army online.
When it comes to laptops and other devices you use regularly for sensitive tasks, make sure your systems are as protected as possible, with antivirus software and firewalls. And don’t forget to regularly update those, too.
Click with caution
Having a healthy dose of wariness could keep you safe online. If you operate a “zero trust” policy online, you could save yourself a stray click that installs bad software on your machine.
While there have been all sorts of stories of malware that can get on to your phone without you having to do a thing, the reality is that for most attacks, we humans are the weak link. That means clicking a link, installing infected software or visiting a website that compromises your device.
Be careful of what websites you visit, and if a link arrives in an email, there is no harm in forgoing the convenient click and going to your web browser to type in the address yourself.
Don’t click on attachments without checking the source. We all know to be aware of suspicious, unsolicited attachments. But what about an email from a known business or personal contact? That may not set off alarm bells, but it could easily be infected with malware and create a backdoor into your computer system and accounts.
Scan all attachments for malware with security software, and if in doubt, contact the sender through verifiable channels.
Use strong passwords
Prevention is better than cure, and in this case, strong passwords could be all that stands between malicious attackers and your personal data. But what is a strong password?
It is one that is difficult to guess or crack using a brute-force attack – where the attacker uses trial and error to guess your information. Anything containing personal information should be avoided, as should simple-to-guess words or phrases. It goes without saying “password” should never be your actual password, unless you’d like to leave the door wide open for whoever would like to poke around in your accounts.
The more random, the better, and the longer a password is, the more difficult it will be to guess. Use a mix of symbols, numbers and letters, both upper and lower case.
It is almost impossible to remember every strong password you have created, which is why we often take a risk and reuse them.
But that is one of the quickest ways to ensure your data is compromised. That password you have been using for the past 10 years is probably floating around a cache of compromised credentials on the dark web. Reusing passwords across multiple accounts gives hackers the key to all your online accounts.
There is one solution that could help: a password manager. This is an app or software on your computer that will not only store all your strong passwords, but will suggest them to you.
Has your data been exposed in a previous breach? There are ways to find out
It may seem counterintuitive to trust all our passwords to a piece of software, but security experts back them for one very good reason. As much as we like to think our passwords are random, human nature means they probably aren’t. A computer-generated password is another proposition.
All you have to do is secure the software with a single strong password, and it will do the rest for you. Just make sure that password is as strong as possible – and not a reused one.
Even if the worst happens and someone manages to break your secure, random password, having two-factor authentication will help keep intruders out of your accounts.
This adds another layer of security to your accounts, requiring you to not only know the password to log in, but also provide a back-up code or authentication method to gain access to your account.
If your accounts offer two-factor authentication, implement this feature, and choose an authenticator app over simple text message authentication to make things even more secure. Google and Microsoft both offer authenticator apps to add an extra layer of security to your accounts, as does Facebook.
Check for breaches
Has your data been exposed in a previous breach? There are ways to find out. HaveIBeenPwned tracks multiple data breaches, compiling the credentials that have been leaked into a searchable database.
Security software company Avast has a "hack check" website (https://www.avast.com/hackcheck) to see if your password has leaked online. You enter your email address, and any associated breaches will be emailed to you
Both Apple and Google offer password check-ups on their systems, alerting you if your saved password has shown up in a data breach and advising you to change it as soon as possible. It may not necessarily be your password that has leaked, but if it is a dictionary word, or a commonly used alternative, it may have been used elsewhere and leaked in a breach.
Watch your accounts
Keep a close eye on your accounts, both financial and digital, for signs of unusual activity that could indicate you have fallen victim to some sort of attack.
If you notice anything usual – emails you haven’t sent, or accounts that you didn’t sign up for – do some further investigation.
If necessary, you can cancel credit cards and speak to your bank about potential fraud. Some more technologically forward banks will alert you every time a transaction is made on your account, giving a potential early heads up about any fraudulent activity.