The crippling cyberattacks on the State’s health service are a “wake-up call” to politicians, businesses and the public that more protective action is required, security experts have said.
Technology specialists said the ransomware attack on the Health Service Executive and the Department of Health had brought to wider public attention the increasing risks from cybercrime that they have been warning about for several years.
"Two or three years ago as a cybersecurity provider we would have been shouting at the wind trying to get board-level attention," said Pat Larkin, chief executive of Ward Solutions, a Dublin cybersecurity advisory firm that is helping some hospitals to recover data this week.
“It is an incredibly lucrative business model for cybercriminals. The cybercrime economy is now worth more globally than the illicit drugs trade.”
Mr Larkin said the public may be “aghast” that an international crime organisation would attack a national health service, threatening patient safety, but the attack is part of a trend he has been seeing. “Two or three years ago we would have been dealing with ransomware attacks every fortnight; it’s daily now in terms of the frequency of incidents with clients.”
Brian Honan, chief executive of BH Consulting, a Dublin cybersecurity and data protection advisory firm, said the HSE attack and the severity of its impact "should make companies sit up and pay attention".
“It shouldn’t just be treated or left to be thought of as an IT problem because it’s an actual business risk and needs to be managed,” he said.
The Covid-19 pandemic has created “a perfect storm” for criminals to exploit weakened technological solutions created quickly to allow people working remotely, with unprotected email and computers systems exposed to attacked, said Mr Honan.
The increase in online shopping in lockdowns has been targeted as criminals use “phishing” and other malicious emails about shopping receipts, flight refunds, tax refunds, pandemic unemployment payments and even vaccine appointments to break into IT systems.
“The focus in companies has been on getting the systems up and running and keeping the business open and surviving. Security may have been a distant thought,” he said.
Mr Honan said a joined-up strategy to tackle cybercrime that draws in State specialists, An Garda Siochána and various government departments was required and that it had to be adequately resourced.
“I would hope it’s a wake-up call that people pay attention to,” he said. “Unfortunately, I have had similar wake-up calls in the past that have created a lot of media attention but then, once the tension has waned, the snooze button has been hit.”
Protecting from cybercrime costs on average 5-10 per cent of the IT budget of a business, which in turn is 5-10 per cent of overall turnover, according to research company Gartner, which tracks spending on cybersecurity.
"Some people view it as an optional expense but at this point it's as necessary an expense as paying your health insurance," said Thomas Kinsella, co-founder of Tines, a security automation company. "Investing in cybersecurity is a cost of doing business, otherwise your and your customers' data is going to be compromised."