Spectacular cyberattacks like the one on the HSE tend to command public attention, but these are the mere tip of the iceberg of cybercriminal activity. Indeed, there has been a marked shift away from ransomware attacks on larger, wealthier organisations in favour of targeting smaller businesses which may be less well defended, with the National Cyber Security Centre (NCSC) recently warning Irish businesses of this trend.
Two reasons are advanced for that change. The first is that bigger organisations tend to be better protected and are less likely to pay a ransom. The second is that some of the ransomware gangs became victims of their own success and attracted the attention of law enforcement which forced them to fracture. That in turn has led to a proliferation of what might be termed freelance cybercriminals who do not have the resources to take on big organisations and are searching for easier pickings among smaller companies.
You need to understand what is critical to your business, how can you protect this, and how you can recover if attacked. These will all be key factors to reducing the risk and impact
“Normally what cybercriminals do is target supply chains,” explains David McNamara, chief executive of cybersecurity firm Commsec. “These are typically small and medium-sized businesses. The criminals use them to get into large organisations. They understand that large organisations have better defences. Small and medium-sized businesses do not have the same level of defence and they are seen as an easier mark.”
It comes down to a question of resources. “Small to mid-sized organisations tend to not have the resources to build up a strong cyber foundation and at times it is only when they get attacked that they take it seriously, which is sometimes too late,” says Marc Roche, associate director with Accenture in Ireland’s security practice. “You need to understand what is critical to your business, how can you protect this, and how you can recover if attacked. These will all be key factors to reducing the risk and impact.”
While gold standard cyber defences may be beyond the reach of many SMEs, there are some simple steps they can take to protect themselves and deter the criminals. They begin with what McNamara terms proper housekeeping which includes keeping software and operating systems up to date, maintaining secure data backups, and having multifactor authentication on all devices, email accounts and so on.
“There are lots of simple things that companies in the supply chain can do,” he says. “After all, it’s their brand and reputation that’s at stake. It’s all about trust and if your customers can’t trust you, why should they do business with you? The more difficult you make it for attackers the better. Small and medium-sized businesses typically have antivirus software and firewalls, but they may not be configured properly. User education is also important. Business should educate employees to not click on email links or suspicious websites.”
It comes down to how well you train your teams to know what strange looks like, especially now that most people are working from home or in a hybrid arrangement
Most compromises start with a phishing email, so having the settings correct is important, says BDO director Eoghan Daly. “It will not be apparent to cybercriminals, but it is a key measure organisations can take. Requiring two-factor authentication to log on to company systems and accounts will prevent the majority of cybercrime.”
Sean Morris, chief technical officer at Galway-based cybersecurity firm TitanHQ advises small businesses to carry out testing on their staff to see if they are prone to being fooled by phishing messages. “They should also keep their antivirus and other software up to date. Operating systems on laptops represent a treasure trove for criminals.”
The importance of training is highlighted by Rida Villanueva, director of Cybersecurity and Forensics with Grant Thornton. “It comes down to how well you train your teams to know what strange looks like, especially now that most people are working from home or in a hybrid arrangement. There is a slightly different vulnerability. You have to set up the equipment yourself. There is not the same security as in the office. There are added layers of security you can have but these tend to be the responsibility of the individual to look after. Personal devices like home printers and mobile phones are also points of vulnerability. How do you secure these personal devices when people are using things like messaging apps on them?”