There used to be only two certainties in life – death and taxes. Now there are three, because it is no longer a question of if an organisation will suffer a cyber breach, but when. With this omnipresent threat hovering, how can companies best prepare for such an eventuality and become more cyber resilient?
“Cyber risk was cited as the single biggest risk to growth by Irish business leaders in KPMG’s recently published 2021 CEO Outlook survey. This reinforces the clear recognition of the likelihood of cyber breaches for every organisation,” notes Dani Michaux, KPMG’s EMA cyber leader.
Data from the Palo Alto Networks Unit 42 threat intelligence team demonstrates just how rapidly the cost of these attacks is growing.
Carla Baker, senior director, Government Affairs UK & Ireland, Palo Alto Networks, notes that from 2015 to 2019, the highest ransomware demand was $15 million. “But in 2020, this doubled to $30 million and the highest ransomware the Unit 42 incident response team has seen this year was $50 million.”
According to Baker, ransomware attacks have evolved into a successful business model in itself. “Hackers see good returns and criminal gangs have developed ways for the gangs to channel the ransomware payouts that are hard to detect.”
Perhaps it’s not shocking that cybercriminals are so enterprising – Baker even says there’s been a recent boom in hackers creating ransomware kits and selling them on the dark web where they are bought by less-skilled hackers who can then go out and launch their own cyber attacks.
It has also become clear that unscrupulous attackers have taken advantage of the pandemic to prey on different types of organisations; Baker says the healthcare sector was the most targeted vertical for ransomware in 2020.
“Ransomware operators were brazen in their attacks in an attempt to make as much money as possible, knowing that healthcare organisations – which needed to continue operating to treat Covid-19 patients and help save lives – couldn’t afford to have their systems locked out and would be more likely to pay a ransom,” she says.
These days, organisations of all sizes are at risk of a cyber attack, agrees Raj Samani, chief scientist at McAfee Enterprise and FireEye. “We understand the impact a cyber attack can have from both a monetary and reputational point of view. Our recent research found that cybercrime is now a trillion dollar drag on the global economy,” he explains.
To overcome this, he says, businesses must consider “threat intelligence” as a critical approach to understanding the types of threats that they should be concerned about. “Extracting information about certain threats, which industries they target, which countries they focus on, and how they operate is a critical component for defending against such attacks.”
According to Michaux: “It is really about planning and exercising – both at executive and technical levels. Technology needs focus, but executive engagement is even more crucial. It needs to be brought to life for the board, so they understand the challenges of dealing, for example, with organised crime, rebuilding the business, and managing the communications and regulatory flurry which comes with a major incident.”
Cyber resilience is a mindset and demands a holistic approach which brings together cybersecurity, business continuity and disaster recovery, she adds. “It requires an organisation-wide focus on not just protecting systems, but on testing the response and recovery should the worst happen, as well as a willingness to contemplate the worst-case scenario and to exercise how you would respond when, and not if, that happens.”
While, historically, many businesses would have valued the sense of “control” over their data that more traditional models, such as on-premises hosting, would offer, more firms are beginning to see the data security benefits of other models, such as secure cloud hosting. According to research carried out by William Fry and published in its Global Trends in Technology and Data Report, 73 per cent of organisations surveyed were increasing their investment in information security.
“The onset of the pandemic and the widely-reported ransomware attack on the HSE and several other international organisations have really brought these issues to the fore for Irish business leaders,” says David Kirton, partner in William Fry’s technology department.
Michaux agrees. Businesses are now looking to external providers to help them manage these risks, she says.
“In the old days, IT was onsite, defended by firewalls and barriers, under our control and our management. This model is dead, and with it comes a raft of new digital infrastructure providers that we depend on for hosting, for platform and for service provision.
“Now businesses are increasingly dependent on third-party services – from the major cloud providers, through the ecosystem of software as a service (SaaS) providers and managed service providers, to the new world of data and analytic service providers.”
She adds that the EU Network and Information Security (NIS) directive, which creates the pan-European framework for regulating the security of our critical national infrastructure, is currently being revised to reflect this reality.
And with today’s threats growing in volume and sophistication, Baker says it is more critical than ever to arm the Irish State with the necessary skills to prevent cyber attacks. The Government has committed to taking steps to address the cybersecurity skills gap as set out in the National Cyber Security Strategy; actions include supporting the development of training programmes and promoting cybersecurity careers, among others.
And efforts are also being made to future-proof Ireland’s cyber resilience. Palo Alto Networks, through its Cybersecurity Academy programme, is partnering with accredited secondary or post-secondary academic institutions to provide hands-on cybersecurity knowledge and training to students who need to keep pace with the ever-changing global cyber-threat landscape, Baker explains.
“We are honoured that the University of Limerick, the National College of Ireland and the Technological University Dublin are part of our Cybersecurity Academy programme. Initiatives such as these form part of the building blocks that will ensure we have the right level of skills needed to secure the Irish State.”