How to deal with unprecedented levels of cyberrisk
Start with staff training and move quickly towards finding an edge for your company
The shift to remote working has highlighted weaknesses in the cyber defences of even the largest and best resourced organisations. What chance everyone else?
Covid has exposed employers to unprecedented levels of cyberrisk as staff work from home, often on their own devices and always on their home networks. For employers, the bottom line is this: if you connect it, you must protect it.
Start with staff
Employees are your first line of defence so draw up a cybersecurity policy and ensure everyone is familiar with it.
It should outline the importance of cybersecurity and include brief explanations about the various forms of attack, such as phishing, smishing and CEO fraud.
It will explain the need for preventative actions such as applying patches and updates, and why this goes for their own devices if they use them for work purposes, as well as their official work ones. If you have rules around BYOD (bring your own device) practices, specify them.
This is particularly important given how rich a source of personal information the email on a person’s smartphone is.
Even leaving aside the risk of customer data breaches, simply having confidential work attachments can leave firms open to an array of social engineering-enabled attacks.
What to do in the event of a DDoS (distributed denial of service) or ransomware attack should also be specified, as should guidelines and protocols around company social media.
“Staff training raises awareness and best practice around issues such as phishing, the need for two-factor authentication and avoiding weak passwords,” says John Durcan, senior technologist with Enterprise Ireland, who suggests Skillnet Ireland is a good place to start.
The national agency for worker learning has a range of free online cybersecurity training programmes which your staff members, or a nominated cyberteam lead, can use to develop their skills in-house.
It includes free courses from the Cisco Networking Academy, whose modules are online, self-paced and self-certified.
More than 6,500 people are employed in cybersecurity in Ireland. Compared with other countries, that’s a high proportion given our small population of less than five million.
Despite this, soaring demand means that cyber skills remain “like hens’ teeth”, says Dave Feenan, who heads up the ICT Skillnet.
It makes training up your own staff doubly valuable. Skillnet offers a range of programmes to suit, right up to a master’s degree in cybersecurity, an online programme delivered by the National College of Ireland.
It has also launched futureintech.ie, a new initiative that includes cybersecurity analyst training, which is designed to help non-tech jobseekers move into high-demand IT careers, so more talent is on the way.
In all, Skillnet Ireland’s Cybersecurity Skills Initiative aims to train 5,000 people in cybersecurity skills over the next three years.
Demand looks set to outstrip even that. Globally the cybersecurity sector was already projected to grow by 10 per cent – even before Covid hit, points out Aoife O’Leary, Enterprise Ireland’s vice-president digital technologies, in San Francisco.
While the rush to keep one step ahead of the cybercriminals is global and never ending, Irish companies should at least have an advantage given that Ireland is now an established hub for cybersecurity innovation.
Homegrown cyber heroes
The increased cyberrisk resulting from the move to home working is something that a fast emerging crop of homegrown companies is helping to mitigate.
Ireland is already home to the top five security companies worldwide and is the location of choice for more than 40 multinational companies with cybersecurity operations. It is also home to over 60 indigenous cybersecurity companies and start-ups.
Cybersecurity has long been a significant sector here. The need to secure the data of the many multinational companies which choose to locate here, as well as that of the indigenous sector trading around the world, has long put data security to the top of the government’s agenda.
It’s why the National Cyber Security Centre was established a decade ago, and why Ireland has had a national cybersecurity strategy since 2015 – the current one charts the sector’s development until 2024.
Cyber Ireland, another national initiative, was established in 2019 to provide a framework to support a fast-growing cybersecurity cluster that is being fostered not just by industry but by academia and government too.
Enterprise Ireland plays its part by providing innovative cybersecurity start-ups with funding, advisory and soft supports such as mentoring. That has resulted in a series of homegrown cybersecurity solutions which are world class and well worth checking out for any organisation now looking to manage cyberrisk effectively.
These include TitanHQ, which provides web and email filtering, as well as secure email archiving, and protects businesses from malware, ransomware, phishing, viruses, botnets and other cyber threats.
Enterprise mobility solutions provider CWSI helps organisations reduce the risk inherent in staff working off their own devices, enabling them to stay secure while they do so. Cybesafe is an intelligent online security awareness platform that helps to measure and address employees’ cyber practices and behaviours.
From a user perspective, they’re all part of the new generation of cybersecurity products coming out of Ireland which are not just more effective but easier to navigate than their antecedents.
“We are seeing a blend of technologies come together, with expertise in artificial intelligence and cybersecurity working together with the result that the tools are both getting better and easier to use, which is really nice,” says Durcan.
Simple staff training can have an amazing impact on the reduction of cyberrisk and, with the move to home working, that has become more important than ever.
“When you are in an office environment you have the whole office protection around you, including firewalls,” says Durcan.
“At home you can click a link that can lead to ransomware, or a key logger (malware which can be used to capture things like bank account numbers or passwords), and even the fact that it has happened will not be picked up until much later, because you’re using a local device.”
Andy Green, Chief Information Security Officer at Gemserv and Cloud Security Influencer of the Year winner at the Cyber Security Awards 2020, saw immediately the ways in which the pandemic impacted cybercrime.
“What was quite amazing was the speed at which criminals adapted to Covid messaging”, he says. Many moved swiftly to try and defraud industry and even the healthcare sector as organisations looked to secure personal protective equipment.
In the main, however, organisations that had good remote working technologies in place, tested before the pandemic, are at a broadly similar level of risk from cybercrime now as they were then.
For others, working from home has increased the cyberrisk. “Previously people connected to their colleagues within the network, knowing that anything within it was secure,” he says. When communications cross that boundary, they become insecure, creating “a significant area of risk”.
Outside of the safety of a secure corporate network or VPN, sending an email is akin to “sending a postcard without an envelope,” he cautions.
The good news is that much of what is required is inexpensive or even free. “It includes ensuring you have a firewall on your router, and that it is turned on, as well as a firewall on your device – such as Windows Defender,” he advises.
Next, make sure devices are configured to switch off services that are not required, such as Wi-Fi. Mobile device management software allows companies to check the configuration of users’ devices, says Green.
Ensure two-factor authentication is in use, use anti-malware software such as AVG, which is free, and make sure your operating software, and that of any third-party apps on your phone, plus patches, are all kept up to date.
“Research from the UK government indicates that if these five fundamental steps were taken 80% of cyber activity would be prevented,” he says.
Get the edge
The risks inherent in home and mobile working have fuelled the rise of solutions for “edge devices” too: any piece of hardware that controls data flow between two networks – such as a router which connects public networks to the internet.
During the first lockdown many organisations were caught up in the rush to equip staff, often buying devices such as laptops straight off the shelf, without thought for cybersecurity, says Justin Moran, head of governance and head of security at mobile phone company Three.
Now that the dust has settled, it’s time to secure them. 3Mobile Protect is a solution that shields mobile devices from threats like phishing and malware. It also lets you filter out non-work apps and content such as social media. Its Mobile Device Management enables staff to remotely wipe smartphones and tablets in the event of loss or theft, ensuring their content doesn’t fall into the wrong hands.
Even before Covid, the move to cloud computing had seen our vulnerability to cybercrime increase. That threat has since escalated, and for a number of reasons. “People moved to the cloud very quickly, but the criminals moved as well,” says Dani Michaux, KPMG International’s EMA cyber leader.
Exacerbating the problem is that staff newly working from home are more likely to be distracted, either by family members and flatmates, or by the simple fact that their colleagues, customers and suppliers are all getting used to a new environment too.
It makes it easier for crimes such as payment fraud, where funds are misdirected to a criminal’s bank account by a simple change in digit, or an authentic-looking note purporting to be from a boss, to pass under the radar, she points out.
What’s more, it isn’t only cybersecurity that needs redressing as we adapt to the brave new world of work; it is the organisation’s entire approach to risk.
For very many, their traditional business continuity planning meant that, in the event of a major incident, such as fire or an electricity outage, Plan B would see them dispatch staff to work from home, she points out.
“But if people are already working remotely, you have to ask yourself, ‘what does your business resilience look like now’?”