Cybersecurity is one of the rare areas where pessimism is crucial. Businesses are being told to assume the worst when it comes to the possibility of a disruptive, distressing and potentially disastrous cyber breach.
Increasingly sophisticated methods of detection, coupled with easier monetisation of stolen data thanks to digital currencies, mean that the number of cyber breaches increases almost every single day. Yet what businesses spend on cybersecurity may be merely a fraction of what they spend on insurance, for example. With the number of data breaches on track to reach a record high this year, experts say that how organisations prepare for the inevitability of cyberattacks and build their cyber resilience should be top of the priority list for 2022.
The good news is that following a spate of high-profile cyber breaches in recent months, awareness is peaking among business leaders regarding the practical, financial and reputational damage a potential cyberattack could wreak. "Cyber risk was cited as the single biggest risk to growth by Irish business leaders in KPMG's recently published 2021 CEO Outlook survey. That reinforces the clear recognition of the likelihood of cyber breaches for every organisation," explains Dani Michaux, KPMG's EMA cyber leader.
Cybercrime is itself big business, and is typically viewed as a low-risk crime with high payoffs. Data from the Palo Alto Networks Unit 42 threat intelligence team highlights how rapidly the value of these payoffs is growing: Carla Baker, senior director, government affairs UK & Ireland, Palo Alto Networks, notes that from 2015 to 2019 the highest ransomware demand was $15 million (about €13.2m). "But in 2020, this doubled to $30 million and the highest ransomware the Unit 42 incident response team has seen this year was $50 million." The most recent figures estimate that cybercrime may now cost the world a staggering $600 billion, or 0.8 per cent of global GDP.
And according to Baker, ransomware attacks have evolved into a successful business model in their own right. “Hackers see good returns and criminal gangs have developed ways for the gangs to channel the ransomware pay-outs that are hard to detect.” Perhaps it’s not shocking that cybercriminals are so enterprising – Baker even says there has been a recent boom in hackers creating generic ransomware kits and selling them on the dark web, where they are bought by less skilled hackers who can then go out and launch their own cyberattacks.
Unscrupulous attackers have taken advantage of the pandemic to prey on different types of organisations; Baker says the healthcare sector was the most targeted vertical for ransomware in 2020. “Ransomware operators were brazen in their attacks in an attempt to make as much money as possible, knowing that healthcare organisations – which needed to continue operating to treat Covid-19 patients and help save lives – couldn’t afford to have their systems locked out and would be more likely to pay a ransom,” she says.
These days, organisations of all sizes are at risk of a cyberattack, agrees Raj Samani, chief scientist at McAfee Enterprise & FireEye. "We understand the impact a cyberattack can have from both a monetary and reputational point of view. Our recent research found that cybercrime is now a trillion-dollar drag on the global economy," he explains.
To overcome this, he says, businesses must consider “threat intelligence” as a critical approach to understanding the types of threats that they should be concerned about. “Extracting information about certain threats; which industries they target, which countries they focus on, and how they operate is a critical component for defending against such attacks.”
“We all know the world has changed, we know the threats are out there, but many Irish businesses big and small still think that if they have a firewall, they are safe in the event of a cyber-attack,” says Cormac Reid, founder and CEO of Roctel. “Your business needs to be secure, as the threat landscape has fundamentally changed, and it can no longer be left to the IT department or even the CIO or CSO to ensure the business defences are rock solid. Like Covid-19, cyber-attacks are invisible to the human eye, but steps can be taken to mitigate and greatly reduce the risk. You can use all the technology you want to protect your business, but proper management of that technology enables you to reap the benefits. Your cyber defence strategy needs to have the same focus for the business as your main business systems do, always remembering that cyber defence is a system.”
“Zero trust needs to be applied across the business, with multi- and two-factor authentication at every application access point required for users as a minimum,” he adds.
HSE ransomware attack
But the concept of cyber resilience is not just about security – it’s about limiting the severity of breaches when they do occur, and ensuring a business can continue to operate. This issue was brought to the fore in the worst imaginable way when the HSE ransomware attack occurred: doctors were left trying to organise appointment lists with pen and paper, while scans had to be physically delivered to the relevant departments throughout the hospitals.
According to Michaux, when it comes to cyber resilience and preparedness, “it is really about planning and exercising – both at executive and technical levels. Technology needs focus, but executive engagement is even more crucial. It needs to be brought to life for the board, so they understand the challenges of dealing, for example, with organised crime, rebuilding the business, and managing the communications and regulatory flurry which comes with a major incident.”
Cyber resilience is a mindset and demands a holistic approach which brings together cybersecurity, business continuity and disaster recovery, she continues. “It requires an organisation-wide focus on not just protecting systems, but on testing the response and recovery should the worst happen, as well as a willingness to contemplate the worst-case scenario, and to exercise how you would respond when, and not if, that happens.”
While historically many businesses would have valued the sense of “control” over their data that more traditional models, such as on-premises hosting, would offer, more firms are beginning to see the data security benefits of other models, such as secure cloud hosting.
According to research carried out by William Fry and published in its Global Trends in Technology & Data Report, 73 per cent of organisations surveyed were increasing their investment in information security. "The onset of the pandemic and the widely-reported ransomware attack on the HSE and several other international organisations have really brought these issues to the fore for Irish business leaders," according to David Kirton, partner in William Fry's technology department.
Businesses are now looking to external providers to help them manage these risks, Michaux adds. “In the old days, IT was on-premise, defended by firewalls and barriers, under our control and our management. This model is dead, and with it comes a raft of new digital infrastructure providers that we depend on for hosting, for platform and for service provision.
“Now businesses are increasingly dependent on third-party services – from the major cloud providers, through the ecosystem of software as a service (SaaS) providers and managed service providers, to the new world of data and analytics service providers.” She adds that the EU Network and Information Security (NIS) directive, which creates the pan-European framework for regulating the security of our critical national infrastructure, is currently being revised to reflect this reality.
But with a significant level of hybrid and remote working set to persist, employee education and training must also be a crucial element of any cyber resilience strategy. Verizon’s 2021 Data Breach Investigations Report found that some 85 per cent of data breaches involve a “human element”, suggesting that the weakest link may lie closer to home. Employee education and training is vital, says Michaux.
And with today’s threats growing in volume and sophistication, Baker says it is more critical than ever to arm the Irish state with the necessary skills to prevent cyberattacks. The Government has committed to taking steps to address the cyber security skills gap as set out in the National Cyber Security Strategy; actions include supporting the development of training programmes and promoting cybersecurity careers, among others.
And efforts are also being made to futureproof Ireland's cyber resilience. Palo Alto Networks, through its Cybersecurity Academy programme, is partnering with accredited secondary or post-secondary academic institutions to provide hands-on cybersecurity knowledge and training to students who need to keep pace with the ever-changing global cyber threat landscape, Baker explains. "We are honoured that the University of Limerick, the National College of Ireland and the Technological University Dublin are part of our Cybersecurity Academy programme. Initiatives such as these form part of the building blocks that will ensure we have the right levels of skills needed to secure the Irish state."