Special Report
A special report is content that is edited and produced by the special reports unit within The Irish Times Content Studio. It is supported by advertisers who may contribute to the report but do not have editorial control.

Cyber insecurity: businesses combating the rise of cyber crime

There are plenty of things companies big and small can do to protect themselves from data breaches

If the recent Facebook/Cambridge Analytica scandal can be credited with anything, it’s that it made people all too aware of how much they live online nowadays. Details on everything from their favourite childhood cartoon to their credit card information are floating around cyberspace – something the revelations made vividly clear. The internet has merged itself into everyday life in ways that felt impossible just a decade ago, and that level of connectivity is only going to increase.

Half the population of the planet now use the internet in some form, and with that level of growth it’s only natural for cyber crime rates to increase too – in fact, the worldwide cost of cyber crime will reach close to €2 trillion by 2019. There’s been a steady rise in cyber attacks on Irish businesses in recent years too, with even small- or medium-sized enterprises – who once wouldn’t have been seen as traditional targets – starting to feel the pinch.

In the past, most businesses tended to view cyber security as an issue for the IT department, but it’s now a primary concern for many. Hacking has become more sophisticated, and the responsibility to protect data and customer information from potential breaches – no matter the size of the company – has increased the need for awareness. Cyber threats can come in many forms, be it denial of service attacks on websites or ransomware, a form of malware that can lock computers or valuable files until a ransom is paid to unlock them.

A number of high-profile events have helped sharpen business focus on cyber crime in recent years, says Tony Hughes, associate director of risk consulting at KPMG. “Three out of four large Irish companies increased their spending following the WannaCry ransomware attack in 2017, with budgets being increased by up to 59 per cent. At the same time, the SME sector has still to fully engage with the issue – with recent surveys indicating that 49 per cent of SMEs budget for around €1,000 per year on cyber security, with 22 per cent having no budget in mind at all.”

Reputational damage

Not only can these breaches result in financial loss, they can cause reputational damage too – a business that’s had data stolen won’t be very attractive to potential clients. Irish businesses can no longer afford to be lax when it comes to online security, especially with the introduction of the EU General Data Protection Regulation (GDPR) on May 25th. This requires any organisation that holds personal data to report breaches to the Data Protection Commissioner – failure to do so can result in fines of up to €20 million.

“The arrival of the GDPR and the associated penalties has certainly caught the attention of business leaders. Focus to date has been on good housekeeping of the ‘information estate’, with efforts being made to capture personal information in information registers,” says Hughes.

That said, only one of the 99 articles in the GDPR deals with cyber security, and Article 32 doesn’t provide specific guidance over what constitutes an appropriate security model. Hughes feels this presents businesses with a chance for self-reflection about their security needs. “Perhaps businesses should use GDPR as an opportunity to look closely at how they currently operate and best utilise the resources needed not only to merely comply with GDPR, but also how best to securely process customer and citizen information after the May 2018 deadline.”

Karl McDermott, Head of 3Connected Solutions with Three, says GDPR has seen a significant increase in the number of customers talking to them about mobile security. “Companies are fearful that the data employees have on their mobile devices could be compromised if that device is lost or stolen. As well as basic MDM [mobile device management], we have seen a significant increase in the deployment of Citrix Enterprise Managed Mobility solutions.”

Staff training

While figures surrounding cybercrime can make for bleak reading, it’s not all bad news. There are plenty of things businesses big and small can do to defend themselves. One key layer of defence is staff training and awareness. “Staff are a critical element of cyber defence, particularly in relation to attempts at cyber fraud or theft, phishing, data theft or corruption or transmitting malware. Encourage them to think twice before opening an unsolicited email attachment or acting upon unusual requests, even if they appear to be from senior management,” says Hughes.

Karl McDermott says there are fundamental things any business should be doing to safeguard themselves, including: “Keep their systems up to date. This means operating systems at the latest patch levels. Very few attacks are ‘Day Zero’, which means they are only effective against systems which have not been updated. And make sure that any company who you connect to has the same level of security that you require for your own business. Many attacks come from external companies connecting vulnerable systems to another company’s network.”

Cyber crime is a global issue and has led to the creation of cyber defence alliances and ISAOs (Information Sharing and Analysis Organisations) around the world. The aim of these alliances is to pool resources and share information about potential security issues, and to gain strength in numbers. Of course, there’s a level of trust involved for those within the alliance, but the days where institutions attempt to conceal breaches out of embarrassment are fading fast, and such co-operation is in everyone’s best interests.

The cyber security tech industry is experiencing something of a boom time, although a one-size-fits-all approach rarely works. KPMG, for instance, takes an approach dubbed “Cyber Resilience” that ensures businesses are supported at all times, including in a post-breach situation. “Our full offering is designed to help organisations identify, protect, detect, respond and recover from a cyber-related incident,” says Tony Hughes. “This involves the design of target operating models for cyber security in a business, IT audits, privacy management, core technology testing, forensic services, business-continuity planning and evolving and future technology risk.”