Dealing with a global threat
An EU Commission report estimates global financial losses due to cybercrime to be at least €350 billion a year and projected them to reach €1.89 trillion by 2019
WannaCry ransomware attack: Cybercrime is very much a global phenomenon but the solutions begin at home
The nature of the threat posed by cybercriminals was perhaps most powerfully demonstrated during last year’s US presidential election. The fact that the computer network of the Democratic Party, an organisation with access to some of the best cybersecurity expertise on the planet, could be hacked by criminals on the other side of the world sent a chill down the collective spine of the business and political establishment.
More recently, the global spread of the WannaCry ransomware attack, which infected more than 230,000 computers around the world and crippled the UK National Health Service, showed just how vulnerable even the largest organisations are when it comes to cyberattack.
It should come as little surprise then that a 2016 report from the Executive Agency for SMEs at the European Commission estimated global financial losses due to cybercrime to be at least €350 billion a year and projected them to reach €1.89 trillion by 2019.
This has led to a change in attitude towards cybercrime in the past few years, according to KPMG head of cyber Mike Daughton. “It was previously seen as an IT issue and a lot of people on boards and at senior management level didn’t really think about it. They saw it as the responsibility of the IT department but they are now seeing it as much more of a business issue. If you look at risk registries of many organisations, cybersecurity is moving up in prominence.”
It is also getting much more attention from regulators, particularly in the financial services sector. “Regulators are expecting much more from companies in this area, they want them to be prepared for cyberattack and be able to defend against it.”
The EU General Data Protection Regulation (GDPR), which comes into force next year, has also served to sharpen the focus. “This affects all companies and organisations regardless of size once they hold data on third parties,” Daughton adds. “It places new requirements on them and this is all tied into cybersecurity. The threat landscape has changed as well. The criminals are becoming more sophisticated, it’s a moving train and it’s getting more difficult for organisations to keep up.”
Every business needs to be aware of the threat, according to John Bolger, senior manager for IT audit and cyber security with BDO. “We are working with clients who face threats on many levels, from denial of service attacks on their websites, ransomware on their workstations and networks, to spear phishing of their CFOs and accounts payable departments, malicious or careless and inappropriate employee activity, and old-fashioned physical theft of mobile devices with data on board.”
The evolving nature of the threats means that at some point almost all businesses will face this risk, he continues. “These threats mean there are many areas to defend, manage and prepare responses to such threats. SMEs who innovate with bring your own device, mobile apps, and use of social networks or mobile workforce tools must think worst-case scenario as part of the planning, and implement ongoing security by design – covering technical, procedural and end user training.”
Karl Montgomery, head of 3Connected Solutions, says that prevention is better than cure when it comes to cybercrime. “We are seeing an increased use of data analytics to monitor what’s happening on networks and to detect suspicious activity,” he notes. “For example, a retailer might put their tills on the network and they should only talk to one or two servers. If there are signs of more activity than that it probably indicates that something is wrong. The whole piece around data analytics is growing in importance. Technologies like machine learning and artificial intelligence are being used for security.”
He points to a report from Gartner which has predicted that by 2020 zero-day vulnerability to cyberattacks will be a fraction of 1 per cent. That is, the chance of experiencing a brand new type of attack will be infinitesimally small. By then, almost everything will be a known form of attack, so much of the defence will come down to keeping technologies up to date and training people.
Training is critical, Montgomery adds. “An IDC report has shown that phishing is the biggest single incidence of cybercrime, with 38 per cent of respondents saying they had fallen victim to it. A lot of this comes down to staff training so that they know not to click on unknown or suspicious links and not to open attachments if they are not sure of the identity of the sender.”
People can actually be an organisation’s first line of defence, according to KPMG director of forensic practice, Will O’Brien. “More focus is needed on people and training,” he contends. “People can be your greatest risk but they can also be your greatest asset in the fight against cybercrime if they are trained properly. They will be the first to notice suspicious activity and report it so that an appropriate response can be put in place.”
Greater co-operation between organisations is also needed, says BDO’s John Bolger. “We believe that Government and businesses need to open and facilitate secure two-way communications channels for cyber security policy and updates. The framework to support this requirement is in progress. The Government has implemented a National Cyber Security Centre (NCSC) and Computer Security Incident Response Team (CSIRT) as part of the 2015-2017 Cyber Security Strategy. A key factor in the success of this will be the sharing of information. There is a reluctance among businesses to share ‘bad news’ due to reputational risks. This needs to be circumvented by the provision of secure and confidential communications channels.”
People, process, technology are the essential ingredients of a good defence, according to Mike Daughton. “Organisations should take a holistic approach to these areas and build out the controls from there. There is also an element of planning for the worst. They need a response and recovery capability as well. If you do get a breach such as a denial of service attack, you need good frameworks in place to respond, deal with it and recover. This needs to be done with reference to all the critical data assets which need to be protected.”
There are opportunities for Ireland amid this electronic battlefield. Estonia, one of the smallest countries in the EU, has established itself as a global leader in cybersecurity and a recent trade visit to this country jointly organised by Enterprise Ireland and Enterprise Estonia gave Irish firms the opportunity to link up with their Estonian counterparts to gain access to their expertise and possibly form joint ventures. “One of the aims of the Ireland-Estonia Tech Bridge was to encourage more Estonian cybersecurity companies to consider Dublin as a viable alternative to other leading European cities,” says Bartosz Siepracki, Enterprise Ireland’s Warsaw office manager.