Special Report
A special report is content that is edited and produced by the special reports unit within The Irish Times Content Studio. It is supported by advertisers who may contribute to the report but do not have editorial control.

Criminals have an inbuilt advantage in the great cyber arms race

‘Attackers only have to find one weakness to succeed, the defender has to fix them all’

Cybercrime is on the rise, and not just because of new vulnerabilities created by the Covid-19 pandemic and the widespread shift to remote working. The truth is that cybercrime has become a business, and a very lucrative one at that. And the rewards on offer are attracting more people into this nefarious industry.

How can organisations assess their vulnerabilities and determine their cyber risk exposure? 

To put the scale of that industry in context, a report from the US Centre for Strategic and International Studies and computer security firm McAfee has estimated global losses from cybercrime at just under $1 trillion for 2020, a new record and almost double the $500 million financial loss in 2018.

And, as organisations like the HSE know to their cost, ransomware is increasingly becoming the weapon of choice. According to computer security researcher and publisher Cybersecurity Ventures, ransomware damages will cost the world economy $265 billion by 2035, up from an expected $20 billion by the end of 2021.

“The cyberattackers are increasing their aggressiveness and frequency of their attacks, with an organisation falling victim to a ransomware attack every 11 seconds,” says Carolyn Drury, global security marketing manager with Hewlett Packard Enterprise.

“It is on the rise,” says Eoin Keary, CEO of security software specialist Edgescan. “The Verizon Data Breach Investigations Report from Verizon showed that attacks were up between 20 and 25 per cent so far in 2021. It’s becoming another pandemic in a way. It’s got really bad because it’s easy to do and because people are not doing the basics. Even big companies like Colonial with multimillion dollar budgets have been breached.”

Breaches

The Verizon report also revealed that 85 per cent of breaches so far this year involved a human element; 36 per cent involved phishing, up 11 per cent on last year; and 10 per cent involved ransomware, double last year’s level.

“It is increasing but it hasn’t changed much,” Keary adds. “What we’re doing is trying to secure a moving target and it’s moving more rapidly now. The birth of cryptocurrencies and ransomware has allowed criminals to extract money in different ways.”

Those developments have facilitated the industrialisation of cybercrime. “It’s a very, very good business to be in if you’re that way inclined,” Keary adds. “You can get a job in cybercrime on the dark web. You will get paid in bitcoin and get a full benefits package and training like any other job. The days of the teenager in his bedroom are pretty much gone. Bitcoin blew the whole thing wide open. It has become much more professional, and businesses need to up their game to defend themselves.”

"The simple fact is that for cybercriminals the ransomware business model works," adds Brian Murray, enterprise account executive with security software and hardware company Sophos. "Organisations can't survive without access to their data so many are prepared to pay to get that access restored. Most of all, the use of cryptocurrencies means that attackers can now collect their ransoms with relative anonymity."

And the total cost of cybercrime is a lot higher than the losses incurred as a result of ransomware attacks, according to Colm Murphy, senior cyber security advisor with Huawei. “There could be $6 trillion in losses globally this year from cyber breaches. That’s a very big number. If that was an economy people would be acting much faster and more urgently.”

Ransomware

Ransomware is by no means the only cyberthreat which organisations must defend against, of course.

"Survey figures recently published by the International Data Corporation are stark," says Sarah Hipkin, head of technology consulting with Mazars Ireland. "They showed that more than one third of organisations worldwide had experienced a ransomware attack or breach that blocked access to systems or data in the previous 12 months. And for those that fell victim to ransomware, it is not uncommon to have experienced multiple ransomware events."

The number of phishing attacks being undertaken by cyber criminals has tripled since 2019 and is a constant firefight for IT and security teams, Hipkin adds.

“The human is still by far the easiest route for a cybercriminal to get inside an organisation’s network and obtain unauthorised access to critical systems and valuable data that often carries with it considerable street value.”

We are all aware of those human frailties. After all who hasn’t been tempted by a very convincing text from our bank telling us our card has been restricted and asking us to click on a link to clear up the issue?

“Companies are worried that employee behaviours are putting them at risk,” says Mark Jordan, chief technologist with Skillnet Ireland. “We carried out some research and it showed quite a low level of cybersecurity maturity in this country. There is also a low level of investment in training and skills development. However, there is a growing awareness of the need for greater investment. Companies need help and we are providing it in the form of a number of training programmes and other initiatives.”

Vulnerability

The pandemic has magnified that vulnerability. “As enterprises have made the digital rush to find new pandemic-inspired ways to work, it opened them up to new vulnerabilities and this was especially true at the edge of networks where the same levels of physical protection as their data centre were not established,” says Drury.

“Now the immediate panic has abated, organisations are grappling to reduce risk and ensure their people, processes and technologies are secure and protected. However, this is often done at the expense of being able to scale their security at the speed of their digital transformation.”

Most businesses are doing their best, however. It’s just that the criminals have an in-built advantage in this particular arms race.

“The defender’s job is always harder,” says Keary. “Attackers only have to find one weakness to succeed, the defender has to fix them all. A disgruntled hacker from the Conti ransomware syndicate which was behind the HSE attack released the training manual given to their people. It’s very basic stuff. It’s not black magic stuff they’re doing. They are looking for soft targets with the ability to pay, and they are looking to get in through vulnerabilities people have known about for years. It’s just that organisations are not fixing them quickly enough.”

Help is at hand

Skillnet Ireland offers a number of training courses and other programmes aimed at helping companies to protect their business in the face of the escalating cyber threat. Central to this need is the growing shortage of skilled cybersecurity personnel to protect against and respond to security breaches.

CyberQuest is a free online cybersecurity training programme. “The programme will help individuals in certain sectors to pivot to cybersecurity roles,” says Skillnet Ireland chief technologist Mark Jordan. “It offers training at foundational, intermediate and advanced levels, and will allow people move from low-growth sectors into cybersecurity roles in other areas.”

The organisation is also running initiatives for jobseekers to help them become cyber analysts. “We want to equip people for these new roles,” says Jordan. “We have a certified programme for cyber risk officers. The course equips students with a comprehensive understanding of cyber risk management, and the syllabus assumes that the students come from a non-technical background and covers a range of topics from identification of cyber risks through to risk management options. We also offer a part-time online Masters of Science in Cybersecurity programme.”

Outside of these formal training programmes, Skillnet Ireland offers other training events to companies.

“We run ‘capture the flag’ events where companies come in with their IT teams and ethical hackers show them how easy it is to penetrate their organisations,” he says. “We want to address the cyber challenges faced by companies of all sizes from small start-ups all the way up to large multinationals. Cybercriminals are very quick to understand how to penetrate an organisation’s networks. It’s a constant challenge for businesses to prevent attacks, and we want to help make sure the talent in the organisation can keep pace with that.”

Barry McCall

Barry McCall is a contributor to The Irish Times

READ MORE