Defending against threats which keep on changing
Organisations face many challenges when it comes to protecting themselves against cyberattack
Many Irish TV viewers will be familiar with Caroline Flack in her role as presenter of the popular Love Island reality show. But Flack has recently earned the more dubious honour of becoming the most dangerous celebrity to search for on the internet in the UK, having knocked Kim Kardashian off the top spot. Searches for Flack’s name land on links to more malicious websites and viruses than any other celebrity, according to cybersecurity firm McAfee.
This demonstrates once again the fact that an organisation’s greatest vulnerability to cyberattack is probably its people. Employees clicking on dubious celebrity sites, being fooled by phishing emails, getting hoodwinked by social media fraudsters, or simply losing USB keys or laptops tend to be the weakest links in the cybersecurity chain.
This may sound fairly light-hearted and of little importance, but the global cost of cybercrime reached $1.5 trillion, or $2.9 million per minute, in 2019, according to the annual Evil Internet Minute Report from San Francisco-based cybersecurity firm RiskIQ.
“Organisations need to educate their employees to look out for phishing,” advises Three Ireland’s head of regulatory affairs Niamh Hodnett. “Malware is often linked to phishing and employees have to think before they click.”
Of course, phishing and risky web surfing aren’t the only cyber threats facing organisations. “Ireland is part of the global cybersecurity environment and is exposed on a local and global level,” says Brían Gartlan, who heads up BDO’s Risk & Advisory Services department in Ireland.
“The threats are evolving and becoming more sophisticated. The evolving nature of the threats means that, at some point, almost all businesses will face this risk. These threats mean there are many areas to defend, manage and prepare responses to such threats. SMEs who innovate by using mobile apps, utilising social networks or mobile workforce tools must think worst-case scenario as part of the planning, and implement ongoing security by design – covering technical, procedural and end-user training.”
Variety of sources
Cyberattacks can come from a variety of sources, according to Kevin Curran, professor of cybersecurity at Ulster University. “Plain ordinary criminals are behind much of it but there are threats from some governments as well,” he notes. “But only very large organisations need to be concerned about those threats from governments. Not even the Irish Government should be all that concerned. That threat is mainly coming from Russia and eastern Europe where you have highly trained, mathematically thinking societies.”
And there are others. “There are individual hackers who can be financially motivated,” Hodnett points out. “Hacktivists who are motivated by a cause; organised crime groups; cyberterrorists with a political agenda; and insiders with an axe to grind with the company they work for.”
She also notes the existence of unscrupulous corporations who ally with other threat actors to steal intellectual property from or inflict reputational damage on rivals.
The nature of the attacks is equally diverse. According to Dani Michaux, KPMG’s head of cybersecurity in Ireland, the top threats include ransomware and various types of traditional fraud using the internet as a vector.
“There are many threats and over the past year ransomware was one of the most publicised,” she says, noting there is evidence that threat actors are getting more co-ordinated.
“We are also seeing increased supply chain risk and data breaches,” she says. “It’s about the ability to obtain intellectual property and they are using the supply chain as entry points to organisations.”
Another line of attack is cloud-based software. “Some organisations are not deploying security properly when they move on from premise to cloud-based solutions.”
And then there is CEO fraud, which involves quite a sophisticated scam but would not be all that difficult for old-fashioned confidence tricksters. The cybercriminal learns all they can about a chief executive or chief financial officer by connecting with them on social media and other channels. On the day the executive goes on holiday, the criminal sends a spoof email purporting to be from the executive, asking for urgent payment of a bill that the executive had supposedly forgotten about. The emails typically contain a frightening amount of detail about the holiday destination, the family members on the trip and so on.
“Generally, requests for change of payment beneficiary details should be diligently checked,” says BDO’s Gartlan. “Prime times to attack are during holiday season when key decision-makers are on annual leave. Threat actors are aware of this and try to target a company when someone else is in charge.”
Defence against cyberattack often comes back to basics. “Ensure passwords are secure and use more than single-factor authentication by requiring a code to be sent to a mobile before granting access,” Hodnett advises. “New-generation firewalls remove malware at the edge before it gets into the network and even small SMEs can use these.”
All organisations should have cyber policies in place, regardless of size, she adds. “Companies need to educate employees to look out for phishing and they should ensure that the right people have the right level of access and a log should be kept of who is accessing the system. Software and operating systems should be updated regularly with patches to keep security features up to date.”
Kevin Curran says it starts with adhering to smart practices and standards. “The ISO27000 cybersecurity certification offers a checklist for what to do,” he adds. “All files that contain sensitive data should be encrypted. You can put third-party canary software on the network to detect breaches. Organisations should also get training for their employees.”
They should also apply best practice for passwords, which is not what you might think. “The National Cybersecurity Centre in the UK has said that regularly changing passwords is actually bad practice as people just default to easily remembered passwords if they do this,” Curran points out.
“At a minimum, businesses should consider completing a cyber-gap assessment or penetration testing of their environment,” Gartlan adds. “Have your IT team issue phishing emails regularly and compare open rates and how many people highlighted the email as a phishing email.”
Finally, Michaux points out that organisations are not alone in facing this challenge. “When these things are happening, they are not only happening to you,” she says. “You should share information with your own community. We are better together than individually, and we should share experiences of what happened and learn from each other about what works and what doesn’t work.”