594827985

This article was first published in the May 2018 Ireland edition of Accounting and Business magazine.

If they were scenarios in a Netflix thriller or Scandi noir they might sound far-fetched: a crime syndicate enters your office and brazenly sets up business there; agents from a rogue state arrive at your door, threatening to smash up the premises if you don’t pay them off. Yet however implausible they appear, these threats are all too real for Irish businesses in the online world. 

Last year, a number of high-profile Irish websites, including government bodies, were among thousands compromised globally by hackers using them to mine cryptocurrencies. Meanwhile, the threat of ransomware escalated to new levels in 2017 as attacks involving the WannaCry and Petya viruses cost businesses around the world over €4bn, with strong evidence that at least some attacks were state-sponsored. Add to this the ever-present threat of sensitive data breaches, and information sold or disseminated online, and the warning from Oracle CEO Mark Hurd should ring in every business owner’s ears. 

Hurd argued last year that what we’d seen so far was only a foretaste of ‘truly shocking’ cyberattacks yet to come. ‘This thing is going to get more serious, not less serious,’ he said. Lloyd’s of London shares the concern, and has estimated that a fresh wave of escalated attacks could cause up to €100bn worth of economic damage worldwide.

Misplaced confidence

Yet it’s an open question as to whether this reality is resonating among Irish businesses to the degree it should. A recent survey by Accenture found that almost three-quarters of Irish security executives are confident in their ability to protect their business from cyberattacks – this in spite of the fact that the average company suffers two to three effective attacks per month. Head of cybersecurity for Accenture in Ireland, Chris Davey, says the findings bear out the need for new thinking. ‘The reality is that most Irish companies do not have effective technology in place to monitor for cyberattacks and are unaware of ways to better protect their business,’ he says. 

It’s a view shared by Hugh Callaghan, EY’s director of cyber. ‘Most people believe their controls are bullet proof and can’t be breached,’ he says. ‘The reality is quite different. One of the things companies haven’t really grasped is how good their detection needs to be.’ 

For those conscious that their commitment to online security isn’t up to speed, Accenture’s research offers some useful guidance. It found a range of similar traits in the key areas of strategy, technology and governance among companies that effectively ‘leapfrogged’ from security laggards to high performers. Firstly, these companies aligned their security strategy with their business objectives and took a proactive rather than preventative approach to security. Secondly, in terms of technology, they actively engaged with new and disruptive technologies. Finally, in the area of governance, they ensured their chief information security officer had real control over security strategy, along with buy-in and a strong line of communication with the CEO and board. 

Protection is key

Ivan Quill, pre-sales technical architect with cybersecurity specialists Integrity360, notes that while the recent cryptocurrency mining attacks brought home the danger of networks becoming infected by employees clicking on seemingly innocent links, the nuisance they cause isn’t yet comparable to the dangers of active data breaches or ransom scenarios.Key to combating those, he says, is up-to-date anti-virus protection. 

‘A lot of companies are starting to bring AI [artificial intelligence] or machine learning into their anti-virus protections, which is vitally important. A traditional antivirus is dependent on a system getting infected and providing indicators of compromise. When you get into machine learning, you are identifying what the code you’re running is doing and using modelling to identify good and bad behaviours.’ 

For those who find themselves in a worst-case scenario, Quill says that ‘it is vitally important you have a solution to recover your data. There also needs to be a gap between the backup and the main data to ensure it’s not compromised by the same attack.’ 

There may be a temptation to pay a ransom, particularly when it’s a relatively small amount. However, Quill stresses there is no guarantee payment will lead to decryption of data, while indicating a propensity to pay may put businesses on the radar for further attacks. 

While he sees a growing awareness among Irish SMEs of the threat, Quill agrees it is coming from a low base. ‘Some of the events of last year have woken people up. However, there is still a view in many smaller companies that “no one will go after me”. But if someone is targeting major companies they will often look at suppliers to find a weak point. If you don’t have the same level of controls, you may be a target.’ 

Donal Nugent, journalist