The recent ransomware attack on the HSE is only the tip of the iceberg and most attacks on businesses start with antiquated systems and poorly trained employees.
It’s perhaps a dirty little secret of the business world in 2021 that many successful extortions by hackers who have managed to breach a company’s IT system go unreported because firms fear reputational damage. Welcome to the frontline of cybersecurity in 2021.
The tech industry has been fighting a losing battle with hackers for as long as companies had networks and computers had operating systems. You could argue it goes back even further beyond Enigma machines to encryption and cyphers used by spies in ancient Rome and even earlier. As long as there was information to protect, someone always wanted it. Knowledge is power.
“This is definitely a global pandemic from a cybersecurity perspective”
But in 2021 even the average individual with a mobile device or broadband connection is now on the frontline of cyberattacks, assailed daily by phishing and smishing attacks to scam calls and more. In June Bank of Ireland reported that the number of phishing sites targeting Irish consumers doubled in just a month with up to 20 fraudulent websites appearing daily.
It starts with individuals
Michael Montoya, chief information security officer, Equinix
The average business, no matter how much is invested in defending systems, is at the mercy of the most trusting employee who can easily click on the wrong link in an official-looking email or fall prey to sophisticated social engineering that could yield access to bank accounts or see entire systems held to ransom.
The crippling ransomware attack on the HSE should serve as an eye-opener for many organisations in Ireland and globally but, as a roundtable held by data centre player Equinix held this week heard, could be more prevalent as many firms pay the hackers and keep it under wraps. Even not sharing this knowledge is holding back the fight against hackers.
The attacks don’t even have to be sophisticated. A spoof message sent to an employee of Meath County Council in 2016 saw €4.3m end up in a Hong Kong bank account. This could still happen in any organisation today. And probably is happening.
With the recent ransomware attack on the HSE shining a light on the risks associated with antiquated digital infrastructure, Equinix’s global survey of 2,600 IT decision-makers illustrated that 84pc of respondents in Ireland view improving their organisations’ cybersecurity as a top priority, similar to the 81pc of respondents worldwide who said the same – a significant increase from the 70pc of total respondents who said this in the 2019 version of Equinix’s report.
“Our survey was conducted just before the HSE and other recent high-profile breaches,” said Maurice Mortell, managing director of Equinix in Ireland. “It shows that Irish enterprises had already recognised cybersecurity as their top priority. Now that there is national awareness of the havoc that a cyberattack can cause, we are seeing an even more pronounced focus on IT and cloud security by Irish enterprises.
“The evolving workplace is seeing a growing trend towards hosting applications and data in the cloud, so we can expect to see a sharper focus on cloud security. There are significant benefits of hosting data in highly secure cloud environment, but there are also risks.
But it is also clear that training and knowledge-sharing is key to the fight back.
“This is definitely a global pandemic from a cybersecurity perspective,” said Michael Montoya, chief information security officer (CISO) at Equinix. “Public disclosure is essential. By ensuring that indicators are compromised this gets into other organisations’ defence mechanisms. Technology is improving but we need to move faster.”
Montoya said that US President Biden’s recent executive order on improving the United States’ cybersecurity has helped to bring the conversation to public discourse about how paralysing cyber attacks can be. “If you want to get the US people’s attention, mess with our BBQs and petrol.”
Patch updates are critical
Maurice Mortell, managing director, Equinix Ireland
Montoya said that for organisations to defend against attacks such as those on the HSE constant patch updates to systems are crucial. “Critical patch updates are just like putting on a safety belt. As a community we need to increase the barriers for entry for attackers. There is no doubt that this is a a global challenge that every business, community and government faces.”
Montoya warned that if anything the attack perimeter has expanded for businesses because so many employees are working from home, with the majority working off domestic broadband connections.
“Covid-19 has made cybersecurity a business resilience topic. With massive regulatory and tremendous reputation issues, what we are seeing now is identity has become the new perimeter.
“With so many people working from home, traditional tech is not helping to provide the same level of control. The acceleration of digital transformation requires a different approach, starting with identity.”
Hugh McGauran from Check Point Software agreed: “Irish organisations embraced digital transformation because they had to.”
He pointed out that there is a skills shortage when it comes to cybersecurity professionals and that the Irish curriculum in schools and universities need to keep pace. “There’s no reason why Ireland can’t be a centre of excellence for cybersecurity. It would be brilliant to see curricula move at the speed of the industry.”
He said that it should be a matter of Government policy to see a much greater acceleration of tech talent to the wider business community.
Mortell agreed and said that there is a rich vein of tech talent in Ireland but suggested looking beyond colleges and universities to develop cybersecurity skills. “There is a good case for apprenticeship programmes and even down to developing the skills in schools.”
Montoya said that in the cat and mouse battle between organisations and hackers, the hackers will always win if organisations fail to stay organised and informed. This boils down to disciplined security patching and keeping people trained and certified. “You need to bring everyone onto the field. Technology will only take us so far. Organisations really need to take critical patching seriously, deploy technology closer to the control plain and remove phishing attacks and continue to address this in training.”