Cyber Risk: what Irish businesses need to know
Despite hearing constantly about cyber crime and the tactics of cyber criminals, many Irish businesses, especially smaller ones, tend to think they’re not the targets of such activity. It is a common cry heard by Irish cyber security professionals from Irish SME owners: ‘what would a hacker want with us?’
This often leads to a level of complacency when it comes to cyber security protection measures that leaves Irish businesses open to attack. Understanding a little more about how these criminals operate, what tools are at their disposal, and more importantly, what can be done to protect businesses, could raise the protection level for everyone.
The first thing to tackle in this discussion is the idea that a small Irish business is not a target of hackers, hacktivists (hacker activists), or even nation state actors. The perception of ‘I’ve nothing they could be interested in’ is false for a number of reasons.
First of all, hackers these days are almost entirely profit motivated. Organised crime has turned to cyber crime due to its relatively low-risk, high-yield possibilities. No less an organisation than the United Nations, with its Office on Drugs and Crime, has written about how organised criminal gangs have branched out into the cyber world, often with some of their oldest scams and crimes.
This trend has been compounded by a creeping professionalisation of cyber criminals. Studies from as early as 2014 have found that criminals are offering professional-level support services for their hacking tools, denial of service attacks, and ransomware platforms.
The drive towards professionalism in operation has been matched by an increasing sophistication of hacking tools and services. Taking advantage of developments in technologies such as software as a service and cloud applications, there are now ‘crime-as-a-service’ operations that further increase reach, lower cost, and widen access for hackers and cyber criminals.
The import of these developments is that it has never been easier to access, deploy, and operate sophisticated hacking tools that are backed up by professional-level services. The effect of organised crime, then, is to ensure that hackers are motivated to look for every weakness, opportunity, or victim. Criminals will search widely for vulnerabilities and weaknesses that will allow them to take advantage. The cost of opportunity for them is very low, and therefore even a small gain from a hack is worthwhile, as it might be one of tens of thousands of such small hacks and gains.
With the understanding that any organisation could be a target, what can smaller organisations do?
The first step, according to many authoritative voices, is to take a risk-based approach. What that means is to focus on the areas of most significant risk to the organisation. Even for the largest enterprises, no one can protect everything with limited resources. Therefore, the best approach to take is to identify what is of greatest value to the organisation and then focus the greatest protection there. For a small business with an online presence, that may be a customer database, or it might be systems related to production, or productivity tools. It doesn’t matter what it is; it need only be the answer to the question ‘what can we not do business without?’
After making these assessments to protect the most valuable assets, the next thing is to consider data, not systems. The old idea of a firewall, like a castle wall, protecting everything inside is long gone. The pandemic, and the work from home model in particular, has exploded that one. There is now a drive to protect data at rest, where it is stored, and in motion, when it is being served to those who need it.
These are the trends in cyber risk management that large organisations have applied in recent years, but they are now well within reach of smaller businesses through cloud and as-a-service delivery models. No longer do businesses need to buy, implement, and administer a complex set of security applications. Now, managed security service providers (MSSPs) can deliver all manner of cyber security services to organisations of any size, without the need for them to have anything more than a passing knowledge of the need. This has been a game changer in cyber security. Without the need for in-house expertise, or the capital cost of infrastructure and application management, the smallest companies can access the most sophisticated cyber protections, informed by industry best practice and a broad install base.
The cold reality in cyber security is that it is impossible to eliminate all risk. Every organisation is a target, but with a change in mindset and access to everything needed as a service, Irish businesses of every size can protect themselves to a base level that will make them less attractive as a target. Hackers and cyber criminals tend to be opportunists and if they come across a target that is reasonably well secured, the likelihood is they will carry on to an easier target. As the old axiom goes, you don’t always need to outrun the lion, just don’t be the slowest prey.
Paul Hearns
- https://www.unodc.org/e4j/zh/cybercrime/module-13/key-issues/criminal-groups-engaging-in-cyber-organized-crime.html
- https://www.sciencedirect.com/science/article/abs/pii/S136137231470003X
- https://www.thinkbusiness.ie/articles/tech-media-telecoms-december-developments-insights-cybercrime/
- https://www.mckinsey.com/business-functions/risk-and-resilience/our-insights/the-risk-based-approach-to-cybersecurity
- https://www.techtarget.com/searchsecurity/feature/Best-practices-to-secure-data-at-rest-in-use-and-in-motion
- https://www.techtarget.com/searchitchannel/definition/MSSP