Cybercrime is on the increase — and is evolving at breakneck speed.
Almost half of businesses across Ireland said in a recent survey that incidents are increasing, yet a similar percentage said their spend on cyber defences would remain unchanged.
Despite awareness slowly growing of the existential threat posed by cybercrime, more and more organisations and individuals are falling victim to the sinister gangs that pervade the digital world.
According to Pat Larkin, chief executive of Ward Solutions, the reason is simple: Companies believe they are safe by merely investing in cyber security tools.
But not enough organisations are paying attention to the fact that their people are vulnerable to attack.
Think of it like this: You buy a state-of-the-art home alarm system to protect your home.
Screeching alarm sound, infra-red lights, the works.
It sounds great but it’s not much use if you and your family aren’t really up to speed in employing the security systems.
What’s the point of having an alarm if you don’t know the code?
On a larger scale, think of corporations being vulnerable to a mass attack as akin to a town that is prone to flooding.
You can install the latest flood defences with the help of quality architects and designers.
That flood system won’t provide much protection if the town doesn’t have a protocol to activate the defences when disaster strikes.
“Attacks are much more sophisticated and much more targeted and they are much more successful,” Mr Larkin said. “That is really the trend and the message we have tried to get across to people – your historic strategy doesn’t necessarily apply. Throwing technology at it on its own does not solve the problem. [A] prevention-only strategy is unsuccessful.”
Over a third of organisations have admitted to having a security incident over the last 12 months, according to Ward Solutions.
“That security incident could be anything from a ransomware attack, to a lost laptop, or inadvertently sending personal details out through email. It describes a lot of forms. People pick up the headlines of major breaches or something topical like ransomware, and they get a little obsessed and stuck in the headlights on that one. We do a lot of board briefings and events for people. We try and get them to step back from it a little. You can have some of the best technology in the world but if you don’t have the human firewall, then the technology can be very easily bypassed,” he said.
Organisations who report cyber attacks are typically referring to an email that duped them.
“That duping really involved process, not technology. What seems to be a bona fide request from a supplier to change their banking details and therefore you wire to the new bank account without performing any checks or verification. People are inclined to hit the reply button too easily. You see it so many times,” he said.
The biggest consistent failing is when firms take an “ad hoc” approach to their information security.
People have to rethink their approach to firewalls and invest heavily, said Mr Larkin.
“Engage your staff at all levels. If you do it piecemeal in relation to your technology and your people and your processes, you are going to leave major gaps,” he said.
“Here is an industry getting a very strong return from cyber criminality. Once that dynamic is in place, that becomes a growth industry. The more success they have, the more resources they have. There’s a discussion going on at the moment that some of these groupings have more resources in terms of cyber hacking than nation states. Arguably some of their capability has come from a relationship with these nation states,” he said.
Companies like Ward Solutions are going to be in demand in the coming years as organisations wake up to the threat, Mr Larkin said.
“Our business is about protecting organisations and their brand, their intellectual property, etc by identifying the risks they face, and helping them put in place appropriate controls. We would describe ourselves as a complete security and solutions provider. We’ll help with that upfront effort of identifying the risks and other priorities, building a security management system. We then help them in testing and verifying their security posture, which is something you need to do regularly,” he added.
Getting the simple things right and not being distracted by the new wonder systems and their boastful promises is important.
“We’re not about trying to ship them the latest silver bullet,” Mr Larkin said.
“We spend a lot of time educating our customers on what measures they should be taking. We want to be in a position to help protect people as best we can.”