15 June 2017
Technology today is so deeply woven into virtually every facet of business that crimes committed through digital channels are a fundamental problem. Ransomware encrypts data on a computer, and victims must pay to get their information back or risk it being deleted. The prospect of losing vital data forever, combined with a financial hit, may have made many organisations realise the seriousness of the threat posed by cybercrime.
Data breaches are a major risk for many businesses, from exposing customer records through a stolen laptop or USB key, to deliberate targeting of customer details or personal information that criminals can sell on black markets. Aside from losing data, breaches can lead to reputational damage and financial loss. One example: in January of this year, the websites of the Central Statistics Office, the Department of Justice and the Courts Service all suffered distributed denial of service attacks that took them offline, which some argue was detrimental to their reputation.
Back to basics
If people only ever did business in the physical world, security would just be a matter of alarms, locks, fences and anti-theft systems to protect offices, shops and warehouses. But more reliance on technology inevitably means the cybersecurity risks increase.
Faced with persistent attackers prepared to play the long game, what can businesses do to protect themselves? It is recommended that people focus on the basics, getting to know all the technology they have in their business, whether it is all up to date, and to know all the vulnerabilities associated with it.
Sectors most hit by ransomware in Ireland include healthcare and the legal profession. Earlier this year the Central Bank warned all those coming under its protection, including investment firms, funds, fund service providers and stockbrokers, that cyberattacks present a significant threat.
Part of the problem facing a number of banks across Ireland, and ultimately the globe, is that they have not invested as much as they should have in the infrastructure required to keep their data as secure as it should be. It is vital for financial providers to invest in security, as a cyberattack could result in significant financial exposure.
Smaller organisations might need more of a cost-benefit analysis but if they are applying for public sector tenders, cybersecurity risk insurance may be a minimum requirement.
It is cheaper for many organisations to store their data in the cloud, and the theory is that it is safer too. But that is not always the case. Yes, it is cheaper and it is a managed service. But the downside is that they lose a little control over their data protection. At the end of the day one may pose the question: where is the data sitting?
Would your employees fall for an online scam?
Training and employee awareness are also relatively inexpensive yet very effective in improving security. These exercises encourage staff to be more aware of cyber threats such as suspicious emails. Good backup can help to restore data in the event of a ransomware infection.
Many cyber criminals can make emails appear to be from a genuine address and use them to impersonate a senior executive at the company, requesting an urgent money transfer. Phishing emails often evade technical safeguards because they are carefully crafted to appear genuine and trick the recipient into opening them or clicking on a link. This puts the onus on businesses to educate their people to spot potential scams.
An increasingly popular approach to security awareness training is to start by sending employees a fake phishing email, made to look like it comes from the organisation’s own HR or payroll department. It might ask the recipient to click a link or open a file, and the website they are brought to then asks for their network login credentials.
This shows how much information people would give away, and general statistics can then be shared with the organisation. It is believed that many IT departments are the biggest culprits for opening these emails.
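To make the "general statistics" step concrete, here is an added example (not code from the original article or from any named vendor) that summarises the results of a simulated phishing campaign per department. The event records, the stage names and the department names are all constructed for illustration; the summary deliberately records only whether the landing-page form was submitted, never the credentials themselves, so the report can be shared with management without handling passwords.

```python
from collections import defaultdict

# Ordered stages an employee can reach in the simulation. Assumption (constructed
# for this example): one record per employee giving the furthest stage reached.
STAGES = ("delivered", "opened", "clicked", "submitted")

# Constructed sample events: (employee id, department, furthest stage reached).
# No credential values are ever stored, only the fact that the form was submitted.
SAMPLE_EVENTS = [
    ("e001", "IT", "submitted"),
    ("e002", "IT", "clicked"),
    ("e003", "IT", "opened"),
    ("e004", "IT", "submitted"),
    ("e005", "Finance", "opened"),
    ("e006", "Finance", "delivered"),
    ("e007", "Finance", "clicked"),
    ("e008", "HR", "delivered"),
    ("e009", "HR", "opened"),
    ("e010", "HR", "delivered"),
]


def summarise(events):
    """Return {department: {stage: count}} with cumulative stage counts:
    an employee who submitted also counts as having opened and clicked."""
    per_dept = defaultdict(lambda: {s: 0 for s in STAGES})
    for _emp, dept, furthest in events:
        if furthest not in STAGES:
            raise ValueError(f"unknown stage {furthest!r}")
        reached = STAGES.index(furthest)
        for i, stage in enumerate(STAGES):
            if i <= reached:
                per_dept[dept][stage] += 1
    return dict(per_dept)


def submit_rate(summary, dept):
    """Fraction of delivered emails in a department that ended in a credential submission."""
    counts = summary[dept]
    return counts["submitted"] / counts["delivered"] if counts["delivered"] else 0.0


def rank_departments(summary):
    """Departments ordered by submission rate, highest first (ties keep input order)."""
    return sorted(summary, key=lambda d: submit_rate(summary, d), reverse=True)


def report(summary):
    """Plain-text summary suitable for sharing aggregate results with the organisation."""
    lines = []
    for dept in rank_departments(summary):
        c = summary[dept]
        lines.append(
            f"{dept:8} delivered={c['delivered']} opened={c['opened']} "
            f"clicked={c['clicked']} submitted={c['submitted']} "
            f"submit_rate={submit_rate(summary, dept):.0%}"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(summarise(SAMPLE_EVENTS)))
```

The cumulative counting matters for reading the funnel: a department with many opens but few clicks has a different training need from one where most clicks turn into submissions, and the per-department ranking is what lets a company target awareness sessions where they will do most good.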
Empowering employees to be more security-aware involves changing a company’s culture, which can take time. However, an encouraging development is that more companies are taking the risk seriously and putting measures in place to prevent an attack from happening.
EU General Data Protection Regulation
It has been a while in the making, but agreement on the wording of the General Data Protection Regulation (“GDPR”) has recently been reached. This agreement will have an impact on many businesses’ information security plans. Since the GDPR came out, people are taking security and data protection much more seriously at management level.
The GDPR contains a series of new rules that require entities to revisit and refresh their systems and operations for data protection. Collectively, these new rules lay down a new journey that entities will have to follow to keep on the right side of the law.
There can be little doubt that the GDPR presents a big issue for many entities and particularly those with large stores of personal data or business models based on the commercial exploitation of personal data.
Is there a solution and if so what is it?
Cybercrime prevention can be straightforward: armed with a little technical advice and common sense, many attacks can be avoided. In general, online criminals are trying to make their money as quickly and easily as possible. The more difficult you make their job, the more likely they are to leave you alone and move on to an easier target. The tips below provide basic information on how you can prevent online fraud.