International insurer Hiscox has found that 71 per cent of Irish businesses suffered a cyberattack last year, up 22 per cent on 2022. Its newest Cyber Readiness Report puts Ireland at the top of the 20 countries it surveys in terms of average number of attacks.
The most common point of entry for hackers was a corporate-owned server (57 per cent), while the most common outcome was a financial loss due to payment diversion fraud (43 per cent).
Despite the high number of attacks, the cost of cyberattacks to Irish companies is relatively low, with just over half of respondents reporting an annual bill of less than €10,000. However, the Republic also tops the charts in being the likeliest country surveyed to pay a ransom (77 per cent).
Although ransoms were paid, only a third of respondents reported the full recovery of their data, with 31 per cent reporting that the attacker asked for more money. Little wonder then, that, among all countries surveyed, cyber insurance ownership is highest in Ireland.
‘A gas emergency would quickly turn into an electricity emergency. It is low-risk, but high-consequence’
The secret to cooking a delicious, fuss free Christmas turkey? You just need a little help
How LEO Digital for Business is helping to boost small business competitiveness
‘I have to believe that this situation is not forever’: stress mounts in homeless parents and children living in claustrophobic one-room accommodation
Sam Glynn of Code In Motion, a cybersecurity consultancy that works with organisations of all sizes, says there are three things that each one needs to focus on to mitigate the risk of cybercrime.
“It’s about PDA – people, devices and accounts – with people being the most important,” he says. “It’s a bit like having the best security in the world on your home. But if you have a 10-year-old child, as I do, who will open the door to anybody, believe what they say and then invite them in, all your security is null and void.”
Scams such as phishing and CEO invoice fraud rely on people trusting them. Increasingly scammers are using artificial intelligence to make such attacks appear more trustworthy.
“If it’s a ‘drive by’ general scam, like the eFlow one – where mass texts are sent, telling recipients they owe a toll fee – scammers are able to use generative artificial intelligence to create messages that align much better with formal communications,” says Glynn.
If the fraud is very targeted and aimed at a high-value executive, scammers will also use online tools to gather information about them.
“They’ll see how they talk, who they talk to and what about,” and use that to make much more tailored communications, adds Glynn.
Deepfake videos increasingly allow miscreants to impersonate a person with uncanny accuracy, feeding them conversation in real time. “These are becoming increasingly credible,” he says.
Training and awareness is the best line of defence, says Glynn. One way to protect your business is to agree a password with staff, or even a facial gesture, he says, as evidence that the person on the video call is indeed who they seem. Families should have one too, he adds.
“The old rules are best, such as asking to call the person back, or even asking to meet them face to face, just to take the urgency out of the situation,” he says.
Scammers will often inject a false sense of urgency into cybercrimes, whether it is the “child” texting a parent to say they have lost their phone and need money for a new one, or a message from the boss telling you to override protocols and transfer money quickly lest a deal be lost.
“You have to put proper controls in place to prevent such actions. Even if the person receiving the communications is fooled, having a second person authorising it means that, at the very least, the scammer has to fool two people,” says Glynn.
With devices, such as laptops and phones, once you have your software and patches up to date, the biggest cyber risk is loss or theft.
“The best thing you can do is ensure the device is no better than a brick to the person who steals or finds it, by having it password protected,” says Glynn. “The key is knowing to do that before the event, not after.”
The A in PDA refers to accounts, the kind of online platforms you use and the kind of information you divulge on them. For example, Glynn questions the need for any app to require your date of birth, other than to ensure you are over a certain age. His advice is to make one up.
Similarly, be very careful where you put client information. The rise of generative AI has seen many employees feed sensitive client information into chatbots, including sales data and customer insights, in order to have clever pitches and presentations fed back to them. But because the information on these platforms could, theoretically, be regurgitated later, with the right prompt, such activity opens the door to the risk of serious GDPR breaches.
“You don’t know what third parties the data you are putting in the front door of such apps may be going out the back door to, so read the terms and conditions,” says Glynn.