Just as the world was distracted by one virus, along came another. The ransomware attack on the HSE may have been the biggest cybersecurity incident Ireland has ever faced, and the most devastating, but by no means was it the first.
Indeed, it has since emerged that a number of businesses based in Ireland have been victims of similar incidents in recent months, with many of them forced to pay significant ransoms.
And we are not the only targets: global estimates suggest that anywhere between €350 million and €1 billion was paid to cybercriminals by desperate businesses in 2020.
Cyberattacks can decimate businesses and bring them to a standstill, causing operational destruction and reputational ruin. As one expert put it: “There are only two types of businesses – those that haven’t been attacked and those that will be.” Indeed, the HSE attack may well be the catalyst that finally forces businesses to seek some form of cyber protection against these often insidious threats.
“The attack on the HSE at such a sensitive time is a wake-up call to government on the need to get serious about cyber security but also about the digital agenda more broadly,” says Fergus Sharpe, head of public affairs at Dublin Chamber. “A new national digital strategy is needed to reflect post-Covid realities, this time with a clear focus of authority in government to drive necessary changes across the system.”
The UCD Centre for Cybersecurity and Cybercrime Investigation (CCI) was established in 2006 to support law enforcement in the fight against cybercrime. Back then most of the incidents they dealt with were faced by financial institutions and their customers, whereby access to their accounts – and often the money itself – would be lost after a phishing attack. The Garda would step in and the CCI would help with the ensuing investigation.
Nowadays these types of attacks can be faced by just about anyone, and the CCI has a key role in working with the National Cybersecurity Centre in providing training and investigating incidents, such as the ongoing ransomware attack that has crippled the health service, explains cybersecurity programme manager Dr Cormac Doherty.
Prevention
Speak to any cybersecurity expert and they all say the same thing – prevention is better than cure. But there is always a weakest link, and Doherty points out that cyberattacks do not target computer experts – quite the opposite.
“It’s everyday folk who are using technology in a way that exposes them to threats they are not aware of. One of the best strategies to defend against cybercrime and prevent incidents happening is to raise awareness of the risks you can be exposed to.”
He says that while some efforts are ongoing to educate employees in all sectors about these threats, to his mind it is not enough considering the devastating consequences of such attacks.
“It goes all the way through from school and college to work,” he says. “We need all of those types of outreach efforts to inform and educate about what is likely to happen if you don’t effectively pay attention on the internet.”
What the HSE ransomware attack has done is make the threat of a cyberattack much more tangible, as the public digests – or even experiences first-hand – the upheaval that such a crime can cause. Yet Doherty disagrees with how the incident has been portrayed by the media.
“It’s framed as being a very high-tech thing, that it’s very difficult to understand and very advanced. The reality is in cybercrime it’s not, it’s all things that we already know. It’s about getting that information out there.”
So how can organisations, large and small, protect themselves against these types of attacks?
While (costly) investment in ICT infrastructure is critical so that a business can protect access to its systems, Doherty again stresses that it is education and training that will do the heavy lifting when it comes to prevention.
“It doesn’t matter if you have the most expensive firewall in the world. If you have a user on the inside who’s just going to click all the links, that’s that. Raising awareness of threats among staff will be one of the most impactful investments you can make.”
Information security
The reality is that Ireland lags behind when it comes to cybersecurity and the associated risks.
Doherty says: “There are some countries which have got quite mature government/state level structures surrounding cybersecurity and information security, with everything from the qualifications required in order to work in agencies and network operations, or a mechanism whereby every single public service is expected or required to undergo cybersecurity awareness training at least once a year.”
This would be tricky to introduce here in Ireland, but “the alternative is that there’s an awful lot of expertise required to defend against users who are completely oblivious to the risks”, Doherty says.
Cybersecurity is currently the most topical area in Three's enterprise and government division, says Karl Duffy, head of enterprise and public sector with 3.
“It certainly looks to me like what has happened regarding the ransomware attack has been a wake-up call for large corporates and government entities. Prevention is dramatically less expensive than recovery, which is clear when you look at some of the costs incurred by those who are targeted by cybercrime as they work to recover their services fully,” he tells Business Ireland.
Particularly in the era of remote working, Duffy points out that all businesses have vulnerabilities. Mobile needs to be a core part of the overall security of an organisation. “You wouldn’t go to great effort and expense to secure your fixed networks and leave a vulnerability on the device in your employee’s hands; especially if you allow your employees to use work applications on their mobiles.”
Businesses need to consider all of the network access points into their organisation.
“If you think about the access points into your home such as doors and windows, you wouldn’t triple lock the front door and leave the back door wide open and the same principle applies in your business. We see a lot of organisations doing a good job securing their fixed networks, for example certain links will have security built in, but the mobile device needs more attention now.”
Potential victims
Duffy echoes Doherty’s point that we are all potential victims of cybercrime. As a result 3 has blended its mobile network with the most sophisticated mobile protection services available as part of a service called 3 Mobile Protect. “The service will secure your employee’s device from phishing, malware and data theft,” he says.
“A good example is the FluBot attack which arrived in Ireland recently and was well covered by the media,” says Duffy. “This is what’s known as a malware scam, and is worryingly effective. It works by sending an SMS to a customer pretending to be from a company such as a trusted parcel delivery service, and it asks you to click a link to download an app to track your parcel.
“Unfortunately once the link is clicked and the app downloaded, without 3 Mobile Protect the hackers are in and have access to your personal and work information. If a customer had 3 Mobile Protect installed the system would have notified that this was unsafe even if the customer had already clicked the link, so the hackers are blocked.”
Interest in these types of services has unsurprisingly soared since the HSE attack made the news.
“For the price of a cup of coffee each month, corporates and government entities can fully secure their mobile devices with solutions like 3 Mobile Protect, and I think the importance of ensuring devices are fully protected is really starting to land home with many of our customers,” Duffy says.