:quality(70)/cloudfront-eu-central-1.images.arcpublishing.com/irishtimes/L75KPXJ4VW4INBLFU3KO2BUNKA.jpg)
:fill(white):background_color(white)/cloudfront-eu-central-1.images.arcpublishing.com/irishtimes/BHJJYYB5LSPCRVJO4X42HE22GA.png)
Cybercrime is no respecter of national borders. It makes no difference to a hacker in downtown Donetsk whether they target a business in Killarney or Kiev. That spells bad news for Irish companies at a time when one consequence of the coronavirus pandemic has been a marked rise in cyberattacks.
The UK National Cyber Security Centre revealed at the beginning of November that more than one-quarter of all cyber incidents reported to it during the year involved criminals and state actors exploiting the disruption caused by Covid-19. In America, federal agencies have also noted a marked increase in Covid-related attacks and warned hospitals that they were under particular threat.
"We have seen an increased threat level in recent months," says KPMG head of cybersecurity Dani Michaux. "Lots of life sciences companies have had their supply chains attacked, for example. The reason behind that is intellectual property. The minute you see news about a new vaccine or treatment for Covid-19 that will attract the criminals."
This should not come as any particular surprise given the huge impact of the pandemic on business and operating models. The real question, however, is how successful the criminals have been and how well prepared Irish companies have been to deal with the increased threat.
The fairly good news is that Ireland’s level of preparedness is comparable to that of both the UK and US according to Stephen Scott, head of cyber, risk and advisory, EMEA with BSI Cybersecurity & Information Resilience. “Ireland is not that dissimilar to the UK,” he says. “It boils down to the industry involved but it’s hard to differentiate between Ireland’s approach and that in the UK and US.”
And that applies pretty much across the board. “When you think about smaller Irish companies you could say they are poor in certain areas, but you’ll find it is the same in the UK. It boils down to education and awareness of senior executives.”
No organisation should consider themselves immune from the threat, he adds. “You can find organisations that didn’t consider themselves targets because of their small size or sector. But if they don’t have the protections in place, they will present themselves as an easy target. You can get other organisations which think they were prepared but then weren’t and have ended up spending huge sums and have cyber teams bigger than those you’d find in some large consultancies.
“Smaller companies might not think they are targets but they will be hit if the criminals think there is money to be made,” adds Craig Dunn, head of cyber with Hiscox Europe. “Smaller companies do offer a lower return on investment for attackers. With big companies it is worthwhile for cybercriminals to spend a long time and resources on trying to get in.”
An organisation’s level of preparedness is usually measured by a maturity score. This benchmarks them against the US National Institute of Standards and Technology (NIST) Cybersecurity Framework, a set of guidelines for private-sector companies to follow to be better prepared in identifying, detecting, and responding to cyberattacks.
“There are five key elements to measure,” Scott explains. “Identify, protect, detect, respond, and recover. We sit down with key people in the organisation and ask them 98 questions to determine their maturity on a scale of one to five. A quite well-prepared organisation will score three out of five while state security organisations like the FBI would aspire to five out of five. If a company has a score of two we will work with them to set out a roadmap to get to three or wherever they want.”
The evidence suggests Irish companies are doing quite well when it comes to cyber maturity, according to Dunn. “What’s really coming through is that those which work with US companies are more prepared,” he says.
This is because of the high level of cybercrime activity in the US. “US companies tend to get hit first so they expect companies working with them to be well prepared,” Dunn adds. “Thirty-eight per cent of firms in Ireland have cyber insurance coverage. That’s even higher than in the US. That’s a good indicator of the level of preparedness. It could also reflect the presence of a litigation culture in Ireland. It certainly reflects the large number of US multinationals in Ireland and the large number of Irish companies working with them.”
The biggest challenge facing many companies in Ireland at present relates to remote working, says Michaux. “I do a lot of maturity assessments for clients and the average score is between 1.5 and 2.5. That’s not that high. Some may be well advanced with a score of three. Controls which were enabled on premises or in the office have not been taken into the remote-working environment. That is a problem. I have had a lot of conversations with companies about that change in the risk landscape.”
Many companies have responded to the shift to remote working by moving systems to the cloud but that can bring its own problems. “Companies need to ask if they have the same controls in the cloud as they did before,” says Michaux. “No is the usual answer. You might see a drop from a score of three to 1.5 as a result of the move to the cloud. People think the digital world is better and it could be. Lots of cloud providers have capabilities which customers can utilise. If you’re an SME allowing people to access services through the cloud, did you sign up to security controls? SMEs may not even know they exist because their main concern has been to keep the business running.”
There is another threat which Irish companies should be aware of, according to Dunn. “The threat environment for any given country tends to be influenced by its foreign policy and how it’s behaving in that sphere. Ireland doesn’t really have that problem but allegations of being a tax haven may cause problems in future. If there is going to be an ideological reason for Ireland to be attacked, it will probably be that one. You might see Irish supply firms being attacked to get at FDI [foreign direct investment] companies. Or you might see government agencies attacked if they are associated with the tax policy.”