8 minute read
Industry Review: Cyber Security
INDUSTRY REVIEW: CYBER SECURITY: ARE YOU SET UP FOR SUCCESS WHEN THINGS GO WRONG?
Awareness, education and a willingness to take a few simple defensive steps are the keys to defending your company’s brand against the ever present threat of cyber-attack, according to leading Irish experts in cybersecurity. The bad news is that the threat posed by cyber criminals to every business is increasing. The good news is that there are a few very simple steps you can take, without spending a pile of money, to protect yourself against 19 out of 20 attacks.
Advertisement
As well as driving the growth in remote working, the pandemic has also accelerated the pace of digital transformation for business, essentially a drive to the cloud and the adoption of software as a service (SaaS). So instead of dealing with a system in a single location an IT manager could now have effectively 50 or 60 satellite offices or devices that each have to be manage remotely. The problem is exacerbated when people start using their own personal devices, including PCs, laptops and particularly smartphones, for work purposes.
IBM cybersecurity and gamification strategists John Clarke and Dr Jason Flood
IBM
“People think it’s great that they’re able to do everything on their phone. But if you click on a link that exposes your company data, there’s your brand gone. The moment people realise you don’t secure your system they’re not going to share their data with you. You have to trust somebody to work with them,” says David McNamara, founder and MD of CommSec, a cyber security services provider based in Blanchardstown.
“It’s incredibly easy to become a hacker, a 12 or 13 year-old can start watching video tutorials and get into the game,” points out Dr Jason Flood, CTO of security gamification and modelling with IBM in Blanchardstown, who has 20 years of experience in cybersecurity. “Even software tools originally designed for good can end up being used with malicious intent – and hackers are all too often shown as ‘cool’ in the media,” he adds. He points out that a surprising number of smaller businesses will engage somebody like a student to create a website for them – it could be the gifted, tech savvy daughter of a friend, for example – and its functionality might well be excellent. “But has it been hardened for security? And then what happens when you’ve been hacked? Who do you call? You might have got a cheap website, but if your digital footprint is going to be important to the operationalisation of your business are you set up for success in the event of something going wrong?” he asks.
David McNamara
CommSec
Simple but effective steps
McNamara points out that there are a number of standards that people can adhere to but a basic approach is to be compliant with the questions you would be asked if you were to apply for cyber insurance.
Do you take backups of your systems? If you are subject to a ransomware attack and you don’t have your data backed up you simply cannot recover. But the important thing is that that backup is not connected to your main systems all the time and you need to have your own backups encrypted.
Is you antivirus software up-to-date? And if you backup to the cloud do you have multi-factor authentication in place? “There are a few different ways this can be done and it doesn’t cost anything, it’s just good housekeeping,” McNamara emphasises. “Enabling it on your devices or system will knock out 95% of attacks because a hacker would have to guess your second method of authentication and that’s just not do-able.” He also points out that under data protection legislation people using laptops for their work are obliged to have them encrypted. “There’s a free tool called BitLocker but that requires Windows 10. So if you are still using Windows 7 or XP, and many people still are, then I would recommending upgrading straightaway,” McNamara advises. Keeping devices up to date for both operating systems and installed apps or software is another basic. Manufacturers and developers release regular updates, or “patches”, which not only add new features but also fix any security vulnerabilities that have been discovered. “Patching is critical for any business,” he adds.
It is also good practice to make sure that system configurations are checked regularly to make sure firewalls are on, creating a buffer between your IT network and external networks. “People get into the habit of wanting things quickly and often turn it off because they can’t access a web site; they take shortcuts that they shouldn’t,” McNamara cautions. In the same vein, it’s worth bearing in mind that most manufacturers supply their hardware and software with a default configuration that makes it quick and easy to start using the product. But if you leaving the settings this way it makes it easier for cyber attackers to gain access to your data.
“The reality is that nothing on this list is particularly difficult, it just requires a bit of discipline – and therein lies the problem. If I’m running a business that’s where my attention is. IT is just a tool to help me do my job and I’m not focussed on it unless there’s a problem that needs fixing – or until I get hacked and by then it’s too late.
Awareness, training and practice
IBM cybersecurity and gamification strategist John Clarke points out that there’s an estimated four million shortfall worldwide in the number of cyber specialists needed to address the problem. One way of addressing that is to identify and train people who have a passionate interest in this area and recruit them directly, not insisting that only people with four-year degree courses are suitable.
“One of our best hires to date is someone who was a woodworker, but he’s an older gentleman who brings a different way of looking at things to the job, which is exactly what we need,” Clarke notes. He was spotted through a “Capture the Flag” gaming event hosted by IBM at an OpenSource event.
The other way of overcoming the shortfall is by addressing the problem at source. “There’s also a lot of blame put on the end-user, the person who has clicked on something they shouldn’t have and let the hacker in,” says Dr Flood. “But I think the onus is on us, as a community and as an industry, to bring a better awareness and understanding – because people are going to click on stuff, it’s just a natural instinct.”
The answer, strongly advocated by McNamara as well, is in-house training to help anyone using the IT system recognise potentially dodgy communications coming into the business and to imbed procedures so they know exactly what to do in the event of a crisis.
From its base in Blanchardstown, IBM’s high tech X-Force Command Cyber Tactical Operations Centre is a 21 ton trailer tractor-trailer with expandable slideouts, 20 workstations and a phenomenal amount of computing power. Flood and Clarke use it across Europe for a variety of purposes, from hosting Capture the Flag events to on-site cyber investigations and for training client company “cyber first responders” to handle a security incident with confidence and speed through gamified breach scenarios. “A lot of SME’s, in particular, don’t have any IT disaster recovery plan to begin with,” says Flood. “Typically it’s along the lines of ‘There’s a problem, ring John!’ But what happens if John is on holiday or simply can’t be found?
“Others have a plan prepared, box ticked, and they’ve never even read it. You really, really don’t want to be leafing through a 50 or 150 page document trying to find the answers in the middle of a crisis. A lot of this is about testing your own process until the response becomes automatic,” Flood emphasises. “So in the Tactical Centre we work with SMEs to get people talking about how they connect into the digital ecosystem and to learn and practise their response.”
The need to develop awareness and to know what to look for is key, McNamara says. “Even emails supposedly coming in from a reputable enterprise which at first glance look legitimate will have tell-tale signs that something is amiss – provided you know what you’re looking for. If you’re suspicious, don’t click. Pick up the phone to the person it is supposed to come from. And don’t use any phone number that’s in the email, either, go to a website and look up the number,” he cautions.
He also advises strongly against paying a ransom. “If you do there’s no guarantee you’ll get your data back and even if the attackers do give you the encryption keys your data may well be corrupted.”
The pandemic has resulted in a big increase in business for CommSec and since the start of the pandemic its staff has grown from 12 to 21 people. “During the pandemic we got ISO 27001:2013 certification, which is the information security standard. We set up a new digital forensics practice, which is headed by a former Garda detective who was 12 years in the National Cyber Crime Bureau, and we’ve set up new service, CheckScan+, which looks for vulnerabilities in applications, websites and IP addresses.
“We’ve also just launched another service, CommSec Business Secure, which we believe is going to be a game changer. It’s aimed at SMEs, from sole traders to up to 25 people, to make it affordable for them to make their business secure. We’ll manage that for you remotely, doing your patching, anti-virus and antiransomware on up to three devices per user, all for €50 euro a month or €500 for 12 months.”
