Managing security risks is going to get harder and more expensive. Less high-profile organisations can no longer take comfort from the idea that big brands and multinationals are the main target for cybercriminals – almost three in five (58pc) large Irish companies have been the victim of an attempted external cyber-attack in the last 12 months.
As 2022 starts, many organisations are dealing with the ‘Log4j’ vulnerability, which may leave their systems open to being tricked into running malicious code remotely.
This vulnerability is likely to be the ‘open window’ for serious attacks this year, so make sure that your organisation is evaluating its exposure and putting in place whatever mitigations it can.
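Evaluating exposure starts with knowing where the library actually sits on your estate. The script below is an added example, not code from the column or from Accenture: it walks a directory tree, identifies Log4j core jars by file name, reads the version from each jar's manifest (falling back to the file name), and reports any jar older than a configurable threshold. The threshold value `MIN_SAFE_VERSION` is an assumed placeholder, as is the constructed sample tree it builds for demonstration; substitute the patched version named in your own advisory.

```python
"""
Added example (not from the original column): inventory Log4j core jars on
disk and flag those below a minimum patched version.
"""
import os
import re
import tempfile
import zipfile

# ASSUMED placeholder: replace with the minimum patched Log4j 2 version
# from the advisory your organisation follows.
MIN_SAFE_VERSION = "2.99.0"

# Matches e.g. log4j-core-2.14.1.jar (case-insensitive).
JAR_NAME = re.compile(r"^log4j-core-(\d+(?:\.\d+)*)\.jar$", re.IGNORECASE)


def parse_version(text):
    """Turn '2.14.1' (or '2.14.1-SNAPSHOT') into (2, 14, 1); None if unparseable."""
    m = re.match(r"\d+(?:\.\d+)*", text or "")
    return tuple(int(p) for p in m.group(0).split(".")) if m else None


def jar_version(path):
    """Version of a log4j-core jar: prefer the manifest, fall back to the file name."""
    try:
        with zipfile.ZipFile(path) as zf:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.MULTILINE)
        if m:
            return m.group(1)
    except (zipfile.BadZipFile, KeyError, OSError):
        pass  # unreadable or no manifest: use the file name instead
    m = JAR_NAME.match(os.path.basename(path))
    return m.group(1) if m else None


def find_exposed_jars(root, min_safe=MIN_SAFE_VERSION):
    """Return [(path, version)] for every log4j-core jar below root that is
    older than min_safe, or whose version cannot be determined (treated as exposed)."""
    threshold = parse_version(min_safe)
    exposed = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not JAR_NAME.match(name):
                continue
            path = os.path.join(dirpath, name)
            version = jar_version(path)
            parsed = parse_version(version)
            if parsed is None or parsed < threshold:
                exposed.append((path, version))
    return exposed


def make_jar(path, version):
    """Constructed sample jar: a zip containing only a manifest with a version."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")


def build_sample_tree():
    """Constructed sample: an old log4j-core jar, a patched one, and an unrelated jar."""
    root = tempfile.mkdtemp(prefix="log4j-inventory-")
    lib = os.path.join(root, "app", "lib")
    os.makedirs(lib)
    make_jar(os.path.join(lib, "log4j-core-2.14.1.jar"), "2.14.1")
    make_jar(os.path.join(lib, "log4j-core-2.99.0.jar"), "2.99.0")
    make_jar(os.path.join(lib, "commons-io-2.11.0.jar"), "2.11.0")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for jar_path, ver in find_exposed_jars(sample_root):
        print(f"EXPOSED {jar_path} (version {ver})")
```

Run it against a real root (for example the directory holding your application servers) by calling `find_exposed_jars("/path/to/apps")`. It only inspects jars that exist as files on disk; Log4j bundled inside war, ear or shaded "fat" jars needs a second pass that opens those archives, and any jar whose version cannot be read is deliberately reported as exposed rather than silently skipped.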
We have to live with cyber threats, just as we have learned to live with human viruses. Threats are not going to go away, but they can be managed, and their impact reduced.
The hardest lesson learned from 2021 is that cyber criminals are growing increasingly sophisticated in the way they breach defences and organisations will have to respond.
On average, companies have already increased security budgets by 50pc to deal with a 125pc year-on-year increase in threats, according to Accenture’s State of Cybersecurity Resilience report.
With 86pc of Irish firms believing that the costs of staying ahead of attackers are unsustainable, they need to get the basics right by focusing on defences around three high-risk areas.
These are the three things you might consider to protect yourself going forward. None will be failsafe, but they may prove to be a good starting point.
Solutions and networks that were rapidly deployed during the first lockdown should have been made more resilient and secure by now. Ideally, organisations will issue employees with company laptops that come with endpoint security and connect over VPNs (Virtual Private Networks). For the many that don’t have the budget, the devil is in the detail – making sure that equipment and working conditions meet minimum security standards.
Security profiles change as soon as you have employees working from home. Simple things like where people sit and the age of laptops become variables that increase risk profiles – what’s to stop flatmates seeing sensitive information on the screen, for example, and is the computer too old to be covered by security updates? Employees should be encouraged to double down on the security policies and procedures they will already have signed up to.
Unfortunately, the pandemic has left many people more anxious, which means home workers who are already operating outside the guardrails of an office environment will be even more vulnerable to the relentless phone calls and phishing emails that try to trick them into opening a door to a malicious payload.
Training should be used to refresh their understanding of the risks.
Hitting the headlines in 2021 were high-profile ransomware events: the Colonial Pipeline systems breach in the US and, closer to home, an attack that compromised the HSE, along with many other local attacks that didn’t make the headlines but had a serious impact on multiple organisations. Layers of interactive and dynamic security are the best defence, including tools to identify and contain malware that has got inside the network perimeter.
The reality is that many organisations will be breached, which is why a workable business continuity plan is imperative. Having offline back-ups and an ability to do simultaneous restores are key to recovery, with an immutable copy of multiple systems that can be quickly stood back up, rather than a piecemeal recovery that leads to bottlenecks.
Identifying alternative infrastructure potentially in the cloud can be a fast way of getting operational while the clean-up is conducted.
Test parts of the plan regularly, making sure you have the resources to meet ‘time to recovery’ targets. Full-scale recovery exercises should be confined to a couple of times a year. Do it too often and people become jaded, another risk you can do without. But getting a business back up and running is not just about having a back-up plan, it’s about good governance, making sure it’s the business and not the IT department that decides on whether payroll or manufacturing should be restored first.
Most businesses will carry out tabletop exercises to test their plans, which are good for governance, but less effective for highlighting technology bottlenecks. Some large corporates will ‘pull the plug’ and act out a recovery for real, but it’s not a strategy that will sit comfortably with many. The goal here is to achieve a higher level of operational resilience.
A year after the SolarWinds ‘sunburst’ event, when a software upgrade from a respected company was used to infiltrate high-profile customers, boardrooms are taking supply chain attacks more seriously and reviewing their trusted partnerships.
So they should. Successful breaches through supply chains accounted for 63pc of all cyberattacks in the past year, according to our survey, up 29pc from the year before.
Sending out more detailed questionnaires to prospective suppliers is one response, where evidence of proficiency is asked for, rather than taken on trust. Independent security certifications will increasingly be required and the list of them is only likely to get longer as regulatory frameworks raise protection levels.
Already in financial services, the EU Digital Operational Resilience Act (DORA) is on the way, legislation intended to improve operational resilience across the sector and provide better protection against cyber-attacks.
Jacky Fox is managing director of security for Accenture in Ireland