Dodge the bullet of a damaging data breach
Recent developments in technology, notably artificial intelligence, are having an impact not only on what businesses can do, but also on the threats they face
Recent years have seen information security hit home. Rather than being something that happens ‘over there’, attacks on and breaches at the HSE, the National College of Ireland, TU Dublin and, most recently, Electric Ireland have demonstrated this small country is no more immune to attacks by criminals than is any other.
This should not be a surprise given that the threat landscape is in a constant state of flux and the complexity of the threat continues to grow, said Paul Delahunty, chief information security officer at cloud and security specialist Stryve.
“It’s constantly evolving, and it will always be constantly evolving. It’s not that anything massive has happened recently, but we are seeing an acceleration of the trends that were already under way,” he said.
In practice, this means continuous growth in the threat that needs to be countered.
“They’re becoming smarter and smarter the whole time and AI [artificial intelligence] has thrown a real spanner in the works,” he said.
Pure AI attacks are not yet common, but AI has already become a tool in the arsenal of both attackers and defenders. While internet security firms use AI to augment threat hunting, the main use of AI on the other side is to make social engineering more convincing.
Annual turnover: €12m
Why it is in the news: Stryve wants to help businesses bridge the security skills gap
“We knew it was coming but perhaps not as quickly as it did. Phishing is still one of the biggest threat vectors because it preys on people and people are the soft underbelly.”
Delahunty said the AI problem is only going to get worse, and could cause major epistemological headaches when it comes to security, just as we are seeing in other areas of life.
“I think this question of truth is the biggest threat we are facing. If you can use AI to make phishing attacks smarter and more believable that’s a huge jump forward [for malicious actors]. It sows confusion: ‘What is truth? How do we know what is true and what is not?’ I give it three or four years and we will see real problems.”
In the meantime, however, businesses still have to defend against attackers. Though the Irish, and wider European, economies have fared well enough in recent years, concern is still abroad that interest rate rises could lead to a recession or slowdown. The last time this happened, after the financial crisis, IT spending, including on security, cratered.
This cannot be allowed to happen again, Delahunty said, now that IT is truly central to the operations of every business. Crucial to this is having the right communications strategy with the board.
“Security is always seen as the insurance policy and so the problem with security is when it is good you don’t see it. We try to advise people to report to boards on the number of threats they have blocked so that people can see the value. If you’re reporting zero breaches it is seen as a waste of money.
“Based on history, security budgets tend to be one of the first to get cut. Working out there in the field you would be shocked. There is an attitude of ‘this stuff happens elsewhere’. Also, explaining the seriousness of the threat can have a paradoxical effect with people saying: ‘Well, if they can get in there they can get in everywhere’.”
The biggest threat today, however, isn’t phishing or malware. It is the massive skills shortage. Indeed, what was estimated to be a total of one million unfilled vacancies worldwide is expected to have risen to 3.5 million by 2025, according to the Cybersecurity Jobs Report published by Cybersecurity Ventures.
This has an obvious impact at home. “Phishing will always be the biggest threat in terms of types of attack, but I think the biggest threat we have today is the lack of cybersecurity professionals. That’s the big threat. The National Cybersecurity Centre has said we, as a country, are thousands short. That is a big existential threat,” said Delahunty.
This is important because, even when businesses have pushed a lot of their operations to public cloud platforms, they are still responsible for elements of security.
“The line of responsibility changes depending on the kind of cloud services you have [but] you need to understand that it’s not just taken care of because it’s ‘in the cloud’. It’s not some magic fix.”