Luigi Cacco, senior director, cyber security, at Presidio: ‘The threat landscape has evolved’
Jason Walsh

The threat of security breaches is nothing new. Indeed, as long as IT has been a part of business, it has been a vector for attack. Today, however, the threat is more severe than ever, with concerted efforts being made by criminals to attack and then extort money from organisations all over the world.

Luigi Cacco, senior director, cyber security, at Presidio, said that, over the years, the cyber threat has transformed — and not for the better.

Rather than nuisances, cyber attacks today are big business, run by organised criminals and, crucially, with a viable method for extracting ransoms without alerting the authorities: cryptocurrency.

Of course, even back in the 2000s, not all hacks were trivial, but the scale of the threat today is magnified. In 2022, for example, 5.5 billion malware attacks were reported (Statista), while according to one security vendor, 2023 saw 59 per cent of businesses hit by ransomware.

The message that the threat comes from organised crime needs to be understood. In addition, an entire shadow economy exists to facilitate attackers.

“These people want money. It is real [and] it is sold as a service. There are platforms to do this kind of attack,” he said.

However, while awareness has grown in recent years, including in Ireland, it tends to ebb and flow.

“I think people, as with everything, you need awareness to grow and it grows bit by bit,” he said. “A year after a big hack people start to forget, then they perhaps hear about another one. We’re humans; if it is not part of your daily experience, you will not think about it”.

Whether we think about it or not, though, the threat is out there.

“We continue to have breaches because there are very efficient organisations behind them”.

Notably, small businesses are at risk from attackers. While some may feel they are too small to bother with, experience has shown us not only that they are a target, but also that they can be a step in a so-called ‘supply chain’ attack aimed at working up to larger organisations through their suppliers.

It will be a significant future challenge, Cacco said, to ensure every vendor and third party within a supply chain adheres to security controls.

“In an increasingly interconnected world, a vulnerable supplier could be easily exploited, allowing attackers to move laterally into other organisations and undermining all efforts to build a robust cyber risk management plan. This aligns with the principle that attackers typically exploit the weakest link to compromise a target,” he said.

The message about the severity of the threat is getting across, he said, but what can be frustrating is that a strong security posture requires continuous assessment. Unfortunately, the reality is that as attacks grow in sophistication, security measures need to evolve.

“The problem is, from a defensive point of view, the attacker is moving as well,” Cacco said.

Core security controls such as identity management, endpoint security, network security, and email security will always remain crucial, Cacco said, but new areas such as cloud security and more recently, AI security, are emerging as new technologies are introduced.

“We [as an industry] need to make it clear to them that the threat landscape has evolved. It’s always changing,” he said.

Also evolving, however, is the legislative landscape. Two new pieces of EU legislation in particular, the Digital Operations Resilience Act (DORA), which applies to financial institutions, and the updated Network Information Security (NIS2) directive, which applies to companies with over 50 staff, are driving change.

“In this context, for small and medium-sized businesses with limited budgets, it would be challenging to comply with all these requirements; hence, partnering with an expert becomes essential”.

Overall, the regulatory changes are a positive step, he said, as they underscore for management the need for a strong security posture, including stringent oversight of third-party service providers, something that is important in order to avoid undermining a company’s efforts to build resilient cyber defence.

“Going forward, they will know better that, as part of the yearly budget, there will be someone allocated for cyber security,” he said.