In the early days of company-wide IT systems, cyber security meant keeping an eye on traffic flows both into and out of an organisation. Firewalls on the premises created perimeters around a company’s IT network, meaning cyber security was like a strong brick wall surrounding the network. However, technology has moved on in recent years and so this approach is no longer the best one.

“The flow of digital interactions through an organisation has become a lot more complex,” John McCabe, managing director and executive vice-president, Damovo, said.

Thinking about it, it is obvious: today, with remote and hybrid work commonplace, a perimeter-based approach to security is no security at all. Too strong and it will keep out legitimate users who need to connect remotely; too weak and it will let in anyone and everyone.

Indeed, one vector for attacks is created by a misguided lock-it-down approach to IT as this drives users to connect in unauthorised ways, using so-called ‘shadow IT’.

“Even the simplest IT network is a sprawling web of connections that spans the cloud, third-party suppliers and devices in multiple locations. Shadow IT has also added further to the complexity,” McCabe said.

Given all of this, a change is needed, he said: “It’s clear that old ways of thinking about cyber security are no longer fit for purpose.”

The looming clouds

In case anyone thinks being a small country means Irish business will be ignored by criminals, evidence is now mounting that Ireland is on the hit list. Last year’s attack on the HSE was preceded by two successful breaches of higher education institutions, and 2022 has already seen a breach at the RDS including the reported theft of “personal data belonging to staff, members and suppliers”.

The unstable geopolitical environment is also a factor and, without wanting to be alarmist, the ongoing war in Europe is potentially part of it. Attendees at the Zero Day Con in Dublin this past week heard claims of a 25 per cent increase in attacks since the conflict began. Moreover, researchers also recently claimed there has been a 500 per cent increase in mobile malware infections since February.

Given the reality in which we find ourselves, the first step, McCabe said, is to assess the entire IT estate. In other words, he said, first look at the ‘as is’ and then ask where you need to be.

“To protect a network, it’s critical to gain a full understanding of what it is – by mapping out which software, devices and hardware are in use.”

Working with a managed service provider means that these first steps can be done and followed up immediately. Policies should then be put in place, such as zero trust access, better data backup, multi-factor authentication and biometrics.

“Security maturity doesn’t have to be achieved overnight. It can be arrived at systematically and incrementally,” McCabe said.

Damovo’s cybersecurity division Lares works with many companies, large or small, to validate their security posture through offensive security-focused services such as complex adversarial simulations, network penetration testing, application security assessments, insider threat assessments, incident response and forensics, and vulnerability research.

“Once established, this total view of the network can be used to reveal where potential points of weakness and threats may lie – and it can be used to model risk and responses. This approach gives a list of priorities that can be tackled one by one, addressing the most important issues and focusing on risk reduction.”

Protection is not just about the systems, though: people play a huge part too, and so awareness and training are integral parts of developing a cyber security mindset.

It’s also vital to make security easy, McCabe said.

“If your measures introduce too many additional steps, your teams will find ways to try to bypass them. It’s human nature. This is where approaches like zero trust can be helpful. By giving the right people access to the right resources at the right time, security and user experience are both optimised.”

Fundamentally, organisations large and small need to stop thinking of cyber security as an optional cost centre.

“If it isn’t integrated into your digital thinking and approach, you could be exposing your organisation to very high risk,” he said.

The good news is that there are highly skilled partners out there whose expertise and knowledge will help to protect your organisation against these threats. A robust cybersecurity strategy will not be a blocker but an actual business enabler, said McCabe.

“A continued focus on cyber risk reduction can actually allow your company to achieve even more,” he said.