In truth, cyber security has not been a simple matter for some years now: the days of simply running anti-virus software or installing a firewall are long behind us. The recent shift to remote working, however, demanded an entirely new strategy – and predictions of the future of work being a hybrid of both remote and office imply that 360-degree protection will have to become the norm.
Three extremely high-profile breaches drove home the issue for Irish organisations, but the question of cyber security often has not received the attention it should have, at least not at senior level.
“We try to say to people that security should be a board-level issue, and we have seen some movement on that because of the attacks of the HSE and two higher education institutions,” John Ryan, head of customer integration and innovation at Arkphire, said.
Part of the problem is that technology has tended to be seen as a question for the IT department alone. However, perhaps a deeper and more long-standing problem, particularly for small businesses, is a sense that Ireland is not of interest to hackers.
Today, the realisation that this is not the case has set in, said Ryan. Not only is Ireland home to major multinationals, but domestic businesses are finding themselves the target of hackers. Indeed, the wave of phone scams demonstrates that even individuals are in the telescope of cyber criminals.
In fact, Ryan said, the scam phone calls themselves seem to have a connection to past data breaches.
“It looks like they're using the data that was stolen even for the phone scams. The tail can be very long,” he said.
Nonetheless, as a small country, Ireland has long represented something of a grey area when it comes to data: while figures on attempted breaches across the EU, in the US or in Britain are regularly published, local data has tended to be thin on the ground.
One of Arkphire’s partner organisations, security hardware and software developer and vendor Check Point Software Technologies, has lifted the veil.
“Previously, it has been difficult getting statistics for Ireland, but Check Point brought some out,” said Ryan.
The numbers are dramatic to say the least.
“They reported a 149 per cent of increase in ransomware in April in May, and a 413 per cent increase since June 2020,” he said.
Notably, this period coincides with the massive and historically novel shift away from the office to home-working. The upshot of this is that traditional approaches to cyber security are no longer fit for purpose, Ryan said.
“A few years ago, people were talking about the perimeter and that shows where we were. There is no perimeter anymore, because of remote working.
Ryan said that, despite recent tentative moves back to the office, the pandemic experience has fundamentally shifted attitudes to work, and that this change will persist into the future. As a result, new cyber security strategies are here to stay.
“We did a survey on remote working and it showed that just 12 per cent of employees and 5 per cent of employers could see a return to full-time office-working,” he said.
Ryan views the correct approach to security as one that reacts to the world as we find it, not a model of how we might like it to be, or even how it used to be.
“First it has to be effective, of course. The other thing is that the end-user experience has to be effective, and if you’re not monitoring it, you're not able to know that,” he said.
In practice, this means adopting zero-trust and secure access service edge (SASE) approaches.
“As a philosophy, we would say you need a zero-trust approach: you trust nothing until you explicitly decide to, through observing that the traffic is doing what it's supposed to be doing.”
In addition to continuous network monitoring, end-user devices should be secured.
“At the end-user device you use second factor authentication, then you interrogate the device: is it a healthy device? Is it calling from where it's supposed to be, while [simultaneously] looking at traffic on the network for malware,” said Ryan.
Some businesses have taken the approach of deploying work-specific devices, but users’ own devices can also have secured partitions installed. This becomes particularly important with smartphones, as few people seem willing to carry both a personal and a work phone.
“We did a rollout of 8,000 new devices to remote workers in one organisation. They needed to be highly secure so they wanted to make sure they were separate devices, [but] there's still the BYOD [bring your own device] regime there in the background, particularly for mobiles,” Ryan said.
The network monitoring side can be surprisingly sophisticated, with trust levels matched to specific areas of the internal systems.
“In the traffic, one scenario might be, you have an end-user on the software development side who is suddenly accessing the finance network. At that point your trust drops off, it’s not just a question of guarding the entry point, it has to be continuous,” he said.
This kind of granularity brings with it a level of complexity that is difficult for internal IT teams already busy with essential systems.
This comes on top of an estimated four-million-person shortage in trained security professionals globally, according to the International Information System Security Certification Consortium (ISC) Cybersecurity Workforce Study, the result of which is cyber security professionals are free to pick and choose for whom, and for how much, they work.
Businesses should understand the value of working with external providers, then, said Ryan.
“People are more conscious of it now. The question is are they willing to pay ten euro per person, per month. Would you drive your car without insurance?”
Ryan goes further, making the case that cyber security should not be seen as a necessary cost centre, but as something that enables the business to drive revenue.
“And it’s not just insurance, it’s protection and, in fact, it's an enabler: it enables people to change their business to work from home. You have to ask yourself questions such as will your staff move on if you don’t give them that opportunity,” he said.
Indeed, with many taking the pandemic as an opportunity to escape over-priced and cramped housing in Dublin, this aspect will only become more important. Where, in the past, towns such as Navan or cities such as Waterford or Dundalk were the outer fringes of the commuter belt, a shift to remote working could see a significant section of the workforce scatter to the four provinces.
The security as a service model supports this, said Ryan, including for SMEs, by delivering a level of security expertise that businesses would struggle to achieve internally.
“It’s becoming more simple in terms of the service model,” he said.
Part of the service provision model is a recognition that security can never sleep, as the longer an intrusion goes on the more dangerous it becomes.
“If you see an end user device has been infected, kill the connection. That's easy enough. If it's a server that is serving half your customer base that's a more serious problem,” he said.
For Ryan, a cyber security service provider’s primary responsibility is to allow a business to function.
“Our objective is to identify the incidents early because typically that's how they get in. The dwell time of a piece of malware is typically around 90 days,” he said.
“The easiest thing would be to let no one in, but where does that leave you?”