As business has become dependent on IT, computers and networks have not only driven profits, but also become the single greatest threat. Notably, one study conducted by the University of Maryland’s Clark School found that a hack against an internet-connected device occurs every 39 seconds.
John Ryan, head of cyber security solutions at Arkphire, said that Irish organisations cannot take a laissez-faire attitude to the issue.
“There used to be this concept of ‘security through obscurity’, and in an Irish context that might mean thinking ‘Nobody will care about us’, but the fact is that they do care,” he said.
In fact, Ryan said, recent well-publicised breaches indicate that the prevalence of this attitude could prove disastrous. “I think what’s happening is indicative of the state of preparedness of the country in general. I’d be fearful for our critical national infrastructure, and for private companies too.”
Indeed, though the attacks on the HSE and Department of Health may have overshadowed it, other Irish institutions have been in the firing line this year: TU Dublin’s Tallaght campus and the National College of Ireland were both hit in April.
The first step in ameliorating the issue is to take it seriously, something many Irish businesses have not done.
“This comes down to the fact that most organisations have not taken this up to board level. It’s poor enough even in the private sector, where typically it depends on the strength of the IT department and it really shouldn’t. It should be a board-level issue. There should be tech experts on the board,” Ryan said.
Beyond issues sui generis to Ireland, there is also the wider negative perception of IT, and this is something that bedevils business worldwide. Strange as it may seem with more and more businesses attempting to shunt customers and clients online, and to drive revenue from the data they generate, IT’s reputation has not improved much.
“IT is generally perceived as a cost centre. Everyone is talking about digital transformation, but how seriously are they treating IT?” said Ryan.
Indeed, other business functions, say accounting, do not seem to suffer from the same image problem. Ryan said that the answer, simply, was to stop relegating IT to an afterthought.
“It needs continuous improvement and to be baked into the organisation. For that you need leadership,” he said.
Don’t leave it to the users
Of course, IT security is difficult and, frankly, from an end-user perspective, annoying. This in itself is a sign of an approach to security that is likely to fail, Ryan said.
A good IT security set-up should be secure but painless, and founded on “zero trust” principles.
“You shouldn’t see it. You run into real fatigue if you’re managing it all yourself. Organisations need to take away the burden from the users with things like single sign-on with 2FA: you log on and your credentials are automatically there,” he said.
Instead, what is more common is users being given access to systems that they do not need or else access beyond required levels. This means that once a user is compromised, hackers can get deep into the business.
Crazy as it sounds, Ryan has encountered user behaviours that effectively render IT security null and void.
“Privilege is the key to the kingdom for the attacker,” he said. “If you look at any breach, 80 or 90 per cent will have had privileged access. Organisations still use the default accounts and they also share passwords: you’ll often discover there’s a spreadsheet with a list of all the passwords in it,” he said.
Risk mitigation can be performed, though. “If a house has an alarm, a dog and monitored security, the burglar is going to go next door.”
Once basic security procedures are in place, measures such as network segmentation can ensure a breach does not bring down the entire organisation. Then, back-ups need to be not only performed, but performed properly.
“A lot of people think they have immutable back-ups and they don’t; disrupting the back-ups is often the first thing attackers do once they have privileged access,” Ryan said.
It is not only the HSE that has been breached: Ryan noted that a report published by global insurer Aon showed a 715 per cent increase in ransomware between 2019 and 2020.
There are simply no quick-fix solutions, and no alternatives to taking security seriously on its own terms. Moving to the cloud, for instance, can help reduce the risk from unpatched and outdated systems, but the idea that it is a risk-free paradise is misguided.
“The other fallacy out there is: ‘If I move into the cloud, it will be fine.’ The idea is that it will be Microsoft’s problem, or AWS’s problem to look after security. But in fact, there is shared responsibility: you take responsibility for what you put in there,” Ryan said.