Threat of cyber attacks can no longer be ignored

Companies must take measures to protect their data or they risk major financial and reputational damage

Rob Wainwright, senior partner in Deloitte’s European cyber-security practice

The problem with dealing with malware and other malicious attacks is that they don’t care who or what they’re attacking. Usually an attack is thrown out into the wild in the hope that someone will download it, open an attachment and be infected by it. Since the internet has no borders, malware can attack and infect anyone, anywhere, something Irish businesses should be aware of.

Someone who knows this better than most is Sir Rob Wainwright, one of the speakers at this year’s Deloitte Best Managed Companies awards symposium. He was executive director of Europol for nine years, managing the agency’s 1,000 people with an operational network spanning 40 countries, before he became a senior partner in Deloitte’s European cyber-security practice where he works with clients across Europe.

The biggest problem facing businesses, including Irish ones, is the focus on data breaches and what that means for cyber criminals, Wainwright said.

“There is still a bulk of cyber crime that is connected with large data breaches and the means for cyber criminals to steal data from government institutions in order to monetise it, to sell it maybe to other criminals who then use it for fraud, credit card fraud, mortgage fraud, and so on,” he said.

“The need for illegal acquisitions and exploitation of data is still very much a big part of this economy, and that’s where a lot of the volume of cyber-crime is driven.”

This is a real issue for financial and healthcare institutions. The data they store is incredibly precious to malicious actors. Such data can be monetised at a higher rate, and that is why a lot of attacks happen in that area, Wainwright said.

“When I speak to health executives, some of them misunderstand the nature of the threat,” he said.

“They say ‘why would the criminals come after us, we have no money?’ and of course the point is they’re not after your money, they’re after your data which makes them a lot of money.”

It’s not just the financial end of the business that can be damaged, a risk GDPR will drive home through the greater fines being imposed, but also a company’s reputation and the trust placed in it.

A company that does not take the necessary measures to protect data and does not try to inform affected parties of an attack is going to be viewed poorly.

“Very often [reputational damage is] a bigger problem and bigger risk to companies,” Wainwright said.

“We have seen large companies which have had large data breaches have their share value fall significantly when they have reported those breaches.

“I’d like to think that executives of most companies understand that there’s quite a bit riding on this to get it right.”

With these problems in view, and the likes of GDPR in place as well, prioritising security and privacy is key. But there can be a conflict of interest as companies race towards digital transformation, modernising systems and services they use so they can become more efficient and do more.

Wainwright said that while it is a “tremendously powerful and important way to modernise your business”, you should not overlook the safety element of it. On the positive side, he said more and more businesses in Ireland and elsewhere are taking this into account.

“[Through it] we’re actually exposing ourselves to more ways in which we can be attacked and breached,” he said.

“A culture of security must be embedded into these massive digital transformation programmes. What I’m hearing and seeing locally in places like Ireland is that businesses are showing more signs of that.

“They are building in security elements in a much better and more robust way when they configure this transformation process. That’s really good to see.”

As for security advice for businesses, Wainwright is a board member of the Global Cyber Alliance, a non-profit organisation that helps businesses understand what they need to do in simple terms.

“The bigger the business is and the more sensitive your assets are, be it personal data, hard cash or intellectual property, the more layers you’ll have to put in place across your network and systems to ensure adequate protection.

“Also, if you have members who don’t quite understand why they should be in place, you should frame it in the context of risk management.

“[You should] advance to a level of risk management and the tolerance for risk that is affected at the right level that you’re in,” he said.

“When you start to see it like that - and I have this discussion with many board members - it starts to become easier for them to understand. From there, you realise that security, however challenging it is, is actually just another risk to be managed.

“Every company has a risk management framework and this is just another one.”