An organisation’s greatest vulnerability to a cyberattack is its people. The most common attacks include phishing emails and malicious software including ransomware, viruses, spyware and worms. The threat of cyberattacks has grown and the evolving nature of these threats means that all businesses are at risk.
“Ireland is part of the global cybersecurity environment and is exposed on a local and global level”, says Brían.
“The threats are evolving and becoming more sophisticated. The evolving nature of the threats means that, at some point, almost all businesses will face this risk. These threats mean there are many areas to defend, manage and prepare responses to such threats. SMEs who innovate by using mobile apps, utilising social networks or mobile workforce tools must think worst-case scenario as part of the planning, and implement ongoing security by design – covering technical, procedural and end-user training.”
CEO fraud is one scam that is not that difficult for cybercriminals to execute, particularly as information on CEOs and CFOs can be easily accessed by connecting with them on social media or other channels. The attacker will usually send a spoofed email purporting to be from the executive on the day they go on holiday, asking for payment of an urgent bill or making a request for change. “Generally, requests for change of payment beneficiary details should be diligently checked,” says Brían.
“Prime times to attack are during holiday season when key decision-makers are on annual leave; threat actors are aware of this and try to target a company when someone else is in charge.”
Commenting on the steps that organisations can take to protect themselves, Brían adds: “At a minimum, businesses should consider completing a cyber-gap assessment or penetration testing of their environment.”
“Have your IT team issue phishing emails regularly and compare open rates and how many people highlighted the email as a phishing email.”
Cybersecurity should be on the board agenda at company meetings and Brían feels that awareness by businesses is improving. “Cybersecurity is quite topical at the moment and awareness has improved, with businesses now sharing the responsibility across departments where previously it was seen as an area of responsibility just for IT departments,” he says.
“It should be added as an agenda item so that the board are aware of the steps an organisation is taking to prevent such an attack from happening.”
Businesses are now putting a huge amount of effort into defending against cyberattacks. Prevention may be better than cure; however, organisations need to be prepared for a cyber-breach, and the post-breach response is just as important as the effort that goes into preventing one.
Brían says that the response should involve external assistance: “In order for businesses to be prepared, they should implement an incident-response plan and identify key third parties and internal skills required during a breach,” he says. “This approach may also benefit from a series of simulation training exercises to ensure all parties are aware of what steps need to be taken in the event of a breach.”
Commenting on the steps that organisations can take to limit the impact of a breach and prevent its spread, Brían adds: “A critical step in planning is to ensure logical separation of zones is in place. The business must ensure they have the ability to identify early and have the controls in place to isolate affected zones.”
Brían also emphasises the need to learn from experience. “It is important for businesses to remediate root causes from the previous breach. Prevention within cyber has always been a challenge. As technology improves, it becomes easier to use but threat actors’ technology also improves, and businesses must therefore have plans in place to respond to any breaches”.
BDO's cybersecurity team works with businesses to design pro-active cybersecurity programmes to mitigate cyber risks. For more information contact Brían Gartlan at +353 1 470 0202.
Content adapted from The Irish Times Business: