Cybersecurity: doing nothing is the real crime.

By: Katie Kirwan
On: 22 Feb 2018


Knowledge isn’t only power, it’s also security. That was the message from a recent cybersecurity briefing at Three.

The panel of cybersecurity, information security and mobility specialists conveyed the importance of knowing the value of your data, the risks to it and how to counter them.

“I’m not here to scare you, but…” started Brian Honan of cybersecurity consultants BH Consulting. Brian’s real and local examples of cyber-attacks weren’t about fear-mongering, but about making the threats real to Irish businesses.

He asked, “How many of you have some kind of connection to the internet on your person at this moment?” The answer was everyone. Every connection is a potential vulnerability. Karl McDermott, Head of 3Connected Solutions at Three, reminded the room of the attack on major US retailer Target. The attackers hacked the supplier of the in-store refrigerators, gained access to Target’s network via the refrigerators and stole 40 million credit card details. No wonder the Global Risks Report 2017, published by the World Economic Forum, ranked cyber-attacks in the top five threats.

The implications of cyber-attacks can go beyond the financial. At Target, two executives lost their jobs. When Ashley Madison – the “dating” site that condoned adultery – was hacked and its members’ database dumped on the internet, there were two suicides directly linked to the breach.

Clearly there is every reason to take cybersecurity seriously. The biggest risk comes from doing nothing.


If it’s worth knowing, it’s worth stealing.

As the Ashley Madison breach shows, it’s not only financial information which is targeted. Brian quoted the infamous bank robber Willie Sutton Jr. who, when asked why he robbed banks, replied: “Because that’s where the money is”. Hackers target businesses because that’s where the data is, and data has value. In the cybercrime marketplace, there is a price for every piece of identifiable information.

Unlike a bank robbery, however, victims of cybercrime may not even know they’ve been robbed until long after the event. Businesses may discover they have been defrauded only when an irate supplier gets in touch about overdue invoices. The invoice they thought they had paid was actually from a cybercriminal, using the supplier’s logo and contact details that looked legitimate at a glance (which is all they usually get), and carrying seemingly incidental information about a change of bank account details.

On the other hand, some cybercrimes are all too obvious, relying on extortion or ransomware. Regardless of the method, all businesses are vulnerable and need to take action. The question is: what action?

Identify. Assess. Establish policies.

Brian Honan’s advice to the audience was to first of all identify your key data assets. If you can identify and put a value on them, you will be able to weigh up the impact it will have on your business if they are stolen.

Secondly, Brian advised a risk assessment. Where is your data located and how secure is that location? Is it in data centres or on mobile devices? Is it encrypted, wipeable, recoverable?

The third step Brian recommended is to establish formal policies around what people are and are not allowed to do, especially where a BYOD (Bring Your Own Device) policy is involved. Security awareness training should be provided to employees, not only telling people how to protect themselves and the business they work for, but also explaining why things need to be done this way. With proper training, people can be transformed from the weakest link in your security to the strongest. After all, it’s usually users who first detect and report a breach, not systems.

Learn from the Target attack and extend your policies and training to include your company’s third party relationships. All suppliers, vendors and partners who have access to your network or any of your data need as much consideration as your own systems and employees do.

Security is an ongoing task. Set up monitoring and alerts for suspicious activity on your systems. Share information on attacks and attempted attacks with your business network and the Gardaí. Sharing this information is key to preventing it happening again to you or others. Also, a cover-up or denial is always eventually exposed with far worse consequences. As Brian pointed out: “The criminal is always responsible, so don’t be ashamed”.

Don’t be an easy target.

Brian Honan’s presentation was followed by a question and answer session with a panel comprising Nicola Mortimer, Head of Business Products, Marketing and Operations at Three; Sean Rooney of Integrity360 IT security specialists; Ken Nelson of Citrix; Karl McDermott; and Brian.

The session covered topics ranging from the virtual disappearance of the security perimeter due to the growth in mobile devices, to the need for basic security “hygiene”, including complex passwords and regular installation of patches and updates, to the fact that the cloud offers better data centre security than any small to medium enterprise could ever achieve.

The overall message was that there is no such thing as perfect security, but hackers go after easy targets, so don’t be an easy target. There are solutions available to alleviate risks. Nicola wrapped up and summarised the session: “The problem is not unsolvable. It’s about a structured approach that’s reinforced across the business”.
