Pictured: Sarah Hipkin, Head of Technology Consulting, Mazars
A rise in cyber-attacks during 2020 has highlighted how cybercriminals can take advantage of vulnerabilities faced by organisations as staff work more from home. With the initial focus on meeting customers and clients’ critical needs during the pandemic, many organisations have been understandably less proactive in testing the security of remote working practices and training staff to be aware of evolving cybersecurity threats, writes Sarah Hipkin, Head of Technology Consulting, Mazars.
According to the most recent annual Data Protection Commission (DPC) report1, data security breaches were up 10% in 2020. In particular, there’s a rise in social engineering tactics that relies on human interactions and manipulates users into giving away sensitive information or making security mistakes that can breach IT systems. Targeted entry points might include phishing emails, texts or voicemails.
Preying on COVID fears and vulnerabilities
Like chameleons, cybercriminals change to suit the landscape, so the arrival of COVID and increased home working provides the perfect storm to prey on fears and vulnerabilities. Typical phishing attacks might include an email or SMS masquerading as a health service provider or government department to trick victims into sharing personal and financial details regarding test results or vaccines. Alternatively, staff are asked to open PDFs or zip files containing malware from what looks like a legitimate customer, a manager or a CEO. These phishing emails are increasingly sophisticated in their content and often include personal information such as a name or even account details. Such high levels of detail are usually more than enough to satisfy the home worker that an attachment is safe and valid. The blurring of lines between work and personal life adds to the problem as home workers are tempted to use personal phones or computers for work purposes.
For critical national infrastructure (CNI) organisations, ransomware is the top threat. According to a recent UK National Cyber Security Centre (NCSC) report2, 84% of UK CNI providers experienced cyber-attacks in 2020, and 93% of those providers admitted that at least one attack was successful. For these larger organisations and institutions, the aim can include relying on human error to open the backdoors to an attack, blocking access to healthcare, education, or critical government services until the ransom demand is paid. While this threat has always been present, the move to home working has exacerbated the problem. A recent cyberattack on Queen’s University in Belfast3, for example, highlighted the vulnerability of educational establishments now increasing their use of technology to move lectures online for thousands of students.
How to mitigate current and emerging cyber risks
With the media attention on significant global cyber-attacks, it’s easy to overlook modest, human error-related mistakes that can snowball and end up costing even small companies in Ireland tens of thousands of euros to remediate, as well as inviting intervention from the regulators. But there are steps organisations can take to strengthen their defences.
- Understand your risks. What impact would an attack have on critical business systems? Where is sensitive data held, and what third parties have access to your data? Regular risk assessments are necessary to determine new cyber-attack threats. When information is a company’s most valuable asset, continual risk assessment is non-negotiable.
- Update policies and standards. Policies should reflect the changing cyber risk landscape and be communicated in a way for staff to understand and follow. IT standards need to be updated to reflect changes in the technology landscape so that systems remain secure throughout their lifecycle. Clear, concise security information and protocols are essential.
- Assess and test procedures. How watertight is your response plan should a cyber attack occur? Methodically walking through how you would report and respond to an attack to gain a clearer picture of your vulnerability level and, importantly, what you need to do to plug any security gaps and reduce service shutdown periods following an incident. An incident response plan is not effective until tested.
- Keep security budgets topped up and training on track. Continually top-up security budgets so they can meet current and emerging cyber threat levels. An ongoing security training programme is necessary to minimise human risks. So, baseline testing through mock-phishing simulation exercises can help staff to understand the cybercriminal’s mindset and test employees’ response to likely threats. Complacency is a cybercriminal’s ally.
It’s important to remember that these cyber-attacks will inevitably end in reportable data breaches to the DPC, with the financial and non-financial impacts yet to be fully understood.
One thing is sure. Cyber threats don’t disappear; they evolve. It’s only by refreshing our understanding and raising awareness of the dangers that exist, will organisations keep their backdoors and windows firmly shut against cybercriminals.