Training your staff is the first step in fighting and defeating cyber attacks
With an ever-growing list of cyber threats confronting Irish companies, many are falling at the first hurdle of online self-protection – educating their staff. That’s the message from Sean Rooney, cyber risk and assurance director of managed IT security specialist Integrity 360.
“When we look at the optimum security mix of people, processes and technology, many organisations seem to be ignoring the crucial people part. There needs to be more work done to raise awareness of the importance of corporate culture in this area,” he said.
While tech solutions are still crucial to maintaining a strong defence, so too is having a security conscious workforce. “How people conduct themselves on a day-to-day basis at work has a huge impact on security. It’s very difficult to change people’s behaviour, but we seem to be just leaving it on the back burner or treating it like a compliance exercise and that’s not good enough.”
While there are signs of change in the air – most notably in university level cyber psychology courses in Ireland – Rooney believes it is up to the IT security industry to lead the way in advocating for better habits in Irish businesses. “As an industry we haven’t really paid enough attention to this area, but over the next few years I hope we’ll see a lot more focus on it. The reality is that this is an IT problem that you can’t spend your way out of,” he said.
“Of course, technologies need to be updated and kept in line with current threat levels, but changing the mindset of people in an organisation so that they don’t let it down is just as important.” Taking steps such as becoming accredited to a standard like ISO 27001 can help create the right culture, particularly for companies that know they have a problem but not how to fix it. This is a way of closing off the gaps.
“Getting certified affords a structured rather than a haphazard approach to the problem. Essentially it allows you to take stock of where you are, evaluating the environment you’re working in and working out how to get to a better and more secure place,” said Rooney.
“The advantages are that not only can you give assurances to your customers and clients that you’re doing everything you can to protect them, you also protect your own brand and reputation.” According to Rooney, the typical cyber threats that face Irish companies are the ‘old reliables’ with a particular kind of malware, known as ‘ransomware’, becoming more prevalent in recent months.
“Malware is becoming more targeted and advanced than it used to be. For example, in the case of ransomware we’ve seen companies hit with a drive-by installation from a website that installs a piece of software code on the machine that then starts encrypting shared drives on that network.”
“This begs the question what kind of admin rights does a typical user in your organisation have on the machines they work on – do they have local admin rights? If they do, then that machine will have a lot more access to the network than it should have.”
Once files have been encrypted, ransomware victims are faced with the choice of either paying to regain access to their data, or attempting to restore the system from backups created before the attack. “Many companies find at that point that they haven’t ever even tested their backups before. Needless to say, it’s a bad time to find out they’re not effective.”
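Rooney’s point that backups are only useful if they have been tested can be turned into a routine check. The script below is an added example, not code from the article or from Integrity 360: it records a SHA-256 manifest of a share at backup time and then verifies a restored copy against it, reporting files that are missing or whose contents no longer match (which is exactly what a restore of data that had already been encrypted would look like). All file names and contents are constructed sample data, and the temporary directories stand in for the real share, backup target and restore location.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def build_manifest(src: Path) -> dict[str, str]:
    """Record a SHA-256 hash for every file under src, keyed by relative path.

    Take this at backup time and store it separately from the backup itself,
    so a verification later has an independent reference to compare against.
    """
    manifest: dict[str, str] = {}
    for path in sorted(src.rglob("*")):
        if path.is_file():
            rel = path.relative_to(src).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def verify_restore(restored: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare a restored tree against the manifest taken at backup time.

    Returns the relative paths grouped into 'ok', 'missing' (file absent from the
    restore) and 'corrupt' (present, but contents differ from the recorded hash).
    """
    result: dict[str, list[str]] = {"ok": [], "missing": [], "corrupt": []}
    for rel, expected in manifest.items():
        path = restored / rel
        if not path.is_file():
            result["missing"].append(rel)
        elif hashlib.sha256(path.read_bytes()).hexdigest() != expected:
            result["corrupt"].append(rel)
        else:
            result["ok"].append(rel)
    return result


def demo() -> dict[str, list[str]]:
    """Constructed scenario: back up a small share, restore it, then verify.

    One restored file is deliberately overwritten with junk (standing in for
    content that was encrypted before the backup ran) and one is removed, so the
    verification has something to find.
    """
    with tempfile.TemporaryDirectory() as tmp:
        share = Path(tmp) / "share"          # the "live" network share (constructed)
        (share / "finance").mkdir(parents=True)
        (share / "finance" / "q1.csv").write_text("acct,amount\n1001,250\n")
        (share / "readme.txt").write_text("constructed sample data\n")
        (share / "notes.md").write_text("# notes\n")

        manifest = build_manifest(share)     # taken at backup time
        backup = Path(tmp) / "backup"
        shutil.copytree(share, backup)       # stands in for the real backup job

        restored = Path(tmp) / "restored"
        shutil.copytree(backup, restored)    # stands in for a test restore
        # Simulate a bad restore: one file damaged, one file missing.
        (restored / "finance" / "q1.csv").write_bytes(b"\x00garbage")
        (restored / "notes.md").unlink()

        return verify_restore(restored, manifest)


if __name__ == "__main__":
    report = demo()
    for status, files in report.items():
        print(f"{status:8s} {len(files):3d}  {', '.join(files)}")
```

Run on a schedule against a scratch restore location, a non-empty `missing` or `corrupt` list is the signal that the backup is not fit for purpose, discovered before an incident rather than during one.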
Meanwhile, many Irish companies that have built significant businesses on an IT backbone in recent years are wondering if they need to upgrade to stay compliant. According to Rooney, corporate governance, risk mitigation and regulatory compliance are foremost in such companies’ minds. “When you have had technology in place for a while, you start to wonder if it’s still fit for purpose. Is it still ready for the threats that are out there? Some organisations have people working in the IT team that know they’re not in a good place in terms of security, but they need help to persuade the board members that they need to spend on it,” he said.
“We recommend that companies pause, step back and take a look at where the business is and what its IT strategy is. Then do some work to align their security strategy with their business and IT strategies. Then come up with a roadmap of where they need to go to stay secure for the next three to five years. It’s obviously difficult to plan that far ahead, but you do your best,” said Rooney.
Courtesy of the Sunday Business Post