Cyber threats are a pressing issue for all businesses
Last week’s announcement that the government is to boost the National Cyber Security Centre (NCSC), transforming it into an independent agency with its own staff and budget, should be read as a recognition that Ireland is finally taking IT security seriously. The same message needs to be heard in business, though, from the board of large enterprises down to small businesses and even sole traders.
The elephant in the room, of course, is the 3 December PwC report into this year’s catastrophic attack on the HSE. A nightmare at any time, the Conti ransomware attack came in the middle of the Covid-19 pandemic and ground the health service IT estate to a halt at the worst possible time. Over 150 excruciating pages, the report details how the HSE has a “very low level of cybersecurity maturity”, no single executive in charge of network security, only 15 full-time cyber security staff (presumably significantly fewer than it has physical security staff on-site), and “did not have many of the cybersecurity controls that are most effective” in place.
This is disastrous stuff, and as sure as night follows day, disaster was the result. Recovery costs alone are estimated at €500 million. The human cost is, so far, unknown. It would be a terrible mistake to be smug, however, or to point the finger at the HSE as uniquely weak. If the country’s health service can be brought to its knees by someone opening an e-mail attachment, imagine what it would mean for a business – or former business, as it would soon become.
Everyone in the industry knows about the cyber security skills shortage, and the 2021 Life & Times of Cybersecurity Professionals, published by the Information Systems Security Association this July, suggests it is only getting worse, with staff burnout added to the list of recruitment issues. Let’s face it, though: another problem is a lack of investment.
Cyber security, like a number of other IT functions including back-up, is a nuisance. A cost centre from a business point of view, and one that takes a certain type of person to be interested in. Despite this, or perhaps because of it, it is essential. The days of ‘script kiddie’ attacks and viruses that do little more than print a message on the screen are long behind us. Instead, today’s threat is from criminal gangs, able to hire top talent on a breach-as-a-service basis, if you can imagine such a thing.
And the threat intensifies year after year. Indeed, the NCSC this week published an advisory that a vulnerability in a Java library could be used to breach Apache Web servers, an alarming possibility given that LAMP, or Linux, Apache, MySQL and PHP, systems are the bread and butter of many business operations, and the gateway to a lot of customer data.
Micheal Conway, managing director of Renaissance Contingency Services, said EU oversight was causing an improvement in the general state of cyber security in Ireland. It is still not enough, though, he said.
“It will end up being the case that you need to be fit for purpose, with things like ISO-type standards. Ultimately, in the best traditions of Ireland and the way things are run here, they’ll do it reluctantly, but they will do it in the end, because it has to be done,” he said.
The challenge is greatest for small businesses, a greater proportion of whose revenue will need to be spent. Like rent and rates, though, cyber security, in the form of assistance from a managed service provider, is now just part of the cost of doing business.
“If you want to do business internationally you will need a minimum level of compliance,” said Conway.
And for those who don’t bother, disaster awaits.
“It is a horrible problem, no matter what way you look at it, and there will be more issues,” he said.