Cybercrime and the steps to take to counteract a cyber attack
What is cybercrime
By 2023 almost one in five Irish businesses have experienced a cyber attack or data breach, according to new research by professional services firm Aon. Cyber attacks are the malicious attempts to damage, cause disruption, gain unauthorised access to computer systems, networks or devices via cyber means. Most cybercrime is committed by cybercriminals or hackers who want to make money. However, occasionally cybercrime aims to damage computers or networks for reasons other than profit. Far too often, successfully managing cyber risk only becomes a priority after a cyber incident has occurred.
Cybercime is becoming more prevalent since the Covid-19 Pandemic, the adoption of hybrid and remote working across many organisations introduces new challenges as employees can access company networks from a various locations and devices. This in turn provides hackers with new opportunities to exploit weaknesses in software, hardware and people actions. Also economic and geopolitical disruption in (global increase in cost of living, Russian/NATO tension, climate emergency and energy security) recent years has also led to the increase in Cybercrime. The HSE became all too aware of this issue when they were subjected to a cyberattack in May 2021. It resulted in months of disruption in the health service.
Prior to the Covid-19 pandemic cybercrime was present but were we all aware of the disruption it could cause. My colleague Conal Kennedy wrote an article titled The growing threat of Cybercrime to accounting practices in the February 2017 edition of Practice Matters. Subsequent to this, the HSE attack in 2021 caused people to sit up and ask could this affect them. The reality is that any organisation no matter what size could be subjected to a cyber attack. The response of the Government and business to this threat for a long time had been inadequate, leaving them often to play catchup in the wake of attacks. But there are signs Government agencies and society in general are starting to address get a handle on the issue with more urgency. Much of this has been led by the National Cyber Security Centre (NCSC), an agency that was found badly under-resourced after the HSE attack.
This article sets out the major types of cybercrime and some steps firms should take to prevent a cyber attack.
Types of cybercrime
The three most common types of cybercrime include:
Email and internet fraud, otherwise known as phishing. (Phishing campaign messages may contain infected attachments or links to malicious sites, or they may ask the receiver to respond with confidential information). Research conducted by IBM states that 41% of cyber attacks start with phishing. The emails may not personalised, contain incorrect grammar and spelling mistakes.
We all think it won’t happen to us, but for example, during a busy tax deadline an email arrives you click on the email and then realise once you have done this it is a phishing email. However, it is too late you have passed on confidential information, and this could result in weeks of disruption, culminating in a significant loss of income to the firm. 47% of organisations suffer reputational damage after a phishing attack (source: Egress’s email security Risk Report 2023)
In April 2023 Bank of Ireland issued a warning to its customers in respect of fraudulent e-flow messages that many of them were receiving. The fake message was requesting that individuals pay their travel toll charges. The link in the message brought people to a fake site and in turn allowed the hackers to collect personal information and monies from individuals.
Ransomware attack/cyberextortion (demanding money to prevent a threatened attack). The hackers have infiltrated your system and all computers in your office have been attacked, you can no longer access your system and clients’ data. The hackers are demanding a ransom to be paid within a number of hours or your data will be destroyed or released on the darknet. You need to make the decision whether to pay this amount, normally in cryptocurrency, to the hackers. In 2022 64% of organisations that were infected with ransomware paid the ransom. One important point to be aware of:, once you pay the ransom the hackers, who operate on the Dark Web, can in turn post your details and you could be subjected to another attack.
The biggest ransomware cyberattack in Ireland to date was on 14 May 2021, in which the HSE suffered a major cyber-attack that caused all its IT systems nationwide to shut down, resulting in months of disruption for the Health Service. More recently in February 2023 Munster Technological University in Cork also suffered a ransomware cyber attack. The University refused to pay the ransom and the gang knowns as “Blackcat” who allegedly stole 6GB of data, released this to the Dark Web. The University secured a High Court injunction to prevent the sale and public use of this data. In addition, the attack caused many days of disruption for the University and its’ students.
A malware attack is where a computer system or network is infected with a computer virus or other type of malware. A computer compromised by malware could be used by cybercriminals for several purposes. These include stealing confidential data, using the computer to carry out other criminal acts, or causing damage to data. Again, a malware attack can cause significant disruption to firms, as you will require the services of professionals to destroy the viruses, resulting in significant financial and time loss for the firm.
Other types of cybercrime
Other types of cybercrime include:
- Cyberespionage hackers access government or company data,
- Identity fraud where personal information is stolen and used,
- The theft of financial or card payment data and theft and sale of corporate data.
- Password infiltration- 96% of the most common passwords can be predicted by hacking tools in less than one second.
Cybersecurity steps you should take
Effective cybersecurity in the workplaces is essential to reduce the risks of cyber-attacks and threats. Staff education-in the area of cybercrime/security is key. Organisations should have their own processes and procedures in place. These should include
- Regular monitoring of systems
- Use and update anti-virus software
- Using data breach detection tools and
- Testing system vulnerabilities.
It is important to be aware that, even with all the correct procedures in place, an attack is still possible. Don’t ever think it can’t happen to your firm.
Your staff are your biggest asset. However, research conducted notes that 95% of cyber security breaches are as a result of human error. Once they are educated and vigilant they can help you to can prevent cyber-attacks. They should be taught to follow the firms guidance and report anything suspicious immediately. Ensure they are trained to
- Use strong passwords, and change these regularly, a strong password is over 13 characters in length and contains letters (upper and lower cases), numbers and symbols. It is important that the passwords are changed regularly
- Notice a change in passwords not authorised by them
- Never open attachments in spam emails or emails from people you do not know.
- Do not click on links to untrusted websites or websites that you are not familiar with.
- Never give out confidential personal information unless the link is secure
- Contact companies directly about suspicious requests, if you become suspicious that a client/company is requesting personal information make sure to pick up the phone and contact them.
- Report immediately to the IT team or IT provider if their computer is running slowly, notice deletion of computer files not carried out by them or find payments that were not authorised by them.
- Training in itself is not sufficient, of course. It is important that you test your controls. Carry out regular reviews of compliance. Engage with IT professionals to send test phishing emails to your firm and review the results.
Another protection that cybersecurity insurance is something firms should be considering. Many policies pay out for ransomware attack . To date we understand that there have been no claims by third parties such as clients of firms in relation to cybercrime in Ireland. The main policy claims relate to ransomware/damage to the system. However, with cyber-attacks on state agencies already resulting in breaches of data, this too could happen to smaller/medium firms. You may not suffer a direct financial loss because of the breach, but third parties may want compensation if their data has been compromised.
So in summary the importance of effective, up-to-date, cyber security cannot be overstated and it is important you take a threat of a cyber attack seriously. Staff awareness is crucial and can prevent a possible cyber-attack. The key is to be vigilant as a cyber attack can cause a significant loss of profits and weeks or even months of disruption to a firm and significant reputational damage. So therefore STOP, THINK and CHECK and don’t be afraid to report something to your IT department or IT provider, as your prompt actions could protect you.