‘The HSE attack made everyone take cybersecurity seriously’

23 Jun 2021

Jan Carroll. Image: © Francesco Baldini

UCD lecturer and cybersecurity researcher Jan Carroll discusses how cybersecurity is now everyone’s problem, not just an IT department problem.

Cybersecurity has been in the spotlight a lot more in the last year and that is in no small part due to the Covid-19 pandemic.

A sudden shift in the way we work and learn meant that a huge amount of the global workforce moved to cloud computing, remote desktops and a decentralised system.

But this sudden move caused major problems for security professionals as they tried to secure the new remote workforce and protect data that had suddenly spread far and wide.

From early on in the pandemic, it was clear that cybercriminals were taking advantage of Covid-19 with predatory emails and spam messages. The World Health Organization saw a doubling of cyberattacks and in August 2020 Interpol reported attacks were rising at an ‘alarming’ rate.

But it wasn’t until this year that the severity of these attacks really came into focus with several major attacks including a severe ransomware attack on Ireland’s Health Service Executive (HSE).

While many of the HSE’s systems are now back up and running, the effects are still being felt and the vast costs have yet to be tallied.

However, cybersecurity researcher Jan Carroll said there is a silver lining to the recent attacks.

‘Cybersecurity and information security is now everyone’s problem’

“One positive result of the HSE attack is that it has made everyone take cybersecurity seriously,” she said. “We should see this as an opportunity to take advantage of having everyone’s attention and launch a national cyber awareness campaign.”

She said that even outside the HSE attack, other developments both in the industry itself and in the media have led to a heightened awareness of the importance of cybersecurity.

“Cybersecurity and information security is now everyone’s problem, not just the IT department,” she said. “The implementation of GDPR and the high-profile data breaches from the likes of Facebook has made us all aware of how our personal information is stored and used by different platforms.”

Tackling the skills shortage

Carroll also works as a cybersecurity lecturer at the UCD Professional Academy and, as such, is extremely passionate about closing the cyber skills gap by bringing more women and underrepresented groups into the industry.

A recent report from Cyber Ireland found that 47pc of companies’ security teams are at least somewhat understaffed and almost half (48pc) of companies have open or unfilled cybersecurity roles.

Carroll said that while the skills shortage is a global problem, it’s good that it has been identified and steps are being taken to address it.

“Organisations such as Cyber Ireland are working with national bodies, industry and learning providers, including UCD, to road-map delivery of quality learning addressing industry and worker needs,” she said.

This need within industry combined with increased awareness of cybersecurity issues has created a demand for cybersecurity courses.

Last month, IT Sligo launched a new course focusing on the infrastructure that powers the movement of data on the internet with security baked into its modules. And at the beginning of June, a new €8m project led by Munster Technological University was announced to address the cyber skills gap.

The UCD Professional Academy where Carroll lectures is also offering professional diplomas in cybersecurity and ethical hacking, both enrolling for July.

“Part of my research is to attract more ‘returners’ to cybersecurity, especially women who have transferable skills. The technical skills can be taught more easily than the so-called ‘soft skills’ of critical analysis, communication, report writing etc,” she said.

However, Carroll said there is still a problem in the infosec industry when it comes to diversity, with a report from the International Information System Security Certification Consortium, or (ISC)², estimating women only make up 24pc of the cybersecurity workforce.

While this is a marked increase from the previous estimate of 11pc, Carroll said more work still needs to be done.

“There are issues with retention and lack of inclusion on leadership teams also. Other groups are underrepresented too, and it is an issue which needs to be addressed sooner rather than later,” she said.

“The diversity problem is everyone’s problem. A diverse workforce is a more secure workforce as we all bring our own unique experiences and frames of reference to the table.”

Wider impact on society

The HSE attack was arguably one of the biggest cyberattacks to take place in Ireland, the repercussions of which Carroll said will be felt for years.

“Once the Conti crime group set their sights on the HSE, they were going to persist and get in some way. These groups have the perseverance, the skills and the resources to penetrate pretty much any defences,” she said.

‘It’s not enough to do awareness training once a year in order to tick a box’

“Organisations need to learn from the attack by ensuring they have proper business continuity and disaster recovery processes in place to minimise when, not if, they are hit with an attack.”

She also said she wants to correct the misconception that “criminal hackers are young lads in hoodies sitting in their bedrooms. They’re not”.

“These criminal groups are similar to large, international corporations and their product is ‘hacking-as-a-service’. They are well managed and structured, often state-supported, and they’re not going away any time soon.”

She said that the majority of breaches come down to the human element and that the best form of defence is to have a security-aware workforce.

“It’s not enough to do awareness training once a year in order to tick a box. Security is everyone’s responsibility,” she said.

“Even if we all follow the best protocols to protect our own data, we are still vulnerable as we entrust our data to other parties who then fail to protect it. We need to be constantly vigilant as no defences are perfect.”

Jenny Darmody is the editor of Silicon Republic