PwC’s Will O’Brien discusses some of the major cybersecurity trends coming down the line and gives five tips for infosec teams.
Earlier this year, PwC’s 2021 CEO survey found that 90pc of Irish business leaders are worried about cyberthreats, a marked increase from 78pc last year.
However, the survey also revealed that more action to combat this crime is needed, with just 27pc of respondents planning double-digit investment in cybersecurity and data privacy in the next three years, lagging behind global counterparts at 31pc.
Will O’Brien, a director in PwC Ireland’s Cyber Practice, said the rapid digitalisation and blanket remote working that has taken hold over the last year, combined with the increasingly sophisticated attacks from cybercriminals, has made the risk of cyberattacks even greater.
“The changes that happened last year are society-wide. Organisations moved critical business processes and services online during the pandemic, and at haste. As a result, business resilience depends on cyber resilience, and any interruption to online services from cyberattacks may prove catastrophic.”
‘Business resilience depends on cyber resilience’
– WILL O’BRIEN
The evidence of these cyberattacks has become startlingly clear in recent months. A report from March of this year found that ransomware attacks in manufacturing tripled in 2020. This was shortly followed by one of the most severe cyberattacks Ireland has ever seen, with a ransomware incident impacting the HSE.
O’Brien said cybercriminals have started to target the operational technology the manufacturing sector relies on. “With manufacturing giants like WestRock, Foxconn, Honda and Norsk Hydro among those reporting attacks, it is clear that those in the industry need to protect themselves,” he said.
“The barriers to entry into ransomware operations have been lowered by ransomware-as-a-service (RaaS) schemes, which means that SMEs are as much at risk from a ransomware attack as large organisations.”
The impact of ransomware attacks on technology systems can extend beyond financial loss. It can result in supply-chain issues, such as in the Colonial Pipeline attack in the US last month, which knocked much of the pipeline’s network offline. It can also result in the leaking of sensitive data, as was the case in the HSE attack.
O’Brien said adopting defence-in-depth security strategies and having effective preventative, detective and corrective controls in place is critical for reducing risk. He outlined five key actions security teams should take immediately to protect businesses.
1. Conduct an independent cyber health check
“Identify an independent third party to complete a short assessment of cyber risks within your organisation,” he said.
“This assessment should be based on industry standards, such as NIST or ISF, and will produce a report that allows you to decide on the remediation investment required.”
2. Establish a cyber governance forum
He also advised that businesses should have a group of senior stakeholders across the business that includes representatives of the operations, technology, security and legal teams, which would meet monthly to discuss remediation progress and report to the company’s board.
3. Create a cyber incident response plan
“While the majority of efforts should be focused on preventing these attacks, it is also vital that organisations plan and exercise their response to a major ransomware incident,” O’Brien said.
“Like your fire drill, have a cyber incident response plan, including your communications plan, and rehearse this with management.”
4. Increase cyber awareness
The majority of cyberattacks have a human element at the heart of the incident, meaning educating staff on best security practices is key. “Your staff are a critical control,” said O’Brien.
“Establish a programme of continuous learning and phishing exercises to keep your people cyber aware.”
5. Brief the board
He added that it’s important to have the board engaged on security matters, as it is one of the biggest risks facing a company. “Look to present to them quarterly and design separate briefing sessions to improve their level of understanding and readiness,” he said.
“Boards should question their security teams to determine not only how susceptible they are to ransomware attacks, but how prepared they are to recover from one, should an attack occur.”
Other considerations
O’Brien also highlighted other key areas that security teams need to consider, such as data protection. “Any organisation that breaches the rules of GDPR faces financial sanctions, reputational damage and public scrutiny over data protection shortfalls,” he said.
“Finally, businesses often need to communicate with outside parties regarding an incident, and they should do so whenever appropriate, such as contacting An Garda Síochána, fielding media inquiries, and seeking external expertise.”
However, he noted that while the sharing of information surrounding an incident may be important, security teams should also be cautious in this regard and have a communications plan in place before an incident occurs.
“Otherwise, sensitive information regarding incidents may be provided to unauthorised parties, potentially leading to additional disruption and financial loss.”