Businesses that fall victim to hackers or data breaches must report the incidents and not fear adverse publicity, so other companies can also learn from the experiences and better protect themselves against cybercrime.
That’s according to Irishman Brian Honan, one of Europe’s foremost experts on IT security.
Honan has recently been appointed special adviser on internet security to Europol’s European Cybercrime Centre (EC3), which is made up of 12 internet security experts from various fields and backgrounds, including Eugene Kaspersky, founder of Kaspersky Labs, Raj Samani, the CTO of McAfee, and Rik Ferguson, vice-president of security research for Trend Micro.
Prior to the Europol appointment, international IT security publication SC Magazine named Honan Information Security Person of the Year in recognition of his contribution to the IT security industry and his work in establishing IRISSCERT, the Irish IT security incident response team.
Career in IT security
Honan’s foray into IT security began in the 1980s, while working at Irish Life as an engineer. A stint at Cognotec followed, where he ensured foreign exchange systems were kept secure. In 2004, he decided to set up his own consultancy, BH Consulting, which advises organisations, from government bodies and financial institutions to SMEs, on how to protect themselves against IT security breaches.
Honan would agree there are few areas of life today unlikely to be impacted by some form of technology-related crime.
Every year, the number of attempted hacks on company networks increases, according to McAfee. More and more hackers are unleashing viruses and DNS (domain name server) attacks, and a rising spate of cybercrime that goes beyond pranks and financial gain to espionage is beleaguering police forces.
The revelations by former CIA contractor Edward Snowden of the existence of PRISM, a programme that allegedly monitors the servers of internet giants such as Google and Facebook to spy on billions of people, as well as his claims that the US National Security Agency (NSA) bugged the phone of German Chancellor Angela Merkel, reveal the extent to which technology pervades today’s world.
Honan said “information sharing” about cybercrime needs to be enhanced – not only among IT security experts and software makers, but also businesses that are affected themselves.
“Cyber-criminals today are capable of having millions of PCs under control in a botnet without their owners’ knowledge, which are then used to attack larger targets via DNS attacks. Servers of businesses can be harnessed without their owners’ knowledge to spread spam and malware. No matter how big or small you are, you are potentially a target for criminals and they will use you and the resources under your control for their own benefit,” Honan said.
Business and law-enforcement link
One of Honan’s ambitions is to create better links between law enforcement and businesses to better defend against cyber-criminals who are hijacking business computers and networks.
“(EC3 is) not going to be whisking me away via helicopter on cases,” Honan said. “It’s more of an advisory role. The reality is if I want to target your computer or your network, I can do so from anywhere in the world. It’s the responsibility of organisations everywhere in the world to admit they may have a problem.”
The problem with cybercrime and fighting it, Honan said, is that few businesses, especially in Ireland, will admit to being victims of cybercrime or cyberespionage.
“There are cases in Ireland where companies have been extorted. The criminals break into their networks, overwrite the backup tapes, encrypt the company server and deny the company access to its own information and unless the company hands over €3,000 they’ll never see their data again.”
Honan added that businesses inevitably just want the problem fixed and they will try and find the cheapest way of fixing the problem.
Irish firms, he said, are reluctant to bring in law enforcement because by doing so they could invite negative publicity, for example. Firms are, by Irish law, expected to report a data breach – be it the result of hacking or the loss of a device containing data – to the Data Protection Commission if people’s private information has been compromised.
According to research by Symantec and the Ponemon Institute, the cost of a data breach for a compromised company could be US$136 per compromised record.
In recent weeks, Vodafone’s Germany-based business was hacked and more than 2m customers’ names, addresses, limited bank account information and dates of birth were accessed. An individual who was working for the company and who had insider knowledge of internal systems was behind the breach.
In Ireland, data breaches that occur in the public and semi-State sector become public knowledge, but the same can’t be said for the private sector.
In 2008, a laptop belonging to the Department of Social and Family Affairs containing details of as many as 390,000 social welfare recipients was stolen. The following year, four laptops were stolen from Bord Gáis offices in Dublin containing the details of 75,000 customers.
Another case in 2003 involved PBX fraud, whereby phone systems belonging to the Department of Social Affairs were hacked and the hackers ran up phone bills costing the State €300,000.
This form of IT crime was once considered the ICT world’s dirty little secret because it can happen to any business at any time, and it has only been in recent years that the industry has begun warning private enterprises to speak up and defend themselves.
“If someone breaks into your office and steals €200 in petty cash, you’d report that to the gardai,” Honan said. “If a hacker broke into an Irish company’s servers and stole from the bank account, people are reluctant to report it to the police.”
This is where Honan said he believes the conversation needs to be changed and victims of cybercrime, whether in Ireland or elsewhere in the world, need to speak out.
“Invariably, when the breach happens it hits the headlines. A lot of businesses become ridiculed for not having prevented the attack. We need to stop victimising the victims and make people realise there is a real impact and real threats out there that need to be dealt with.”
The business community as a whole needs to get out of this ‘island’ mentality and report crimes and start sharing information and experience so others don’t fall victim, said Honan.
The scale of the problem is vast, he added. Firms are as much under threat from hackers as they are from employees who may commit fraud, espionage or use company equipment for illicit reasons.
Support for security
Honan’s appointment to EC3 echoes what he said is a strong tradition of Ireland supporting security.
“We have a long history of engaging with threats and risks in the real world. Think of the Troubles in Northern Ireland and also the fact that we are respected peacekeepers for the UN. With all the multinationals based in Ireland, in particular security players like Symantec, McAfee and Trend Micro, and also the cloud companies like Amazon and Facebook, which require security expertise, Ireland as a nation has a lot to bring to the table on the security front.”
However, as ill prepared as businesses may be in terms of defending themselves against cyberattacks, law-enforcement agencies worldwide lack the resources to handle the growing complexity of cybercrime. Ireland, Honan said, is no different.
“Ireland is quite similar to other countries, it’s the same in the UK, the US and many other countries where the skills aren’t available and police forces are under pressure to deal with the new kinds of threats and problems,” Honan said.
“It requires specialised skills and getting people to expert level takes time and effort. In times of cutbacks and reduced budgets, time is not a luxury any more.”
A version of this article appeared in the Sunday Times on 3 November