Cybercrime is an evolving challenge that Irish businesses need to plan for, developing a cybercrime strategy and processes to combat attacks such as malware, ransomware and phishing. In Ireland, cybercrime outpaces global averages for businesses. Research by PWC found that incidences of cybercrime in Ireland (69%) are double that experienced by international companies (34%). The study found that the high level of cybercrime is a concern for potential investors evaluating Irish businesses for investment.
As well as reassuring stakeholders, there are plenty of reasons to implement a cybercrime strategy. Data protection legislation such as the General Data Protection Regulations (GDPR) requires customer data to be securely stored, with significant fines for non-compliance. Customers expect data to be protected from data breaches, while attacks such as ransomware can see companies have to pay considerable funds to access their scrambled data. Cybercrimes such as hacking and illegal access to IT systems and networks can also expose intellectual property, commercial data and sensitive information to data theft and exploitation.
Protecting your business from cybercrime demonstrates to stakeholders you can be trusted when protecting data and clients’ information. Certification such as Cyber Essentials demonstrates an industry-standard approach to data security and may be a requirement for some commercial tenders, such as UK government bids.
Common types of cybercrime
Cybercrime can take many forms. and may be carried out by individuals, hacking groups or even state actors.
- Hacking – Where a person gains access to network and data, applications or systems to compromise them or steal data. Hackers can use a variety of approaches to access systems, such as unpatched operating systems to social engineering methods. For example, a hacker could place a USB stick near an organisation with the label ‘staff salaries’ on it. An unsuspecting employee could plug it into an unprotected network, where malware could self-install and be used to compromise systems.
- Phishing – An attack on your network where someone poses as a trusted person or business and tries to trick people into sharing sensitive personal information. A common phishing tactic uses a fake email disguised as a genuine email from someone within your organisation, such as a request to reset your password and a link to what appears to be a credible website.
- Malware – An umbrella term used to define malicious software that targets networks. Malware can disable computers and networks or stay hidden on a network and monitor network activity, such as keystrokes and passwords. Malware is commonly installed by opening an attachment on a fake email.
- Ransomware – A type of malware, it prevents an organisation from accessing devices such as laptops and data storage, often scrambling data and making it unreadable. Ransomware gangs will often demand payment, usually in a cryptocurrency, to unscramble and restore access to data and devices. However, information may be left unusable even once a hefty ransom has been paid.
How to protect your business against cybercrime
There are ways you can strengthen your businesses’ protection against cybercrime and develop a cybercrime strategy for employees to follow. From updating your business’s network security systems to setting up robust access controls to determine who can access data, boosting your cyber security can minimise downtime and reduce productivity.
Keep software up-to-date
Keeping your software, such as applications and operating systems, updated can help protect your organisation against malicious software or viruses. Software updates routinely fix security flaws in software, denying criminals the opportunity to exploit security holes and access your network. Outdated software was a key finding in the aftermath of the cyberattack on HSE Ireland that occurred in May 2021. Many of HSE’s systems were still using Windows 7 software, despite Windows 10 being available.
Interested in GDPR and data protection? Read our guide to who is responsible for demonstrating GDPR compliance.
Install and maintain security software
Install anti-virus and anti-malware software on all devices and keep it up-to-date. Commercial security software can scan files, such as email attachments and prevent them from being opened if they contain malware. Look for features such as daily updates to virus definitions, the ability to recognise previously undetected malware, and user alerts that help prevent users from accessing malware websites or responding to a phishing scam.
Enforce strong passwords for all users. The Cyber Essentials 2022 update mandates that all administrative users of cloud-based services have multi-factor authentication in place. Use a combination of tools to control access, such as a strong password, a security number and an access code sent to the user’s mobile device.
The Cyber Essentials 2022 update requires organisations to use commercial password generators when choosing passwords and enforce a policy of regularly changing passwords.
Data back up
Routinely back up data to a separate, secure storage location – ideally offsite – so data can be restored in the event of a security breach or ransomware attack. Ensure employees store data in a way that allows it to be backed up, and do not allow the storing or processing of organisational data on personal devices that may have lower security thresholds and prevent routine back ups.
Implement strong firewalls
Firewalls monitor incoming and outgoing network traffic on a system and prevent unauthorised devices from accessing your network. Firewalls and routers should have a strong password (at least eight characters, symbols and numbers) and 2FA to prevent unauthorised users from circumventing a firewall. Ideally, an organisation should whitelist the IP and devices of authorised devices that can access the network remotely or limit access to internal network devices.
Create a BYOD asset register
Bring your own devices (BYOD) can enhance organisational flexibility but introduces new security challenges. Create a BYOD register and ‘onboard’ any device from staff, such as ensuring it has robust security software, passwords, 6-character PIN and 2FA access.
Certification Europe Cyber Essentials
Our Cyber Essentials certification can strengthen your organisation’s cyber security management systems and demonstrate robust IT and data security systems to build customer trust. Certification in Cyber Essentials from an internationally accredited certification body can enhance your data security assets and help you protect organisational assets.
Our Cyber Essentials certification is the first step to strengthening your organisation’s cyber security management systems and demonstrating robust IT and data security systems to build customer trust. Certification in Cyber Essentials from an internationally accredited certification body can enhance your data security assets and help you protect organisational assets.
We also independently assess information security management systems (ISMS) to ensure it meets the criteria required for certification in ISO 27001.