Author

Bob Semple is a consultant and a fellow of the Irish Computer Society.

This year has seen a marked increase in malicious and criminal activity targeted at business IT systems, often resulting in serious financial and reputational losses.

Global foreign exchange provider Travelex went into administration in August, after a significant cyber attack over New Year paralysed its operations, which were then further disrupted by the Covid-19 pandemic.

During the hacking attack, the UK-based company was forced to take down its websites across 30 countries in an attempt to contain the virus and protect data; many were offline for over two weeks. The ransomware gang claiming to be behind the attack demanded £4.6m, having downloaded sensitive customer data, including dates of birth, credit card information and national insurance numbers.

Traditionally, cybersecurity efforts have focused on keeping these kinds of threats out of the system. But it is increasingly clear that assuming bad actors can always be kept out may be missing the point – in many cases, they could already be in organisations’ systems.

Most fraud is cyber-based

PwC’s latest annual survey of economic crime in Ireland reveals that cybercrime is the most frequently reported type of fraud, cited by 69% of respondents. The firm points out this is a particular concern for the country given Dublin’s position as Europe’s largest data hosting cluster.

According to the research (available here):

  • 51% of respondents experienced economic crime in the previous 24 months
  • 69% of reported fraud incidents were committed by external perpetrators
  • 13% of respondents reported losing more than US$5m to fraud over the previous 24 months
  • 10% of respondents did not know how much they had lost to economic crime

What is cyber resilience?

Cyber resilience helps an organisation mitigate cyber risks, protect itself against attacks (and limit their severity), and ensure its continued survival despite an attack.

Resilience is often confused with risk, robustness and security. However, risk is best considered as uncertainty that could affect objectives, robustness as the ability to withstand an attack, and security as ensuring an IT system’s confidentiality, integrity and availability.

Resilience, on the other hand, represents the capacity to recover quickly from difficulties.

Why this focus on resilience? Because over the past few years it has emerged that traditional cybersecurity measures are no longer enough to protect organisations from the spate of persistent attacks.

Cyber resilience refers to a business’s ability to continuously deliver the outcomes it intends despite adverse cyber events. It describes the planning and management of how a business prepares for, responds to and recovers from cyber attacks.

While cybersecurity’s main aim is to protect data and IT systems, cyber resilience focuses more on making sure an organisation can still deliver its business. Its intended outcome is business delivery, keeping business goals intact rather than the IT systems.

Awareness raiser

The Irish Computer Society (ICS), which is the representative voice of Ireland’s IT professionals, has launched a cyber resilience initiative to raise awareness within organisations of the need to plan if the worst should happen. The reasons for this are three-fold:

  • the rapidly growing risks from cyber attacks, and the resulting disruption and cost associated with responding to them
  • the enormous reputational damage that organisations (and individuals) can suffer
  • the challenges that board members face in addressing these issues.

The ICS plans to raise awareness among board members as part of European Cyber Security Month in October. Part of its effort includes a survey – which takes less than five minutes to complete and is completely confidential and anonymous – of directors.

It also aims to launch comprehensive guidance on how boards can better direct and oversee cyber resilience in practice.

Further information

If you are a board member, please complete ICS’s short survey on cyber resilience by 30 September.

See the full survey.
