
Ransoms, reporting and reputational risk: cybercrime and SMES in 2022

Posted on: 17 Nov 2022

Cybercrime is evolving, and planning, people management and police co-operation are more important than ever. That’s the key take-away from legal firm Matheson’s annual Cyber and Data Protection Conference.


Moderated by Matheson partners Anne-Marie Bohan and Deirdre Crowley against the backdrop of European Cyber Awareness Month, the event featured talks and discussion from Detective Brian Halligan of the Garda Cybercrime Bureau, Data Protection Commissioner Sandra Skehan and security expert Stuart McKenzie of cyber-security firm Mandiant Consulting.


The conference also polled attendees on their experience and defences. Somewhat alarmingly, 35% of those who took part had suffered a cyber-attack in the last year. Building on the theme of last year’s conference, which advised businesses to treat a cyber-attack as not a threat but an inevitability, the panellists focused on developments in how attackers are operating, and how organisations can put their plans in place.


All businesses are under threat – but SMEs are most exposed

While Detective Halligan is keen to emphasise that all businesses are a target for cybercriminals, he sounds a special note of caution for the SME sector. “SMEs may not have big IT security budgets, and they may not be as secure [as larger enterprises]. Cybercriminals are aware of this,” he says, noting an upsurge in attacks in the SME sector since 2021.


McKenzie has some valuable insight to share on the way cybercriminals operate behind the scenes, and once again the news isn't good for SMEs. Vulnerabilities, he claims, are often found by freelance criminals, who trawl the web looking for breaches in security. This information is then sold to an access broker, who will pass the details on to the hackers themselves. In other words, if you were hoping to hide below the radar, don't count on it; there's someone out there whose job it is to find you.


Organising in this way, he says, “means that they are operating with essentially limitless resources”. Phishing and other human methods of gaining access to systems remain the main way in, but even with a perfect team you may not be safe.

Reporting is essential – but businesses are falling short

If your organisation is hacked or otherwise compromised, you have 72 hours to report the event to An Garda Síochána and the Data Protection Commission, including holidays and weekends, and a failure to do so is punishable by anything from an unlimited fine to five years in prison. Detective Halligan also points out that every piece of information the Gardaí receive forms part of a puzzle that can prevent further crimes.


The primary aim of traditional policing may be to bring the perpetrator to justice, but when it comes to cybercrime, the picture is far more nuanced. Halligan points out that while the actual culprit might not be prosecuted, “every cybercrime reported is a piece of the puzzle that can lead to the capture of key servers” and other infrastructure that organised gangs use to carry out attacks.


However, Skehan is concerned that businesses are not meeting their obligations. Though incidents have risen since 2020, she states that “we’ve actually seen a drop of 50% in reporting [of customer data breaches]”. With the appointment of two new data commissioners in Ireland and the organisation moving into an enforcement phase, this might see some businesses in hot water. However, she is keen to stress that the DPC are also available to help with the difficult process of disclosure: “It's not all about the fines, there's a lot of other steps that we can take to assist.”


The ransom demand – to pay or not to pay?

According to a recent survey from IT service provider Typetec, around 25% of Irish SMEs have paid a ransomware demand. While the decision not to pay may seem like an obvious one, McKenzie points out that in the heat of the moment, it may be tempting: “the business comes to a shuddering halt very quickly”. He also notes that attackers are now leveraging the reputational risk to the business to get victims to pay up, threatening ‘we'll publish your data on the dark-web or somewhere public; we're going to embarrass you’.


Attackers may move on a Friday or on a bank holiday weekend, to apply further pressure. Skehan notes that although there is currently no Irish or EU law in place to prevent the paying of ransoms, handing over the money often doesn’t solve the problem: “From our experience, especially when you look at numbers of organisations who have paid the ransom, they receive the encryption key but a further ransom is requested.”


Preparing for the worst – the do’s and don’ts

If McKenzie had to point out one mistake organisations make when preparing for a cyber-attack, it would be throwing more technology at the problem, which he believes overloads teams and often doesn’t work. Instead, he suggests, organisations may be better served by simply running updates on the systems they have. “Most of the attackers get in through unpatched software or other vulnerabilities,” he claims. In other words, it’s well worth taking the time to get IT to run that software update.


The importance of having a well-oiled team to handle security, reporting and customer disclosure was also highlighted, with Deirdre Crowley pointing out the importance of the people element: “you don’t want to get the team working together for the first time during a cyberattack”. While ‘wargaming’, or running a simulation of an attack, has gained popularity as a technical tactic, it should also be a human resources operation. Disclosure is also something that should be planned out well in advance.


McKenzie points out that a quick disclosure can be essential for reputation and to remove ransom leverage, but “you need to be honest without telling everything”, which is not exactly an easy thing to do at the last minute. Skehan insists that a breach should be communicated as soon as the risk is assessed. “If necessary, do it through a public campaign and follow up with individuals that need to be contacted,” she says, pointing to the guidance materials on the DPC website.

The takeaway

Alarming as it may sound, any assumption of safety is out the window for SMEs. While it’s necessary to keep systems secure and ticking over, in 2022, having a process in place for when the worst happens may be even more important than prevention.