Plain English Cyber in 3 articles, 2 numbers and 1 action.

This week: This month and last month, Ireland’s police, government and national cybersecurity agency have warned SMEs about the ever-increasing threat of cyber attacks. And yet executives and boards will continue to deliberately ignore this risk until their valuables have been stolen.

This week’s action: You are choosing your own adventure. Make sure you are comfortable with your choice.

If you’d prefer to listen to Cyber 3-2-1: This week’s episode is accessible from https://www.codeinmotion.ie/podcast or wherever you get your podcasts.

THREE ARTICLES

1: This month: Irish police and government warn SMEs about the ever-increasing threat of cyber attacks

What? As reported recently in The Journal, Gardaí (Ireland’s police force) and Irish government ministers “have warned businesses to prepare for potential ransomware attacks, saying that the number of attacks targeting small and medium businesses has increased. [..] Minister of State Ossian Smyth said that at the time of the HSE cyber attack, there was ‘a lot of concentration from criminals on the very large [..] multinational organisations, [where criminals] try and get $10 million to 20 million out of them. Now that’s changed, and we’re seeing a lot of attacks on much smaller organisations, on SMEs.’”

So what? Don’t listen to me – listen to Assistant Commissioner Paul Cleary when he states: “We’ve seen a lot of these cyber attacks can have crippling effects on businesses of all sizes and can lead to a company being pressurised into making substantial payments to regain control of their data without any guarantee that we will get any back or that the data won’t be posted online anyway.” If you are responsible for IT in a smaller organisation, you must get a handle on cybersecurity. If you assume it is being managed appropriately but you haven’t seen any evidence to prove it, I will bet you that your assumption is incorrect.

2: Last month: Irish police and government warn SMEs about the ever-increasing threat of cyber attacks

What? The head of Ireland’s National Cyber Security Centre, Richard Browne, recently stated that “[the NCSC] have been dealing with the threat of ransomware for some time; however, we have seen a noticeable change in the tactics of criminal ransomware groups, whereby rather than largely focussing on governments, critical infrastructure and big business, they are increasingly targeting smaller businesses. This is a trend that has been observed globally, and Ireland is no exception with several businesses becoming victims of these groups in the past number of weeks.”

So what? The bad guys know that small businesses do not have the resources and defences of bigger organisations, so they know they are easier targets. If you are responsible for IT in a smaller organisation, you must get a handle on cybersecurity. If you assume it is being managed appropriately but you haven’t seen any evidence to prove it, you are either happy to take the risk or you are going to work with me so you can prove (or improve) your security within 4 weeks.

3: Two months ago: US cybersecurity expert warns about our deliberate ignorance

What? Back in August, Stan Stahl of Secure The Village stated a very valid concern that really resonated with me. “In discussions I’ve had with many information security professionals, [..], there’s a general sense that a lack of concern and “deliberate ignorance” is all too frequently the norm for executives and boards. The general consensus is that we are far too reactive, seeking to lock the barn door only after the horse has been stolen … and then only locking the door through which the horse was stolen, leaving the others still unlocked.”

So what? I often wonder why businesses do not review their cybersecurity defences until after they’ve been attacked. We lock the front doors of our homes, even though most of us have never been burgled. Why don’t we do the same with our cybersecurity barn doors? You are either choosing to check that the barn doors are closed or you are choosing to deliberately ignore the risk that they are wide open. In both cases, you are making a choice. It’s important that you are comfortable with that choice.

TWO NUMBERS

1: Less than 10%

What? Less than 10% of companies that pay a ransom to cyber criminals get all of their data back, according to the Assistant Garda Commissioner responsible for the Garda National Cyber Crime Bureau, as reported by The Journal.

2: 80%

What? The percentage of organisations that pay the ransom in a ransomware attack and are then attacked again, according to Ireland’s Garda National Cyber Crime Bureau (GNCCB).

So what? There is no guarantee that paying a ransom will lead to your data being successfully decrypted, or that it will prevent the data from being leaked online. Paying a ransom may only make it more likely that you will be attacked again in the future, as you will be seen as a soft target. So, instead of paying a ransom after an attack, why not invest a fraction of that money in improving your cybersecurity defences, so you reduce the likelihood and impact of an attack in the first place?

ONE ACTION

1: Choose your own adventure

What? Small businesses are at an ever-increasing risk of attack. You don’t have to believe me – Just listen to the national cybersecurity agencies in your country. And yet, most executives and boards are choosing to deliberately ignore this issue until they are attacked. The vast majority of cyber attacks are not sophisticated attacks – They don’t need to be, because the front doors of most victim organisations were unlocked and the back doors were never installed in the first place.

So what? If you are responsible for IT and cybersecurity, you are choosing your own adventure. You are choosing to check your doors now, or you are choosing to try to close the doors after your valuables have been stolen. In both cases, you are making a choice. It’s important that you are comfortable with that choice. If this makes you uncomfortable, you are going to work with me so we can ensure your cybersecurity doors are closed.

Cybersecurity Without Insanity – it’s what I do.