Cybersecurity Without Insanity? It could be as simple as 3 – 2 – 1…

This week: Some terrible news for many vulnerable people. An attack on a HR provider results in a system outage. And phishing is still the most common way for a ransomware attacker to gain access to European organisations.


3 – Abuse victims’ data stolen in ransomware attack

It was reported earlier this week that personal information of abuse victims has been stolen by cyber criminals, following an attack on a company that provides a cloud-based IT system to a number of charities in Ireland.

According to the report on RTE, “The company, Evide, manages data for around 140 charities and non-profit organisations in Ireland, Northern Ireland and the UK [..] It is believed around 2,000 victims, survivors and suspected perpetrators may have been affected in Ireland”. As Brian Honan mentions in the article, the criminals may now try to blackmail the individuals whose data has been stolen, by threatening to release their data to their loved ones if they don’t pay a ransom. This is precisely what happened in Finland, when the patient data stored by the “McDonalds of psychotherapy” was attacked (which I discussed back in 2021).

Alongside the terrible impact this could have on a lot of vulnerable people, it also a reminder about supply chain risk. After all, If you are a cyber criminal, why would you attack one company when you can attack a service provider that manages the data of dozens of companies? This is why Third Party Risk Management (TPRM), Supply Chain Risk, Vendor Management are all hot topics for regulators around the world.


2 –Payroll provider is a victim of a cyber attack.

SD Worx, a HR and payroll giant that services 5.2 million employees for over 82,000 companies, has suffered a cyberattack which has caused them to shut down all IT systems for its UK and Ireland services.

This is yet another attack on a service provider. According to a recent report in Bleeping Computer, the company’s security team discovered malicious activities in its data centre and the company took immediate action to isolate systems and servers to minimise the impact. SD Worx has said that the attack was not a ransomware attack and the system shutdown was their proactive response to contain the impact of the incident rather than an outage directly caused by the attackers.

I am sure customers are unhappy about the outage. However, the alternative could have been significant disclosure of a lot of personal data about a lot of employees (assuming the company’s actions have prevented this).


1 – Phishing remains the most common doorway for a ransomware attack

The most common way for ransomware attackers to gain access to a European organisation’s systems in 2022 was through phishing (i.e. fooling someone into clicking a link or downloading a malicious file).

According to a report in SecurityWeek, and recently mentioned by Ireland’s NCSC, phishing was the method used in 40% of ransomware attacks* in the EMEA (Europe, Middle East & Africa) region that were investigated by Mandiant, a cyber incident response organisation that is owned by Google. In other regions, the percentage was lower, with the use of exploits (e.g. taking advantage of software that has not been updated by the victim) becoming more common.

* It is important to consider the data sample used in any analysis or research. In this case, the analysis “is based on Mandiant Consulting investigations”. Mandiant is a well-regarded, global incident response organisation but it is more likely to be called in by a large organisation with the financial means (or insurance cover) to pay for Mandiant’s involvement. Therefore, Mandiant’s data sample is likelty to be biased towards attacks on larger firms. The data may not reflect the reality for every organisation. Remember what I said about the danger of averages?



PS To listen to Cyber 3-2-1 and a roundup of my other articles this week, all episodes are accessible from or wherever you get your podcasts.