Author bio: Niall Mackey is the Commercial Director of Topsec. His team excels in enhancing email security for firms, safeguarding sensitive data against cyber threats.
Business is facing immense challenges currently, from the potential effects of climate change, to labour shortages, and the very real possibility of a recession.
But in the eyes of business leaders, these challenges are easily outstripped by the risk of cyber incidents. This is according to the global Allianz Risk Barometer, which assesses emerging risks across industries and sectors.
Cybercrime and the threat to Irish business
The top 10 global business risks for 2024 are headed up by ‘cyber incidents’ at 36%. Climate change is half of that, with ‘political risks and violence’ as a mere 14% concern.
Email: the cybercrime vehicle
Unsurprisingly, email is the most successful route of attack for cybercriminals. Research into Ireland’s cyber-risk landscape by Microsoft Security, shows that 38% of respondents selected ‘work email compromise’ as the biggest threat to their organisations. These generally take the form of phishing and clever social engineering.
And email remains on the growth path. The State of Email Security (SOES) report found that reliance on email has now exceeded the levels seen at the onset of Covid. And more email has led to more email-based threats. This highlights that while M365 does fulfil a great function, 90% of threats still arrive through email. This is why there is a need for augmentation services, like our integrated Inbox Protect, surrounded by a human-first threat detection Managed Service.
While the use of email is growing, it seems users’ wisdom is not.
A massive 95% of all data breaches are due to human error. The SOES survey reported that 48% of respondents said that their organisation’s biggest security challenge is a lack of employee awareness and education around cyber threats. All respondents had been targeted by a phishing attack in the last year; 70% said recipients had opened a malicious email, and for 90% of them the source of a data breach was an email.
Operations departments are seeing social engineering techniques and more targeted approaches like spear phishing or whaling, cloning emails of specific senior users, making it even more difficult for users to spot that it’s a scam.
As technology improves to halt malicious emails before they reach their recipients, so too have criminal strategies to infiltrate systems. For example, we’re seeing emails that pass all weighted criteria of malicious elements, still reaching inboxes.
A URL that was legitimate at delivery time is triggered post-delivery and then redirected to a malicious domain. We’re even seeing files dropped into a OneDrive folder – it could be a QR code or a URL – which appear to have no malicious content. A bad actor then amends the content within the OneDrive folder, and now the document/email contains a malicious link, waiting to be clicked.
The law is coming for non-compliant organisations
In line with global trends, the Microsoft Security report revealed that most Irish organisations, across industries, have encountered malicious cyber incidents, some resulting in financial losses.
It also revealed that the majority of Irish executives are unaware of the NIS2 and DORA (Digital Operational Resilience Act) legislation, regulatory frameworks intended to enhance the security and resilience of critical digital infrastructure and services in the EU.
The security element of the GDPR is also a focus and more and more, the onus is on organisations to ensure that they’re aligned with legislation.
Compliance requirements are becoming stricter, scrutiny is more intense, and fines imposed are higher. Organisations will need to review and update their cybersecurity strategies and practices to align with the new standards. Organisations will have to follow rules for the protection, detection, containment, recovery and repair capabilities against ICT-related incidents.
Another issue we’re seeing is the incorrect setup of email authentication protocols like SPF, DKIM, and DMARC, which help prevent spammers, phishers, and other unauthorised parties from sending emails on behalf of a domain they do not own.
Only 25% of organisations have the correct configuration, making it an easy entry for spear phishing. It also leaves organisations wide open for domain spoofing, where hackers impersonate your domain. As far as your customers are concerned, you’re a trusted domain. And this is actually a simple matter to resolve and ensure compliance.
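As an added illustration (not from the article or from Topsec), the small Python checker below reads SPF and DMARC TXT records and flags the misconfigurations the article alludes to: a permissive `+all`, a DMARC policy weaker than `reject`, a missing reporting address, and too many SPF lookups. It uses constructed sample records for two made-up domains rather than live DNS queries.

```python
import re

# Constructed sample TXT records for two hypothetical domains (not real DNS data).
SAMPLE_RECORDS = {
    "weak.example": {
        "spf": "v=spf1 include:_spf.mailhost.example +all",
        "dmarc": "v=DMARC1; p=none;",
    },
    "strong.example": {
        "spf": "v=spf1 include:_spf.mailhost.example -all",
        "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@strong.example; adkim=s; aspf=s",
    },
}

# Mechanisms and modifiers that each cost one of the 10 DNS lookups SPF permits.
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include:|a\b|mx\b|redirect=|exists:|ptr)", re.I)


def audit_spf(record):
    """Return a list of findings for an SPF TXT record (empty list means OK)."""
    if not record.startswith("v=spf1"):
        return ["no SPF record"]
    findings = []
    terms = record.split()[1:]
    all_terms = [t for t in terms if t.lstrip("+-~?").lower() == "all"]
    if not all_terms:
        findings.append("SPF has no 'all' mechanism: unlisted senders are neutral")
    else:
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        if qualifier == "+":
            findings.append("SPF ends in +all: any host may send as this domain")
        elif qualifier == "?":
            findings.append("SPF ends in ?all: neutral, no protection")
        elif qualifier == "~":
            findings.append("SPF ends in ~all: softfail only; rely on DMARC to enforce")
    lookups = sum(1 for t in terms if LOOKUP_TERM.match(t))
    if lookups > 10:
        findings.append(f"SPF needs {lookups} DNS lookups (limit is 10): permerror")
    return findings


def audit_dmarc(record):
    """Return a list of findings for a DMARC TXT record (empty list means OK)."""
    if not record.startswith("v=DMARC1"):
        return ["no DMARC record"]
    findings = []
    tags = dict(kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv)
    policy = tags.get("p", "").lower()
    if policy != "reject":
        findings.append(f"DMARC p={policy or 'missing'}: spoofed mail is not rejected")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports, so failures go unseen")
    return findings


def audit_domain(records):
    """Combine SPF and DMARC findings for one domain's record set."""
    return audit_spf(records.get("spf", "")) + audit_dmarc(records.get("dmarc", ""))
```

Running `audit_domain` over each entry in `SAMPLE_RECORDS` reports the weak domain's `+all` and `p=none` and returns nothing for the strong one; point it at your own records to see which of the two you resemble.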
Who are they after?
Targeted phishing is more successful, and there are a number of ways to access this specific information.
LinkedIn is an ideal platform to see where senior people are going and when, with all their details available with a bit of digging. It’s easy to track a person to a new company. New starters are vulnerable because systems and protocols are new. And so new starters are pure gold on the list of phishing targets, followed by IT professionals, whose valuable admin profiles have rights to all systems.
Finance and procurement people are next down the list, followed by HR people, who have access to all data on all staff.
More training required
We’re pretty trusting, us humans. We also do silly things when we’re in a hurry or under pressure. We remain the weakest link in the IT security headache. The Microsoft report says that password attacks are the most common attack vector, but emerging technology like AI is accelerating the innovation curve of modern social engineering.
The Allianz Risk Barometer reported that 48% of respondents said that there is insufficient employee awareness of cyber threats, and that this is their organisation’s biggest challenge in 2024. A huge contributor is obviously the remote work set-up post-Covid, where we’re not always using secure networks and secure VPNs, we’re on coffee shop wifi, on multiple devices.
Without driving fear, it’s crucial for organisations to weave security awareness into company culture at every level.
What other holes need to be plugged?
The Microsoft report delved into the strategies that Irish organisations have around cyber defence. Only 44% have regular risk assessments to identify vulnerabilities in systems and networks, and just 38% have a multi-layered IT strategy of prevention, detection, response, and recovery. 26% of organisations said they won’t be investing in their IT security infrastructure in the coming year, despite the evolution of the threat landscape and greater focus on compliance.
This complacency is misguided: sophistication and intensity are increasing with the help of state-of-the-art technology. Over the past two years, Microsoft has seen the number of password attacks rising from 579 per second to over 4000 per second.
To summarise, organisations across Irish industries are as much at risk as their global counterparts. Complacency is a mistake right now: threats are rapidly evolving and growing.
Compliance is paramount as the law takes a hard stance against security breaches. And users need more awareness, training and accountability.
This threat is going nowhere, but it’s not insurmountable.