Podcast Ep 135: Jacky Fox leads Accenture’s security business in Ireland. She talks about the impact of cyberattacks on a business and the correct actions business owners must take.
When I last spoke to Jacky Fox a few years ago, she described cyber as the fifth domain of warfare after air, sea, land and space. The events of the past year have seen a full-blown war break out in Europe for the first time in decades, and technology from drones to cyberattacks is par for the course.
What is also par for the course is how cyberattacks on businesses large and small have become an increasingly sophisticated enterprise, with hackers conducting surveillance on businesses and often lurking within the networks of unsuspecting firms before they hit them with a ransom demand.
“We would never advise people to pay a ransom … you often find that the criminal will come back for more”
Fox is the managing director of Accenture Security in Ireland and her focus is on helping client businesses build resilience from the inside out, allowing them to confidently focus on getting on with their purpose. A security veteran with more than 20 years’ experience in cybersecurity, prior to joining Accenture in 2019 she served as Deloitte Ireland cybersecurity leader.
No doubt the enormity of the ransomware attack on the HSE last year served as a reminder to firms of the threats posed, but also of the importance of training staff and backing up data.
The HSE attack was just the tip of the iceberg and it has emerged that such cyberattacks on organisations are actually more common than the public realises. Recent research from Typetec indicated that one-third of Irish SMEs have paid a ransom to cybercriminals in the past year alone and that on average SMEs paid hackers a ransom of close to €23,000.
Crime scene investigation
None of this is a surprise to Fox. “When we go into a business, we typically go in with one of two hats on. One is that they’ve identified something they don’t feel comfortable with and aren’t confident they have the right things in place if they are attacked. Or the other hat that is worn when people have been attacked.”
Fox places value on being prepared. “Any time you invest up front before you get attacked, it is going to pay off in multiples afterwards.”
Being prepared means identifying what’s of value to the organisation and what needs to stay operational, even when the worst happens. “It’s amazing when we go into an organisation that is in incident response mode and people are in a crisis, the levels of ingenuity that people actually have and how they’ve managed to keep their business going. But there’s a lot of things they can’t do. And if they had known beforehand how important something would be to keep them running their business they would have done things differently. And those are the things that are important for people to try and catch before they get hit.
“If you’re hit with something like a ransomware attack and you’re having difficulties accessing a customer database or if you can’t even get emergency contact details for people in the organisation to help you through, then you are really in trouble.”
I put it to Fox that one of the key lessons to emerge from the attack on the HSE was the importance of backing up mission-critical data.
“I couldn’t agree more. Do you need to have a backup of every single thing? Probably not. But you do need to identify the things that are important to your business.”
Another issue is the discipline around backing up data. Many businesses rely on experts to tell them what to do, and often the backing-up process becomes a box-ticking exercise. “What they often fail to do is look and see how broad that backup is for them. They may have gotten a new system that wasn’t included in the backup plan. Invariably when we go into an organisation that has lost data through a cyberattack we often find that they actually weren’t backing up what they thought they were.”
She recommends that businesses regularly ensure that they are also capable of doing a restore of critical information.
“But the reality is that the people who have attacked you have already been inside your systems. When people have access to your data, it’s a horrible feeling. Especially when you have to pay them to get that data back because you didn’t have a backup of it. We would never advise people to pay [a ransom]. It’s a personal position for an organisation as to whether they do or don’t. But you often find that the criminal will come back for more.”
Never mind the negative PR, disclosure is paramount
She adds that by the time an organisation has been locked out of their systems and gets a ransom note, a lot more damage may have already occurred. “They’ve often been inside your system for a while, having a look around at what intellectual property you have, what your bank accounts are like, how much money is there.”
Not only can hackers estimate how much a business will pay for the return of its data; there is an entire business ecosystem among them, from call centres for taking ransom payments to a virtual catalogue of vulnerable victims. “They have a shop window that says ‘well now, in Ireland today I have these three organisations that might suit you’. They are selling their wares to the next person in the chain. Those call centres they have created are run by psychologists and negotiators who know how to push your buttons and are trained to drag you in.”
Another issue is that most businesses that have fallen victim to ransomware attacks aren’t inclined to go public about it. “One of the reasons why I think it is a morally right thing to do to be open about it is because your third parties are also at risk. They [the hackers] have been in your system looking around, so they’ve got information about lots of other people as well. In addition, you also have regulatory obligations to actually inform regulators and go the whole way. Involving law enforcement is a good thing too, because if you are going to be doing an insurance claim it’s good to have done all of the right things.”
I point out that often the weakest link, despite the money spent on expensive security systems, is an employee who clicked the wrong link or responded to the wrong email. “Training, training, training and repeating that training is the only way to keep it fresh in people’s minds.”
Another point she makes is how to treat people if they’ve made an error like clicking the wrong link. “How you treat that person is important for their wellbeing, but also you don’t want to deter other people from actually reporting if they’ve made mistakes too.
“I’ve seen situations where someone’s clicked on something but it’s four o’clock on a Friday evening and they’ll deal with it on Monday. And on Monday the organisation is obliterated. I’ve dealt with situations where people have been so desperately upset because if they’re the person who made the mistake, they’ve got the weight of the world on their shoulders.
“So as well as the technical investigation, it’s really important that you get whatever HR or people support you can around that person as well,” Fox urged.
“It’s very rare that anyone would do this deliberately but honestly, we all could get caught. So having that level of sympathy and understanding is important on top of trying to train them in such a way that the training will kick in at the right moment before they click on that link.”