‘A cyberattack would cripple an Irish SME’

With office workers back working at home, the opportunities for hackers to hit businesses have increased substantially, warns Palo Alto Networks’ Paul Donegan.

The crippling ransomware attack on the HSE in May of this year was a high-profile incident. But of less profile is the harsh reality that many businesses in this part of the world fall prey to these attacks every week but no one talks about it. No one can accurately quantify how much money has been paid to hackers by Irish firms keen to get their data back but keep their trauma out of the press.

With the vast majority of office workers now working from home, after a brief spell for many back at the office, few businesses realise that the so-called “attack surface” for hackers has greatly expanded. Many workers use their own home broadband networks to access corporate networks. But attached to these Wi-Fi networks are personal smartphones and a countless array of other consumer electronic devices from smart projectors to smart speakers, many of dubious security.

“Many Irish IT decision-makers felt confident they were secure but when we probed deeper it was clear there is room for improvement,”

This is not to mention the countless devices that executives choose to use with their work-issue laptops and smartphones from smart watches to the Bluetooth in their cars and more.

According to a 2021 Internet of Things Global Report by Palo Alto Networks, three-quarters of respondents in Ireland (75pc) who have IoT devices connected to their organisation’s network reported an increase in non-business IoT devices connecting to corporate networks in the last year. Smart light bulbs, heart rate monitors, connected gym equipment, coffee machines, game consoles and even pet feeders are among the list of the strange devices commonly found on such networks in this year’s study.

IT-decision makers in Ireland are amongst the most confident in EMEA that they have visibility of the IoT devices connecting to their organisation’s network (86pc) overall and of remote workers’ IoT devices that connect to their network as well (62pc).

You have the street smarts – do you have the cyber smarts?

However, when probed some more that confidence begins to slip, remarks Paul Donegan, country manager for Ireland at Palo Alto Networks.

“The key here is education and it is one of the most important elements of defending against cyber-attacks. Before the Covid pandemic many businesses were already moving towards software as a service (SaaS) and a ‘data anywhere’ model and Covid no doubt accelerated that. The perimeter used to be your company network but now every business has to have a perimeter everywhere.”

Donegan has a point. Every employee equipped with a company smartphone or laptop is a node on a network. Even working on an unsecured Wi-Fi network in a coffee shop or airport is as good as handing hackers the keys to the office safe.

“It’s an ever-evolving problem and the landscape is constantly changing. Hackers are now using technologies like artificial intelligence (AI) and machine learning to attack your business. But if you don’t have the right education in place, to stop them clicking on the wrong link or WhatsApp, you risk opening the organisation to attack.”

Again, Donegan is correct. All it takes is one employee falling victim to a phishing attack or clicking on the wrong link and it is too late. The majority of people are being schooled in this daily and run the gauntlet of phishing and smishing attacks and direct calls from hackers trying to scam access to bank accounts.

A phishing attack in 2016 in the form of a spoof message to an employee of Meath County Council saw €4.3m of the Council’s money end up in a Hong Kong bank account. Fortunately, the Irish Gardai and Interpol were on the case.

“Our study indicated that many Irish IT decision-makers felt confident they were secure but when we probed deeper it was clear there is room for improvement,” Donegan said.

As well as the weakest link being human, it is the vast array of internet of things (IoT) devices festooned around homes and offices that Donegan believes we need to be more wary about.

He pointed to the example of a colleague who recently bought a Wi-Fi-connected smart projector to broadcast Halloween images onto their house. As soon as the cheap device was switched on and connected to the Wi-Fi network it started pinging unknown IP addresses in China.

“That’s just one device that was acting as some kind of homing device. There are many more of these out there. A lot of the time the devices people are buying are so cheap that the manufacturers aren’t building security into them.”

With so many workers working from homes festooned with all kinds of Wi-Fi and Bluetooth-connected devices and the “attack surface” certainly widens.

Technology has been the saviour of the business world since the pandemic began, enabling millions of workers across the globe to stay connected and stay productive. Indeed, many organisations admit their digital transformation journey has been accelerated by years.

But it now must be borne in mind that technology is also an Achilles Heel. It’s one thing battling hackers armed with sophisticated AI weaponry, it’s another when cheap IoT devices and staff lacking basic cyber smarts serve to widen the attack surface.

The only defences Donegan believes are education and smarter perimeter defences down to the file level.

“This will be hard on SMEs in particular. It is very hard for them to bounce back because the impact is greater for them. It is a key concern for the Irish economy because SMEs are the economy’s lifesblood.

“A cyber-attack could cripple an Irish SME,” Donegan warned. “We need businesses to ensure that their staff are educated.”

Palo Alto Networks Global IoT Security Report
John Kennedy
Award-winning ThinkBusiness.ie editor John Kennedy is one of Ireland's most experienced business and technology journalists.