Podcast Ep 85: Bank of Ireland head of Tech, Media and Telecoms Paul Swift says that with cybersecurity, every business and individual needs to be vigilant.
The ransomware attack on the HSE in May of this year was unprecedented in the history of the Irish State. Already beleaguered by more than a year of fighting Covid-19, the attack crippled almost every aspect of the Irish health system, disrupting appointments and ultimately endangering lives.
Ransomware attacks – whereby criminals use a form of malware to gain entry to a system, download data and then encrypt it and refuse to release it unless a ransom is paid – are a fact of business life in 2021.
“Cybersecurity is an ongoing incremental investment”
Another fact of life in 2021, whether you are a business or just a private individual – is that we are all on the frontline of cybersecurity attacks. Our mobile phones, our personal and work computers and even the smart speakers in our homes are under constant attack. If there’s a vulnerability, hackers somewhere have already exploited it.
In recent weeks Bank of Ireland research revealed that over 68pc of those surveyed are worried about being targeted by online fraudsters.
There has also been an increase in people receiving a fraudulent emails, texts or calls. The percentage getting these dodgy messages has risen from 55pc last year to 61pc this year.
“We need to adopt the ‘zero trust’ principle – that is never trust, always verify when it comes to online activity and protecting personal and financial information,” said Mary Aiken, a leading international cyber psychologist.
Zero trust and a high level of vigilance
Speaking with ThinkBusiness.ie Paul Swift, head of Technology, Media and Telecoms at Bank of Ireland said: “We’re all on the front line really. You will need to have a certain scepticism built into your DNA.”
Swift said that ransomware attacks like those on the HSE are more prevalent than most people realise, and it is likely businesses could be keeping such incidents and the fact that they paid up under wraps for fear of negative publicity.
In April both the National College of Ireland and Technology University Dublin were forced to take their systems offline when their systems came under attack. Fortunately, there was no evidence that data had been stolen in the attack.
But in general, says Swift, few attacks on organisations are publicised. “There have been other incidents that haven’t come to light because businesses can’t go public about it.”
The key message here, says Swift, is these attacks can happen to any individual or any organisation. “You really need to have that high level of vigilance.”
He said security needs to be baked into company culture. “The business has to really buy into it and almost adopt a philosophy around it. It’s about taking a proactive approach to cybersecurity and ensure that staff are very careful around emails, and that they aren’t downloading software from unapproved sources.”
A phishing attack in 2016 in the form of a spoof message to an employee of Meath County Council saw €4.3m of the Council’s money end up in a Hong Kong bank account. Fortunately, the Irish Gardai and Interpol were on the case.
The irony is that despite the most sophisticated firewalls and software, all it takes is one person to click on a link in an email and the entire system could be compromised.
The answer, Swift recommends, is education and constant reinforcement of the message around vigilance. “Cybersecurity is an ongoing incremental investment.”
He said that companies need to be proactive and look at ways to ensure staff are motivated to protect their systems.
“Businesses for years have had fire marshals and more recently they have had data protection officers in response to legislation around GDPR.
“I think now more and more it is important to potentially nominate a cybersecurity officer in organsations, a person that is the first line of defence and who is responsible for setting the protocols and training.”
Across the tech world there is a major skills shortage and a war for talent is under way. One of the most acute areas of skills shortages is in data security.
I put it to Swift that Ireland needs to think outside the box when it comes to cybersecurity. With the average graduate taking three to four years to pass through the university system, should we be looking at apprenticeships?
“I think the apprenticeship approach is very interesting. By the time graduates emerge from university sometimes their training isn’t as up to date. But what the Collison brothers have done with the University of Limerick [to design an Immersive Software Engineering programme that will redefine computer science education] it is essentially an apprenticeship type model that combines training with experience.
“There are arguments that cybersecurity should be taught even in secondary school. There is value to teaching kids at a younger age but at least to be alert to the dangers.
“I think it would be great to begin with [cybersecurity] micro-credentials whereby people can gain the basics and when they go to work in various firms they can be the advocate or cybersecurity champion.”
Crucially, Swift points out that every individual and organisation needs to be vigilant. “We are all on our phones. We are hyper-connected. We are all now nodes on a network. There is endless potential for us all to get caught out.
“The key message is really that everybody needs to stay alert.”