A cybersecurity expert believes an event similar to the HSE cyberattack, but on a larger scale, is only a matter of time and that it will take this to change attitudes towards cybersecurity.
Rob Allen, VP of operations at ThreatLocker, a cybersecurity firm based in Florida, told BreakingNews.ie: "People need guidance on cybersecurity and I think that is lacking everywhere, not just in Ireland."
He pointed to the United States, where a 'zero trust' cybersecurity policy is mandated for companies linked to the federal government.
This was introduced through Executive Order following the Colonial Pipeline attack in 2021.
It is similar to the policy advocated by most cybersecurity companies, but Mr Allen feels it should be in legislation.
He thinks the European Union will introduce laws like this, however, he warned it could take an incident even larger than the HSE cyberattack in May 2021, which the health service has still not fully recovered from.
"I do expect it to come it's just a question of what is the event... I thought it would be the HSE attack, it doesn't seem to me that it was though. It's a question of when, rather than if."
He added: "I think it is a matter of time, if something happens here or on a European scale and people will realise we can't just keep doing the same thing we have always done.
"One of the phrases we use in our presentations is from Henry Ford, 'If you always do what you've always done, you'll always get what you've always got.'
"Continuing to do the same things again to try to protect yourselves will not work, I think a new approach is needed, and zero trust is that approach."
In his IT work before joining ThreatLocker, Mr Allen pointed to an example of how the move to remote work hindered protection for companies. He also said threats to organisations have become much more common.
"We looked after a couple of hundred companies around the country. At one point we decided they needed better firewalls. A lot of customers took the advice, then Covid happened and everyone brought their computers home. The protection was gone, and they were more exposed than ever.
"Businesses are getting wiped out every day of the week. My personal experience is we would have only dealt with an incident once a month, they didn't reach the news. If you never hear about it, you're probably not going to take the threat as seriously as you should."
"The traditional approach of antivirus on your computer and a firewall on the outside of your network just isn't cutting it these days, the fact is people work from everywhere," he explained,
"If you can't be as well protected when you are outside the corporate network it is a waste of time."
There are two types of organisations; those who have been hit by a cyberattack and those who will be hit by a cyberattack.
While large-scale cyberattacks draw huge attention, Mr Allen said businesses are being targeted constantly.
"There are two types of organisations; those who have been hit by a cyberattack and those who will be hit by a cyberattack.
"It's a negative way to look at things, but that's the harsh reality... it is just a matter of how serious the attack will be.
"The problem is it only hits the news when it is a massive incident, the attack on the HSE or the Colonial pipeline in the US."
When asked if more companies come for help to prevent cyberattacks, or when they have already been targeted, Mr Allen said it is "a little bit of column A and a little bit of column B".
He explained that the landscape of hacking is ever-changing, with data exfiltration now at the core of "over 90 per cent of ransomware attacks".
"It's not 'we're going to encrypt your stuff, pay us and we'll let you have it back', because the bad guys are not stupid, they realise most people have backups and can get up and running again.
Dark web
"What a lot of organisations can't get back up and running from is having your data for sale up there on the dark web... the reputational damage, the trust that you lose if that kind of thing happens is what keeps a lot of IT people up at night.
"There have been examples recently of what is called a supply chain attack. Hackers could go after 10,000 individual organisations, and might get into a number of them, but if they can get into a software supplier to all those organisations and breach them... then they can push their malicious software out to those 10,000 organisations.
"Supply chain attacks are a major concern. Realistically every piece of software that you use is a potential vulnerability. Whether it's Office, Windows, Teams, Zoom... anything, every piece of software is a potential way into your network and software is full of holes.
"It's just a matter of if those vulnerabilities are known to bad actors and if they are being exploited at any given time. Obviously software companies try not to release software with bugs, but sometimes they do."
Many businesses opt to pay hackers when their data is stolen, but Mr Allen warned that this is never a good idea. "These people are criminals, and you can't trust them to delete your data even if you pay."
"The problem is they will say 'pay us x amount of bitcoin, and we will delete your data'. You can't trust them. If you pay them, that's just advertising the fact you will pay, they will come back in six months' time and demand more money.
"What they are now doing is publishing it on the dark web and selling it to your competitors as well. Why would they make money on the data once when they can do it multiple times?
"This concept of double-dipping is more and more prevalent in cyberattacks... so my advice is never pay."
He reiterated that businesses should adopt their own zero trust approach to cybersecurity.
"My favourite part of the definition is when they said 'assume a breach is inevitable, or has already likely occurred'.
"Basically work on the perspective that they are already in your network... how do you then limit the damage and stop them?
"My opinion is that it will come here sooner or later... it's just a question of a big enough attack or breach taking place. I think ultimately it is probably something that will come in legislation.
"There are some areas we are ahead of places like the US in terms of data protection, GDPR. There are others where we are behind, and I think this is one where we are a little behind."
He added: "Personally I expected there to be more of a reaction to the attack on the HSE... from the outside looking at that event and what happened I don't know if we learnt too much about it.
"Nothing really concrete has come out of it, no government action to say this is what organisations need to do to stop it happening again. That is kind of worrying.
"That was an event of such a scale you would have thought governments would have been saying 'we need to do something about this'.
"This is of course from the outside looking in, but I don't see that as having happened."
In researching data leaks on the dark web, Mr Allen said the two main destinations for exfiltrated data are Russia and China. He believed Russia would be the main destination, but was surprised to learn a lot more went to China.
Private information
One of the main fears following the HSE cyberattack was private medical information of patients ending up on the dark web, and Mr Allen said the amount of confidential data of different kinds on it is "terrifying".
"Threats are evolving, hackers do not stand still and neither should we. I've spent a lot of time in the last few weeks looking at ransomware operators' leaks on the dark web, they're not difficult to find but some of the information out there is terrifying. Company balance sheets, customer lists, accounts.
"Can you imagine your personal medical information for sale? When I looked a couple of weeks ago, I didn't want to go too deep, but a Portuguese airline TAP had been breached, and their information was there.
"It started off with customer names, email addresses, dates of birth. That was the tip of the iceberg, to get attention of what they had. When they didn't get paid, they dumped terrabites of data on the dark web for anyone to access. It is a terrifying prospect and if it's not, it should be."
Threatlocker launched its EMEA headquarters in Blanchardstown, Dublin earlier this year. It plans to create 120 Irish jobs, with 25 currently working at the Dublin HQ.
