Enterprise Ireland
27th February 2007

Cybercrime: are you prepared for an attack?
These days businesses across Ireland are so dependent on information and communications technology (ICT) that to do without it - even for one day - could do serious damage to a going concern.

Continued advancements in internet technologies have been a boon to business, particularly smaller firms, but the growing popularity of eCommerce and using online applications for business processes has focused the minds of criminals too, and Irish companies are not immune to their attentions.

A new study carried out by the Centre for Cybercrime Investigation, along with the Information Systems Security Association (ISSA) and University College Dublin's School of Computer Science and Informatics, found over half of all Irish companies that experienced some form of cybercrime ended up reporting losses of more than EUR25,000 as a direct result.

The survey, which included input from academics, industry and An Garda Siochana computer experts, noted that although companies were aware of the presence of threats from hackers and malicious programs like computer viruses, a disturbing 68 percent of respondents said incidents are predominantly discovered only by accident and -- more worryingly -- usually after the damage is already done.

Company policy

Report co-author Owen O'Connor of the ISSA has set out some guidelines for Irish SMEs in the wake of the publication of the report in February. He says the most important thing to do is to sit down and work out straightforward IT policies for all staff; make a few simple preparations in case of an external cyber attack - or a statistically more likely case of internal misuse - and don't rush into spending huge sums on expensive security systems.

"The most common types of these IT problems experienced by Irish firms are non-criminal and relate to misuse of information or systems information is stored on," says O'Connor. Staff running their own business on their employer's network or illegitimate access to private customer or client information are surprisingly common issues that can often become major technical and legal headaches.

"Preparation can be as simple as ringing the local Gardai to find out who would deal with these kinds of complaints if they arise," says O'Connor. "Having specific mention of IT rules as an important strand of HR policy, and continual training for all staff, are simple, common sense precautions that help to prevent internal problems escalating."

For external IT attacks, such as email viruses or a hacked website, staff training is also vital. "It's no good if all the staff know there's a problem but managers who can direct resources to fix it don't know about it," says O'Connor. He recommends apprising all employees of what the proper procedures are for reporting suspected cybercrime, whether it's inappropriate emails or a full-blown assault on the firm's information infrastructure.

In this respect it's worth noting that nearly 40 percent of organisations surveyed by the ISSA said they had terminated the employment of staff members due to incidents of cybercrime.

Purchasing products

With regard to eSecurity products, the advice is still to consider the human element. "There's no point in an SME blowing EUR50,000 on the best firewall security product if all staff can still get access to sensitive data such as payroll," warns O'Connor, who advises researching the relevance of available security products.

The prevailing wisdom is that so-called "best of breed" products are rarely necessary for SMEs, and it's worthwhile checking the level of partnership basic security packages have with established business software houses such as Microsoft, Novell and SAP. The majority of small firms in Ireland use a Microsoft system so O'Connor advises checking the level of accreditation Microsoft gives to a product. The higher the rating - for example, gold or platinum - the more likely the security software will be regularly updated.

"Suppliers of software to SMEs really need to step up to the mark and advise on the security aspects of their payroll or business support software," says O'Connor. He advises purchasers to always investigate the security aspects of any new IT purchase, and ask how it will integrate into the firm's existing security procedures.

Access all areas?

The other important feature to look out for is defining and restricting access to information. O'Connor's example is that the front office receptionist rarely needs access to back office systems, and vice versa. "Being prepared for something going wrong in the future is a trade-off between what's really necessary and what is supportable," he says.

To this end the advice for SMEs is to acquaint themselves with IT experts who can advise on security matters. This is best done before, rather than after, a firm is exposed to an incident of cybercrime. The ISSA study shows that 50 percent of companies end up engaging expensive outside consultants after their system has been hacked, or an issue arises with unacceptable employee usage of company IT equipment.

"There's no silver bullet for this problem and as long as businesses use IT there will be problems with it," concludes O'Connor. "Being prepared is ultimately the best defence."

The ISSA report on cybercrime (PDF format) can be downloaded here.

In the next issue of eBusiness Live, we'll take a look at what steps to take if your company does fall victim to a cyber attack.
