If the CrowdStrike software glitch that crashed computers around the world in July had a silver lining it was that it forced all businesses to focus on cyber resilience.
For David McNamara, chief executive at Commsec, the speed at which CrowdStrike responded was a valuable lesson in the security that comes with opting for a well-resourced supplier. “They had the resources to deploy to fix the issue,” he says.
Supply chain risk
When assessing cybersecurity risks, the potential vulnerability arising from your third-party supply chain is often overlooked.
“Hackers often seek to identify and exploit any weaknesses relevant to the involvement of third-party vendors, whether that is the involvement of direct sourcing by companies or the use of third-party vendor software,” explains Justin Moran, head of governance and security at Three Ireland.
“More recently hackers have focused on exploiting software used industrywide, so they maximise their destructive efforts. In order to protect against such risks, it is crucial for companies to risk-assess priority business processes and systems, perform due diligence on the security posture of any third parties engaged to support those critical activities and obtain the necessary assurances that the third parties take cyber security and overall resilience seriously.”
Email fraud
Recent figures from FraudSMART, the fraud awareness initiative led by Banking & Payments Federation Ireland (BPFI), show small and medium enterprises (SMEs) lost almost €10 million through email-related fraud in 2023, including invoice-redirection and CEO impersonation scams.
Speaking at the launch of the figures, Niamh Davenport, head of financial crime at BPFI, highlighted the jump of almost 25 per cent in email-related fraud targeted at SMEs last year, with average losses of €12,000.
Invoice redirection
The majority of these cases are invoice-redirection scams. “These often start with what appears to be a legitimate email from a supplier known to the business advising of new bank details for payment, but which has been hacked or closely copied by fraudsters,” said Davenport.
In such cases the fraudsters don’t usually request any payment upfront but ask for the bank account details on file to be changed for future invoice payments, providing a new IBAN and BIC code for the “new account”.
Quishing
Phishing refers to the way hackers seek to secure your passwords by sending emails and hoping you will click on a link. Smishing has the same objective, only via text. Quishing is the latest iteration, according to David McNamara of Commsec. It’s also pretty dastardly, as embedding QR codes in emails can bypass traditional security products.
Social engineering
Employers and employees alike are keen to maximise the use of social media to promote their business. But while such platforms are valuable and necessary communication tools, employees need to be mindful of the information shared, says Moran.
“Such platforms provide valuable information for hackers to profile their potential targets as part of their reconnaissance activities,” he adds. “For example, an employee sharing attendance at a specific vendor exhibition or vendor product event can provide valuable information in respect of software which may be used by the company. Hackers use such information to help plan their attack by researching potential vulnerabilities attaching to such systems or software in use by a company.”
Whaling
Hackers often target senior executives in “whaling” attempts – cyber threats targeting an organisation’s high-profile individuals.
“It is important that companies have a clear policy on the extent of information shared on social media platforms and remain cautious on the extent of sharing, in particular where such employees may have access to critical systems and data or be in positions which involve elevated system privileges, making them a potential attractive target for hackers,” says Moran
AI-fuelled fraud
The emergence of artificial intelligence (AI) is having an impact. “While the development of AI will deliver enormous benefits for society, fraudsters will also gain from the development of AI – but unfortunately use such technologies for illegal purpose and fraudulent gains,” adds Moran.
“For example, the emergence of ‘fraud GPT’ significantly improves the ability of fraudsters to create phishing pages, create hacking tools and support the development of scams.”
Deepfakes
Deepfake videos generate AI versions of real senior executives. These have been used to successfully execute fraudulent payment schemes, even outwitting employees.
“High quality AI-generated audio, images and videos are no longer in the realms of sci-fi – this is now a very real threat,” says Moran. “It is therefore crucial that companies now raise awareness amongst their employees of the latest threats and trends.”
Weak link exploitation
In the realm of enterprise security, an overlooked issue is the “unwarranted trust within internal networks,” warns Anthony Walsh, country director of Cato Networks in Ireland.
“Despite the critical nature of secure communication, many enterprises continue to rely on unsecured protocols across their wide area networks (WAN). Alarmingly, 62 per cent of all web application traffic is transmitted over HTTP, a protocol lacking encryption.
“Equally concerning, 54 per cent of all traffic uses telnet, an outdated and unsecured method for remote communication. Furthermore, 46 per cent of traffic relies on SMBv1 or v2 protocols instead of the more secure SMBv3.”
Poor patching
“Threat actors frequently bypass the latest vulnerabilities, opting instead to exploit systems that remain unpatched,” says Walsh, an oversight which he says highlights a critical gap in enterprise security practices.
“It’s not just about guarding against the cutting-edge threats but also ensuring that known vulnerabilities are promptly addressed,” he adds. “In the battle for cybersecurity, vigilance against both the newest and the most neglected threats is paramount.”
