Every business is a target for cyber criminals, sometimes the smaller the better as they may be less well defended. The costs are enormous and not just in terms of direct losses.
“We are always flagging the need to invest in cyber security but unfortunately business owners’ attention to the risk of cybercrime tends to go down their list of priorities until they are affected by cyber threats,” says David Broderick, director of the Small Firms Association.
“That’s an issue for two reasons. The first is the scam itself. But the other risk is of being locked out of a supply chain if you are not on top of your cybersecurity.”
With so many small businesses part of the supply chain of larger companies, they need to take action or risk losing out.
“Cybersecurity is obviously a top priority for larger companies so they are looking down their supply chain to see if there are any weaknesses,” he says.
Professional services firm Deloitte is seeing what it says is an alarming increase in the volume of cyber attacks in Ireland, with attackers continuously trying new and ever more unscrupulous ways to fraudulently obtain access to the data or funds of family enterprises.
“As cyber criminals continue to evolve their tactics, Irish family businesses find themselves increasingly vulnerable to a range of cyber threats. They are often perceived by attackers as less well-defended, well-funded and therefore become prime targets for malicious activities,” explains Colm McDonnell, Deloitte technology and transformation partner.
The Deloitte 2024 Family Office Cybersecurity Report found 43 per cent of family offices globally had experienced a cyberattack over the previous 12-24 months, with 25 per cent experiencing three or more attacks.
The most common forms of attacks were phishing, malware and social engineering.
Phishing remains a prevalent threat for all family enterprise organisations, he says, with cyber criminals employing deceptive emails, phone calls, or text messages to extract sensitive information such as usernames, passwords, and credit card details.
Malware including viruses, worms, and trojans, can infiltrate systems through infected email attachments, downloads, or compromised websites. A common example is ransomware, which holds victims’ IT systems hostage until monetary demands are met.
“Social engineering is perhaps one of the cruellest approaches taken by cyber attackers,” says McDonnell.
It involves targeting an individual and persuading them to take an unsafe action, such as transferring funds or releasing sensitive information.
“The most common forms of social engineering involve gaining a victim’s trust and manipulating him or her into believing that the cyber criminal is someone they are not. Family enterprises are particularly vulnerable as the attackers can seek to penetrate the business safeguards by emotional exploitation involving family members,” he says.
Requests for funds to be sent to a child from an unknown number due to a lost, stolen or broken phone are increasingly common
Attackers often try to clone a user’s SIM card, allowing them to send texts and make calls from what looks like the legitimate number.
A scam can come via third parties too, such as a supplier, contractor or business partner with access to an organisation’s system or files. It can also be an insider threat, generally carried out by a disgruntled employee.
“Despite the high prevalence of cyber attacks, many family enterprises do not have a cyber incident response plan in place or an agreed upon consensus about whether a ransom would be paid,” says McDonnell.
In the meantime even simple steps can help enormously, including the use of strong passwords, multifactor authentication, and regular software updates.
Staff cybersecurity training measures can be very effective in fending off attacks, while cybersecurity maturity assessments help you to review your overall readiness to prevent, detect, contain, and respond to cyber threats.
Implementing a disaster recovery plan, obtaining cybersecurity insurance and adopting know-your-vendor protocols all help too.
“Overall a clear and robust cybersecurity strategy should be a high priority for all family enterprises in Ireland. Obtaining an independent review of your organisation’s internal cybersecurity controls is a very valuable task to undertake,” says McDonnell.
This should be refreshed every few years, he adds. “The bad actors are always inventing new ways to attack.”
