Put yourself in the shoes of any organisation which experienced a ransomware attack. Ransomware takes a victim's critical IT systems 'hostage', denying access to the rightful owners and demanding payment to unlock them. In most cases, organisations are forced to go back to pen and paper to try and manage their operations, often for longer than anticipated. The potential for disruption from an incident like this is enormous. A 2023 report from IBM found that 50% of small businesses impacted by a ransomware attack were unprofitable within a month. A large part of this is related to the extended downtime experienced by the business and the cost of managing the recovery project.
If a similar incident happened in your business, what would happen...
...if a sales team couldn't access customer information?
...if the accounts department were locked out of their financial systems, unable to issue invoices or pay suppliers?
...if the stock room could not fulfil orders, and customer emails went unanswered?
These are the kinds of questions that senior management and boards now need to grapple with. Business disruption carries a cost, and cybercrime can land a double hit on a company's finances by also defrauding victims. More than one in five firms has been impacted by a scam called invoice fraud, where criminals email companies posing as existing suppliers and convince victims that the payment details have changed. That's according to a survey of over 200 firms by LHK Group, a Leinster-based general insurance and financial planning broker. The latest Garda Síochána annual report also shows that this kind of economic crime is increasing.
So now let's ask some more targeted questions: who's in charge of cybersecurity in your business? That's up to you, but giving someone the responsibility for thinking about it and reporting on it is vital.
What are your most critical systems? They're the ones that will need protection the most.
What's your risk appetite? Could your business tolerate being without IT for one hour, one day, or only minutes?
Where should you target investment? Are you protecting your most important information first?
Do you know where that information is (and it might not be in just one place)?
Few of the questions I've listed above call for any in-depth cybersecurity knowledge. What is required is awareness of the problem and a willingness to tackle it. The fact is, cybersecurity expertise is increasingly hard to source. But you don't have to wade into the market to attract or retain specialist skills. Working with a trusted technology partner will often give access to round-the-clock monitoring of your most essential systems, watching for signs of suspicious activity.
It's incumbent on owners, board members and senior managers to understand cyber risk. They don't have to become experts, as I've shown above, but the time when they could afford to ignore it has passed.