What is it about the month of May and cybersecurity? Three major reports happened to land this month, and that’s before we get to some other milestones from recent years. Cyber Ireland and Cyber Skills’ report promises an in-depth analysis of Ireland’s cybersecurity sector, with its opportunities and challenges. Next is Hiscox Insurance’s sixth annual Cyber Readiness Report, which catalogues common threats and risks to businesses in Ireland. Last is the Eurobarometer study of cybercrime’s impact on small and medium businesses across the EU, with a section dedicated to Ireland.
Before we cover those reports in more detail below, I couldn’t help but be struck by the timing. I was speaking at a conference last week and I mentioned that May 2017 was when the WannaCry ransomware emerged. And we only had to cast our minds back a year to a major ransomware incident involving Colonial Pipeline. That attack was the largest of its kind against critical infrastructure in the United States. Also in May 2021, the Conti ransomware crippled the Health Service Executive in Ireland. (We blogged about the extremely thorough and transparent post-incident review it published late last year.)
Some of those ransomware incidents drove greater awareness among people outside the technology realm about the business and societal risks associated with poor cybersecurity. For years, I’ve argued this needed to happen; to shift away from seeing cybersecurity purely as an IT problem.
Good news and bad news
Now that it’s happening, it’s both good news and bad news. The good news is: businesses and governments are taking the subject more seriously than before. The bad news is: this is leading to challenges such as having enough skilled people to respond to the threats. Which leads me on to Cyber Ireland’s State of the Cyber Security Sector in Ireland, and a key challenge it highlights. Even as 83 per cent of companies in the sector expect to grow by 25 per cent or more over the next 12 months, 61 per cent have issues with recruiting staff. In fact, RTE’s coverage of the report led with this angle.
To address the skills gap and promote sustainable growth, the report makes recommendations for government, industry and academia. The first of these is developing a talent pipeline. This isn’t a new trend: for some time, the sector has faced a skills shortage. Part of this problem is a question of definition: the industry felt it necessary to employ people with security-specific skills. If cybersecurity is no longer just an IT issue, then it makes sense to move beyond only recruiting technical people.
As an industry, we must be more inventive and imaginative in where we look for people to enter the field. Cybersecurity offers a very interesting, varied and rewarding career. There are many qualities that are suitable for cybersecurity roles, such as risk management, communications, and awareness. Instead of focusing only on hiring technical skills – which can be learned on the job – we need to attract people from a diverse range of backgrounds who can bring invaluable insights to the roles and strengthen our ability to improve security in the organisations we work for or represent.
Let’s start by challenging some obvious stereotypes like gender representation. I’m proud to say BH Consulting’s team is 55 per cent female and 45 per cent male.
We’re a part of the successful and growing cybersecurity industry that the Cyber Ireland report documents. Between multinationals located here and the many very talented domestic providers, it’s encouraging to see the report talking up the industry’s growth potential. Right now, there are 7,351 cybersecurity professionals employed in Ireland, in 489 firms offering products or services to the market or employing staff in internal cybersecurity operations. Based on current estimates, the report suggests the ecosystem could employ more than 17,000 people by 2030. Business Plus went for this more upbeat take on the findings.
The cybersecurity industry’s growth opportunity
If you’re a glass half full person, you might argue that challenge is another way to say opportunity. Clearly, as the report shows, Ireland’s cybersecurity sector is well placed to continue thriving and contributing to the Irish economy.
In our experience, many organisations work with external providers like us to manage their security needs if they don’t have a senior security executive in the business. For example, chief information security officer (CISO) as a service provides an experienced senior professional who can help them understand and manage their security risks.
The report also includes some aspirational goals about positioning Ireland as a leader in cybersecurity. Historically, countries that have led the cybersecurity field have tended to be ones with extensive military R&D activity, such as the US, the UK, or Israel, where cybersecurity has often been a by-product.
I don’t see their position being eroded, but it’s equally true to say Ireland can develop a distinct and unique offering. As a neutral state, Ireland has built a positive reputation through its work with the United Nations peacekeeping forces and tackling terrorism domestically. We also have a highly educated, active technology sector, as the Cyber Ireland report details.
Tracking the threat
That expertise will be needed in years to come. As the latest Hiscox report found, 48 per cent of companies across eight countries reported a cyber attack in the past 12 months. And the number is increasing, up from 43 per cent in the previous year. Seven out of the eight countries surveyed rank a cyber attack as the number one threat to their business.
Turning to the Irish-specific findings, the report breaks out some arresting numbers. The frequency of attacks in Ireland rose by 26 per cent in the past year. And, back to ransomware once more, Irish businesses report paying ransoms more frequently.
The single largest ransom paid in Ireland last year was €42,693 (for the record, I know of other cases where criminals demanded a higher ransom, but the victims refused to pay). The average cost of an incident was €15,300 – up by almost one third. (Ireland also happened to be the outlier that didn’t rank a cyber attack as the biggest threat to business.)
Meanwhile, Eurobarometer’s survey found that 28 per cent of SMEs in Europe suffered an incident during 2021. It’s worth noting it focuses on SMEs, which could help to explain the difference between some of its findings and Hiscox’s numbers. What we can say for sure is that the same broad trend is common to both. Cybersecurity incidents are a rising threat that carries greater risk than ever to normal business operations.
The importance of cybersecurity awareness
That’s why I welcome the call in the Cyber Ireland report for the Government to become active in awareness raising. The more it can do to promote cybersecurity’s importance among businesses and individuals, the safer we will all be.
And as a final May-related footnote, last week the European Parliament and EU Member States reached agreement on the NIS 2 Directive. This new directive aims to strengthen the cybersecurity requirements for companies in those critical sectors and broadens the net to cover medium and large entities that are critical for the economy and society. In a month that can often bring bad news, this is a welcome case of good timing.
Brian Honan is founder and CEO of BH Consulting.