All Services

From back-end infrastructure to personal productivity, Ergo has the knowledge and experience to match technology to all our client requirements. Our strength is understanding your business. The end goal is always the same, to make businesses more agile and competitive.

More About Our Services
Managed Services

Focus on your core business and leave ICT operations and management to the experts. From 24/7 service desk support to managing hybrid clouds, Ergo have the depth and experience to meet the most demanding service level requirements and ensure continuous improvement. 

More About Managed Services

Highlighted Services

Managed People

Competition for talented technology professionals is huge, which is why we make hiring more personal, taking time to match the right people to the right roles. Our technical experience and recruiting know-how help find the perfect fit for both parties.  

More About Managed People

Highlighted Services

Consultancy Services

Speed of change demands a new generation of digital investments that will drive business enablement and profitability. We support IT leaders, wherever they are on their digital transformation journeys, with our digital assessment methodology. 

More About Consultancy Services

Highlighted Services

Print and Document Solutions

Our goal is to deliver the best possible print and document service for you, leveraging the latest technologies and innovation to ensure the performance of your print environment is optimised to maximise employee productivity.  We take out costs, add efficiencies, wrap it in end-to-end security and make print integral to digital transformation. 

More About Print and Document Solutions

Highlighted Services

Cloud

Agility is key to business success and the cloud is where to get it. We offer a wide range of cloud services – public, private, hybrid – and provide the best of both worlds by integrating or migrating legacy systems to streamline the way your IT is consumed. 

More About Cloud

Highlighted Services

Digital Enablement

Ergo provides a clear roadmap for digital transformation with practical steps to make businesses more agile and customer-centric

More About Digital Enablement

Highlighted Services

Mobility and Collaboration

Ergo has provided many of Ireland’s largest organisations with an ecosystem of mobile applications and collaboration services that drive productivity without compromising on security

More About Mobility and Collaboration

Highlighted Services

Software Licensing

Businesses struggle to manage software assets and don’t always get the best value. We can help streamline your software purchasing, simplify deployments and maximise your investments. 

More About Software Licensing

Highlighted Services

Security, Risk and Compliance

Risks around cyber security and data protection are an ever-increasing challenge for businesses. We provide security lifecycle management, from perimeter testing and threat analysis to mitigating the impact of a breach. 

More About Security, Risk and Compliance

Highlighted Services

Microsoft Technology Specialisations

With the largest team of Microsoft IT professionals in Ireland – including two Most Valuable Professionals our expertise spans a comprehensive portfolio of products/services

More About Microsoft Technology Specialisations

Type your query and press the "Search now" button

The Human Firewall

The Human Firewall

The Human Firewall
Return to News

The Human Firewall

The first step in fighting off cyber criminals successfully is to know your enemy, writes Róisín Kiberd

Cyber criminals only need to get lucky once. Make sure your people are making it hard for them.In 2016, cyber crime is an ever-changing thing, with agile attackers employing increasingly creative, exhaustive methods to find their prey. ‘Spear phishing’ rather than regular phishing, ransomware, exploit kits and ‘crimeware’ sold on the deep web have all played their part in fuelling a global cybersecurity market worth $75 billion.

For victims of these attacks, the consequences go beyond financial loss – a single hack can destroy your reputation, or have a ripple effect and compromise every company you interact with. Those who are least prepared suffer the worst consequences: weeks can go by without noticing the fraud, and by the time it’s discovered the money has been moved from account to account and rendered untraceable.

For Michael Conway, director of Renaissance, IT security distributors and business continuity experts, the first step is knowing your enemy. “We get asked ‘how do I stay one step ahead of the bad guys?’, and the answer is you don’t. You can’t stay one step ahead of them. If you’re doing really well you’ll be one step behind them . . .” It’s important to note that everyone is at risk: you’ll have read headlines about incidents like 2015’s Talk Talk hack (cost: an estimated £35 million), a DDoS attack on the National Lottery and another on Irish government websites in January of this year, but more and more SMEs find themselves targeted and opt to pay off their attackers and stay silent rather than reporting them.

Derek Mizak, solutions consultant with IT provider Ergo, described the compromise many businesses find themselves in: “a state-sponsored DDoS attack requires significant resources, but ransomware requires very little, and can target even the smallest businesses. And by paying the ransom, these businesses are feeding cybercrime. We always tell our clients not to pay, but they don’t always have the means to recover. Which leads to the question, what can they do as prevention, instead?”

The Human Firewall
Derek Mizak, Solutions Consultant, Ergo

“A lot of incidents aren’t big sexy data breaches,” said Pat Larkin, chief executive of Ward Solutions, which provides information security services and consultancy “It’s the relatively small incidents which happen all the time. “There’s a 91 per cent increase in targeted, custom attacks levelled at specific organisations, individuals or verticals. They target the chief executive or chief financial officer, the person with the most rights in the organisation. It’s a move from phishing attacks to ‘whale phishing’ attacks. The return is more substantial."

Engineering these attacks takes time and information, all too readily available in the age of social media. The attackers compile a profile on their target, including their email address, their role in the organisation, and their relationship to coworkers and other outside businesses. They then spoof the email address of an associate, often claiming to be the chief executive, and asking for an immediate financial transfer to be carried out in the next ten minutes.

“It all looks very credible,” Larkin said. “You’re not transferring funds to Australia or something. The spelling mistakes, the clumsy representation of company logo, that’s all gone.” Another tactic is to imitate or hack a supplier doing business with a larger company, the end target, and to send an email claiming to have changed bank accounts. They’ll also often attach what appears to be an invoice, but is instead loaded up with a Trojan virus.

Jonathan Boyle, security specialist at Data Solutions, explained how your company might be part of a larger plot: “If you were trying to get into a big enterprise, you might think the best way in would be through a smaller HR firm that they deal with. To hack into the HR firm infects the files and contacts they have, and then the real target can be compromised through a hack on the smaller business”.

Ransomware also poses a threat, with security professionals reporting a reporting a rise in the number of incidences. Conway explained how the typical attack works: “It’s nastier and more horrible. You innocently click on something, a PDF or letter or email, and instantly get infected. Typically it’s a zero day attack, which normal antivirus software won’t be able to find. Then suddenly you get a message saying ‘Good news, your data is very well encrypted. Bad news, unless you send us money your data will be left encrypted and unavailable to you.’” Often this ransom, which for smaller business averages €1,000, will double if it isn’t paid within twenty-four hours.

A yet more nefarious outcome is when the criminals start sorting through your data, selling off email addresses and bank information, or leaking personal details as per the Ashley Madison hacks. Prevention serves far better than a cure: back up your systems as frequently as possible, and limit employee access to your most sensitive data.

Dr Vivienne Mee, founder of VM Forensics, sees ‘social engineering’ attacks (aka attacks reliant on human error) all too often. “Humans, at the end of the day, are your weakest link. They’re the ones with the passwords. Threats are generated differently every time, and they’re getting cleverer. You can have the best tech measures in place, but if the user still opens that attachment or clicks the wrong link, it doesn’t make any difference.” Mee stressed the importance of encryption and setting up firewalls, but acknowledged that such measures are only the start. “User awareness training is key. We do a roadshow with security training seminars, giving people challenges. We might even do a couple of attacks on a corporation ourselves before we go in. We find it more practical to show people how they fell for something already,” she said.

Mee also noted how after these seminars clients are less afraid to ask questions, or doubt the veracity of email requests. “We always say there’s no such thing as a stupid question. Better to ask now than get hauled in after work hours and asked if you’re the reason the whole network is down.” And once you’ve done all you can to educate and strengthen your ‘human firewall’?

It’s time to bring in the professionals. As Mizak puts it, “It’s like your health. Prevention is better than cure, but if you do get sick don’t go on internet trying to find a way to cure yourself. Go to a GP instead.”

Hadi Hosn, EMEA managing principal for Security and Risk Consulting at Dell Secureworks, pointed out that an outside security expert might well work longer with you than your own employees: “Retaining skilled security staff is difficult even for large organisations, so employing a Managed Security Services Provider (MSSP) will help to alleviate some of this pressure.” Cover the basics – don’t store passwords in browsers, avoid suspicious free wifi and stay on top of updates to both your web browser and your operating system – then invest in security software. Hosn recommended a password manager (be sure to choose a complex master password and change it every six months), ananti-malware product with ‘heuristic protections’ enabled and an email with two-factor authentication.

Freeware is a hazard for businesses – you end up paying for it with adware or even malware which can sneak in and slow your system down. Boyle recommended sandbox applications which can isolate and investigate threats before granting them access to your computer and its network. “Checkpoint’s Sand-Blast and Threat Emulation are good. If there’s code (in an email attachment) operating in the background, it’ll open it and warn you if it’s not regular. Technology like that is good, and doesn’t necessarily interfere with your business workflow.” He also listed mobile device management as key, not least when employees use the same device at work as during their off-time: “There’s software out there that can contain the business part of your phone. It gives you a separate email, separate apps, and you can still keep part of the phone for personal use. Then if the phone is lost, or stolen, you can remotely wipe files and documents from it.”

If educating your people is the first step, and investing in good technology is the second, then the third step is staying up to date. Conway reported an inevitable apathy among clients dealing with constant system update notifications: “People complain and tell me they did a Windows update recently. But Window’s is not your main concern anymore. It’s Adobe. It’s Java. It’s Flash.” Hackers find their way in through programmes, rather than the main system, which often isn’t even up to date on security in the first place. “If you have an IT technology solution in place, and it’s stayed the same without evolving or developing in the years since you bought it, then you’re probably wasting your money.”

Outdated software gives businesses little more than a false sense of security: it’s as good as a disconnected house alarm. Boyle agreed: “If a hacker gets in, and they will, you want to limit your exposure. A machine could be compromised for months without anyone noticing, so you need to install software that can spot irregularities straight away and lock down the system. “A firewall that just identifies that there was an attack some time ago, without explaining if the threat is still active or how far it got, is not enough. You need instant and actionable intelligence that can say ‘This is happening right now, and we can stop it right now.’” 

Conway recommended clients look for software with a ‘heartbeat monitor’, which can track and report malicious threats instantly and address them. “They can tell you when a computer is trying to connect with a malicious site. That’s how it completes the cycle of ransomware.” Products from names like Sophos and Heimdal offer a chance to evaluate what’s happening and clean up the infection in real time, as well as auto-updating with minimal inconvenience to their users. “If you don’t patch your systems, you’re leaving your doors open. Ask some ‘do you want to patch this product now and restart your machine?’ and no one is going to want to do it, but we’ve seen a massive uptake in the last year in silent updating solutions, which minimise risk and make updating easy.”

Finally, the last step for complete cybersecurity, or as ‘complete’ as it can possibly be, is to propagate information throughout every part of your company, from the highest ranked employees to the most junior. As Mizak put it: “Security is not a ‘technical issue’. Security should be discussed at board meetings. It comes down to training, staff screening, a proper HR department . . . there’s no one magic silver bullet
here.”

Hosn said: “Better education of end users is critical - they are, after all, at the front line of security. Endpoints including laptops, smartphones and tablets are fertile ground for security attacks, creating numerous access points and vulnerabilities.” 

Similarly, Boyle cited simple errors in endpoint security as the main threat: “The biggest threat to businesses in general are their users. It’s bad passwords, failure to change passwords or bad password choice, or not using two factor identification. The users are always going to be the variable that can compromise.”

The universal advice is to stay sceptical, and to educate as much as possible. It’s as much about communication as compliance: security measures are essential at every level of a business, and for businesses of
every size. Mee cited a client who has worked out a good way to stay on top of threats: “I work with an organisation where we do security bulletins every month where we send around samples of new threats and remind employees that they can call the help desk if they’re uncertain. It’s about keeping in with the native security forums, seeing what’s trending, and relaying that knowledge back to the organisation, from the top down to the end user. Knowledge is key, at the end of the day.”

Click here to learn more about Ergo's IT Security Solutions.

News and Blog Posts

Power BI: 6 Steps to building reports that really work
Kate Cunningham
17 May 2018 • Posted By Kate Cunningham

Power BI: 6 Steps to building reports that really work

In an era of Big Data, analytical strategic decision making is becoming pivotal for success. Managers at every level are...

Read now
Transforming to Cloud CRM: 4 things you need to know
Phil Ryan
03 May 2018 • Posted By Phil Ryan CRM Solutions Manager

Transforming to Cloud CRM: 4 things you need to know

It's all about the priorities The chances are that your existing CRM was procured over five years ago, at...

Read now
Managed Print and Document Services: Navigating a Sea of Data
News 10 May 2018

Managed Print and Document Services: Navigating a Sea of Data

Read Now
CRM: Don’t just jump on the bandwagon
News 14 March 2018

CRM: Don’t just jump on the bandwagon

Read Now
Business Analytics and Big Data: How to Read the Future
News 14 March 2018

Business Analytics and Big Data: How to Read the Future

Read Now

Subscribe to Our Blog

Scroll to Top