Chair of Cybersecurity in Munster Technological University, Dr. Donna O'Shea, and Head of School of Informatics & Cybersecurity at TU Dublin, Dr. Anthony Keane contributed to this article in the Independent.ie

In recent years, cyber security has emerged as a key issue for businesses in Ireland and across the world.

Small enterprises are exposed to the same digital threats as larger businesses, but may lack the resources to defend themselves. It has been estimated that almost half of SMEs that suffer a serious cyber attack can go out of business within months.

Enhanced cyber security is a matter of great societal importance, because SMEs operating in myriad industries such as retail, health care and construction are the backbone of the Irish economy. They constitute 99pc of all businesses and account for more than half of EU Gross Domestic Product (GDP). SMEs play a vital role in adding value to all sector of the economy, but they may lack essential skills on how to protect their businesses, which are often heavily dependent on digital systems that are vulnerable to cyber-attacks.

The urgency of addressing this skills gap was highlighted by the COVID-19 pandemic, which forced many businesses online, exposing them to a higher risk of cyber attacks with little support available. Irish businesses operating online often possess a low cyber security awareness, have inadequate knowledge of GDPR requirements in the protection of critical and sensitive information, and have a low level of Information and Communications Technology (ICT) skills to protect their business. They can also experience significant budgetary constraints that lead them to view cyber security as a relatively significant cost, rather than an important investment in their business resilience.

In addition, many SMEs have direct and indirect business relationships with larger organisations. For this reason, cyber criminals often focus on SMEs as a gateway into the larger organisations, knowing that these smaller businesses’ cyber awareness and defensive structures are typically less robust than those of the criminals’ larger targets.

Recently, the National Cyber Security Centre (NCSC) and the Garda National Crime Bureau have written to the Small Firms Association to warn business owners of the ongoing series of ransomware attacks. They have observed a growing trend of small and medium sized enterprises being targeted by cybercrime groups with ransomware malicious software that is designed to block access to a computer system.

Another common cyber crime tactic is threatening to leak sensitive stolen data until a sum of money is paid. The NCSC said it has noticed a change in tactics whereby hackers are now turning their attention away from big business and Government departments, towards smaller businesses.

Providing businesses with cyber skills

Professor Donna O’Shea is Chair of Cybersecurity in Munster Technological University and currently leads a Higher Education Authority (HEA) Human Capital Initiative (HCI) project called CYBER-SKILLS: a nationally funded project in collaboration with University of Limerick, Technological University (TU) Dublin, and Commonwealth Cyber Initiative, Virginia Tech U.S. This ground-breaking initiative aims to address the cybersecurity skills challenge in Irish SMEs.

Prof. O’Shea says, “Growing up, my family owned an electrical retail store, so I really understood the challenges that small businesses face, their limitations in terms of time and how cost can sometimes be a barrier. When designing the course Certificate in Cybersecurity for Business for CYBER-SKILLS, we really wanted a pathway to be open to everyone and we wanted to reduce the barriers to participating in the course, by reducing the cost, making it flexible in delivery, focusing on applied skills and providing the essential necessary knowledge and skills to protect small businesses everywhere against cyber attacks.”

Irish professionals and businesses have expressed a growing interest in cybersecurity courses and careers, as borne out by the recently published Cyber Ireland and Cyber Skills cybersecurity sectoral analysis report. This report highlighted the importance of the industry sector to the Irish economy, with approximately 7,300 cybersecurity professionals working across 489 firms in Ireland.

One of the main challenges for SMEs is that cybersecurity courses in Ireland are usually geared towards individual learners who wish to upskill and become cybersecurity professionals, rather than business owners who need to apply the relevant knowledge and skills to protect their own businesses against cyber attacks. The Certificate in Cybersecurity for Business was specifically designed for this purpose.

Business owners and employees of SMEs from across the country are eligible to apply and participate in this course, irrespective of their background or experience. The only requirement is that they own a small or medium sized enterprise, like a retail or hairdressing business that uses digital technology – such as one or more computers – has a website, and takes credit card payments.

Dr. Anthony Keane, Head of School of Informatics & Cybersecurity at TU Dublin, is a Project Partner with CYBER-SKILLS. He says, “Analysis of cyber-attacks against SMEs have shown that ransomware and malware spear-phishing attacks are impacting on the ability of SMEs to operate their businesses. The disruption costs of a cyber-attack or data breach can be too high for an SME to absorb and thus have serious consequences on the ability of the SME to survive. It is a case of prevention is better than the cure, and this is a great challenge for SME businesses.”

“The TU Dublin based Collaboratory has recently completed an extensive survey of SMEs in the region and the cybersecurity issues identified were included in the design of the Certificate in Cybersecurity for Businesses, so that the course content directly addressed SME requirements to reduce their risk from cyber attacks.”

Key upskilling needs met in three modules

SMEs regularly process critical financial and personal information like credit card information, bank details, or personal identity data, but often lack adequate protection of this information. Examples of such protective measures include patching of software, running regular backups and encrypting data in storage and transfer. In addition, SMEs do not tend to have a high level of skill in managing cybersecurity risk effectively as part of their overall business strategy.

The team behind the Certificate in Cybersecurity for Business wanted to design a pathway for SMEs that specifically addressed these risks through three core modules:

• Cybersecurity Awareness: Looks at key threats such as email, personal and physical security, the challenges related to malicious software, social engineering, security when travelling and how to report a cyber incident.
• Cybersecurity for Business: Identifies the main threats and risks a business has, and simple effective measures that are used to mitigate against them. The module also includes outcomes related to password management, improving cybersecurity culture through cybersecurity awareness programmes, developing a business continuity plan in the event of an attack and concerns related to storing data in the cloud. This module also covers the cyber security insurance market and mitigating the risk.
• Practical Cybersecurity: Provides learners with the necessary knowledge, skills and abilities to secure their data, application, hosts, network, web and the cloud. It also covers physical security and emerging topics such as the Internet of Things (IoT).

Learners can enrol on the pathway Certificate in Cybersecurity for Business and take the three modules, or they can enrol on any of the individual modules and obtain a micro credential/digital badge.

All pathways and modules are delivered exclusively online, with lectures being delivered virtually and recorded to facilitate the hectic lifestyle and busy working schedules that SMEs owners face. The pathway and modules are fully university accredited by the leading cybersecurity education providers in Ireland, namely MTU, TU Dublin and UL. Learners of the pathway will be awarded a joint award from these academic institutions.

Learners will also have access to a state-of-the-art cybersecurity virtualisation infrastructure, called a Cyber Range. This cyber-range is a key differentiator from any other cybersecurity skills provider nationally, providing a safe, secure, sandboxed environment for learners to practice the skills needed to secure their business.

Prof. O’Shea explains, “A key objective was to provide cybersecurity education for SMEs, given that the skills shortage is particularly critical for indigenous SMEs as they cannot compete with MNCs (multi-national corporations) for talent. We also wanted to facilitate SMEs in upskilling employees to safeguard their digital property in the face of post-Brexit uncertainty which is presenting opportunities for cyber criminals.”

Dr. Keane says, "At the very least, business owners and their staff will be more aware of the risks that cyber-attacks can have on their business operations. Being able to prepare for the contingency of a cyber-attack will help improve the resilience of the business and its ability to recover quickly from an attack by reducing the initial impact and any lasting damage to the business. SMEs will only be resilience when they are properly resourced in terms of knowledge and skills."