Northern Ireland Assembly has issued warnings to staff following cyber-attacks on its IT system, according to reports by the Belfast Telegraph.
The publication revealed that attacks from an external source have attempted to access staff email accounts using numerous passwords.
According to an email sent to staff and seen by the newspaper, IT staff are working closely with Microsoft and the National Cyber Security Centre to address the issue.
A spokesman for the Assembly told the publication that “the Assembly Commission's IT system has been subjected to unauthorised attempts to access email accounts. We are taking all necessary steps to manage and mitigate this and are working with the appropriate authorities, both locally and nationally.”
"The Assembly takes the security of its IT systems very seriously and strives continually to ensure that all systems are secure. The Commission does not wish to comment any further at this stage."
Tony Pepper, CEO of Egress, told SC Media UK that the attack against the Northern Ireland Assembly comes less than a year after a very similar attack on the Houses of Parliament.
“Both attacks have targeted email systems, trying to take advantage staffs' weak passwords to gain access to sensitive information contained in mailboxes. Cyber-criminals come back to this type of attack time and time again because human error is always the greatest area of weakness when it comes to cyber-security,” he said.
"In this attack, and countless others, hackers were banking on poor security practices to help them through the door, such as weak or re-used passwords, and urging staff to update their credentials is simply not enough.”
He added that organisations need to put technologies and procedures in place to reduce the impact of human error. “Should hackers find a weakness, organisations need to be confident that they can't access the sensitive information that is shared via, and therefore stored in, email systems,” said Pepper.
Bill Evans, senior director at One Identity, told SC Media UK that it sounds like the IT team was doing the appropriate thing.
“They were inspecting the systems and alerting users to the attack. But again, an ounce of prevention is worth a pound of cure. End user education may have limited some of the risk. One of the first things users need to learn is the use of strong passwords and the risks of weak passwords. Asking users to change from weak to strong passwords after an attack is like locking the barn door after the horses have been stolen,” he said.
“For example, encryption that secures email content at rest is one way to protect critical assets should the worst happen and a hacker gain access. Good security should work with staff, accepting their behaviour will be unpredictable and helping them to be productive while making sure they are not letting cyber-criminals access sensitive content, and in this case potentially putting the public at risk,” he added.
He advised organisations looking to prevent such an attack to enact the four basic security measures: multi-factor authentication, management of privileged accounts, govern access to “ensure only the right people have access to the right things at the right time and educate those users!”
