Ransomware attacks on a daily basis
Ransomware attacks are now daily news as new malware families emerge with nearly the same frequency and enterprises increasingly become the targets. In fact, ransomware has become so pervasive the US and Canada this month issued a joint cyber alert warning about the recent surge in attacks.
Ransomware typically enters a network as a seemingly innocent email attachment. Once open, ransomware travels throughout a network and encrypts all of the files it can, notifying users of its presence only when it demands a ransom payment to decrypt the data. Despite whimsical names like Jigsaw, Locky and KeRanger, ransomware can cause real damage, as Hollywood Presbyterian Medical Center discovered in February when a ransomware attack forced them to transfer patients and return to paper-and-pencil record-taking.
Incidents like this will likely continue. The recently released Verizon Data Breach Investigations Report (DBIR) shows the “Person” line continuing to trend upward as the asset category of choice for criminals. And once the hackers are in, the prognosis is just as worrying: in our recent study with Nasdaq about the cybersecurity “accountability gap” widening in organizations worldwide, we found more than one-third of all respondents (38%) don’t consider their malware, antivirus software and patches to be 100% up-to-date at all times. When looking at the most vulnerable companies surveyed, the number jumps to a staggering 87%. The Ponemon Institute’s 2016 State of Endpoint Report revealed 56% of companies surveyed are not ready to fend off ransomware attacks.
Start with behavior change
Technology alone will not solve every cybersecurity issue. The best cybersecurity approaches strengthen the interface between technology, information and people. Most security issues are caused by 1) a basic hygiene issue that could have easily been identified and corrected with the proper network visibility and tools, and 2) simple human error. Therefore, protecting a network from the impact of ransomware — and all malware — comes down two very basic principles: ensuring anti-malware software and patches are up-to-date and changing employee behavior toward safer technology practices.
Traditionally, employees have understood cybersecurity as belonging solely to “the tech guys.” Yet, behind most of an organization’s endpoints are employees, and educating staff that cybersecurity is everyone’s responsibility within an organization, no matter where they sit, is the first step toward behavior change. Only 3% of targeted individuals alerted the management of phishing attempts in 2015, according to the DBIR. All employees in a company should understand their roles as a gateway for threats, both external and internal and how to recognize them. In the Tanium-Nasdaq study, only 17% of the most vulnerable respondents said they understood the risks to company systems that can come from employees. When compared to the least vulnerable companies surveyed — where 100% understood the risks — it’s clear that an educated workforce lends itself to a more resilient network.
“Culture of responsibility”
To achieve this “Culture of Responsibility,” a credible tone from the top is important, as is the adoption of that culture throughout the management layers, augmented by employee training. Executives should ensure appropriate budgets and resources are allocated to cybersecurity awareness training for all employees. Also, they should consider doing a baseline audit of their employees’ activities and the resulting risk. An audit isn’t just about understanding the risk to your IT assets; it’s also about understanding your workforce, the products they us and their daily routines to identify where risky behavior might live.
Personalizing and even gamifying security, is a great way to ensure everyone in an organization is involved in cybersecurity. Some companies create a risk profile or risk score for all employees. Just as individuals use wearable technology to receive actionable insights about sleep, exercise and eating, IT security teams can provide employees with their risk score in a way that helps them understand where they are succeeding and where they are lacking. You can also share trends and motivate people to get a higher score.
The least vulnerable respondents in our study were eight times more likely than the most vulnerable to have identified the sources of their highest vulnerabilities and empowered employees on cybersecurity. When thinking about your security posture and investments in light of new threats, consider the direct correlation between building a culture of responsibility and reducing your vulnerability to cyberattacks. Your network depends on it.