Ransomware is now the biggest threat to UK businesses, according to the National Cyber Security Centre (NCSC). Throughout the pandemic, breaches have soared as threat actors targeted distracted home workers and insecure devices and networks. For many smaller businesses, a serious ransomware attack could represent an existential threat. In this context, security operations (SecOps) teams have plenty to keep them busy. But while monitoring for ever-changing tactics, techniques and procedures (TTPs), they must also remember the one constant in many attacks: human error.
That means knitting continuous security awareness training programs into the fabric of the corporate cybersecurity strategy. The stakes are too high to overlook insider risk.
Why Ransomware Hurts
NCSC boss Lindy Cameron was spot on in her threat assessment of ransomware. Attacks soared by an astonishing 485% year-on-year in 2020, according to one report. Like Colonial Pipeline and JBS in the US, big-name victims attract most of the media coverage — the former leading to unprecedented fuel supply shortages up and down the US East Coast earlier this year. But the truth is that SMBs still comprise the majority of victims. According to one report, in Q1 2021, organizations with up to 100 employees accounted for nearly two-fifths (37%) of targeted companies. Add organizations with 100–1000 employees, and you have 73% of corporate victims during the period.
Why is ransomware so difficult to stop? Well, as we’ve seen in the recent attack on IT software provider Kaseya, attacks can come out of the blue, even via your MSP. The Ransomware-as-a-Service (RaaS) model, which now accounts for most attacks, has lowered the barrier to entry for budding ransomware groups. Much of the hard work is already done for them, including the resource-intensive job of developing the original malware.
Ransom costs can vary greatly and are often calculated based on official corporate revenue figures, although it is strongly recommended not to pay. It will only perpetuate the problem and may not result in either a working decryption key or deletion of stolen data. However, there are many other costs to consider: from lost productivity and sales to IT overtime, forensics and clean-up, and potentially long-term customer churn. For smaller organizations, a serious outage could be enough to force permanent closure.
The Human Factor
If payment isn’t an option, what are the alternatives? Number one has to be prevention, followed by rapid detection and response. Looking at the former, we have to consider human error: a near-omnipresent factor behind the modern cyber risk.
The top three attack vectors for ransomware groups are software vulnerabilities, RDP hijacking and phishing. Humans play a part in all three. They write the buggy code exploited by attackers and fail to protect RDP endpoints with solid credentials and/or multi-factor authentication. But perhaps the most widespread example of human error is phishing and social engineering. According to one study from May 2021, 85% of breaches over the previous 12 months featured a human element, and phishing increased 11% year on year.
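The RDP vector above is also one of the easier ones for a SecOps team to spot, because password guessing against an exposed RDP endpoint leaves a dense trail of failed logon events before any success. The following is an added example, not code from the original article: it runs simple burst detection over constructed records modelled on Windows Security Event ID 4625 (failed logon) and 4624 (successful logon) with LogonType 10 (RemoteInteractive, i.e. RDP). The event values, IP addresses, account names and the alert threshold are all made up for the example.

```python
"""Detect RDP password-guessing bursts in Windows Security event records."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (made-up values, not real telemetry), shaped like
# the fields a SIEM would extract from Event ID 4625 / 4624 with LogonType 10.
SAMPLE_EVENTS = [
    # One external source hammers three accounts, then gets in as "backup".
    {"time": "2021-07-01T02:00:01", "event_id": 4625, "logon_type": 10, "user": "administrator", "src_ip": "203.0.113.45"},
    {"time": "2021-07-01T02:00:20", "event_id": 4625, "logon_type": 10, "user": "administrator", "src_ip": "203.0.113.45"},
    {"time": "2021-07-01T02:00:45", "event_id": 4625, "logon_type": 10, "user": "admin", "src_ip": "203.0.113.45"},
    {"time": "2021-07-01T02:01:10", "event_id": 4625, "logon_type": 10, "user": "admin", "src_ip": "203.0.113.45"},
    {"time": "2021-07-01T02:01:40", "event_id": 4625, "logon_type": 10, "user": "backup", "src_ip": "203.0.113.45"},
    {"time": "2021-07-01T02:02:15", "event_id": 4625, "logon_type": 10, "user": "backup", "src_ip": "203.0.113.45"},
    {"time": "2021-07-01T02:03:30", "event_id": 4624, "logon_type": 10, "user": "backup", "src_ip": "203.0.113.45"},
    # A home worker mistypes a password twice, then logs in: benign noise.
    {"time": "2021-07-01T08:15:00", "event_id": 4625, "logon_type": 10, "user": "jsmith", "src_ip": "198.51.100.7"},
    {"time": "2021-07-01T08:15:30", "event_id": 4625, "logon_type": 10, "user": "jsmith", "src_ip": "198.51.100.7"},
    {"time": "2021-07-01T08:16:00", "event_id": 4624, "logon_type": 10, "user": "jsmith", "src_ip": "198.51.100.7"},
    # A single internal failure.
    {"time": "2021-07-01T09:00:00", "event_id": 4625, "logon_type": 10, "user": "apatel", "src_ip": "10.0.0.12"},
]

RDP_LOGON_TYPE = 10  # RemoteInteractive


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Return {src_ip: summary} for sources whose densest run of failed RDP
    logons within `window` reaches `threshold`. The summary also records
    whether the same source later logged on successfully over RDP, which is
    the case worth escalating first."""
    failures = defaultdict(list)   # src_ip -> [(time, user), ...]
    successes = defaultdict(list)  # src_ip -> [time, ...]
    for e in events:
        if e["logon_type"] != RDP_LOGON_TYPE:
            continue
        ts = datetime.fromisoformat(e["time"])
        if e["event_id"] == 4625:
            failures[e["src_ip"]].append((ts, e["user"]))
        elif e["event_id"] == 4624:
            successes[e["src_ip"]].append(ts)

    alerts = {}
    for ip, attempts in failures.items():
        attempts.sort()
        # Sliding window: find the largest number of failures within `window`.
        best, start = 0, 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            best = max(best, end - start + 1)
        if best < threshold:
            continue
        last_failure = attempts[-1][0]
        alerts[ip] = {
            "failed_attempts": best,
            "targeted_accounts": sorted({user for _, user in attempts}),
            "success_after_burst": any(t > last_failure for t in successes[ip]),
        }
    return alerts


if __name__ == "__main__":
    for ip, summary in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(ip, summary)
```

The threshold and window are tuning knobs; the output that matters is the `success_after_burst` flag, since a logon following a guessing burst indicates a credential that needs resetting and an endpoint that should not have been reachable without MFA in the first place.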
What to Do Next
So how do you mitigate human-shaped cyber-risk? It must start with regular training sessions designed to simulate real-world phishing attacks and test employees’ responses. All staff—from the CEO down to temps and contractors—must be included. And sessions should be kept to frequent, short bursts of 10 minutes or so for maximum impact.
Outside expertise can be most useful in crafting a program that will truly inspire company-wide cultural change. Data is crucial here: you should be able to study the results of sessions to tweak awareness and training programs and help specific users if necessary. Third-party providers can also advise on what types of simulation to use based on the attacks they often see in the threat landscape. And they can run red team exercises designed to test how resilient staff are to phishing lures when faced with ‘attacks’ outside the classroom.
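To make the "study the results" step concrete, here is an added example (not code or data from the original article, and not any provider's tooling) that summarises the outcomes of simulated phishing campaigns: click and report rates per campaign, failure rates per department, and the users who have fallen for more than one lure and so need individual follow-up. The campaign names, users, departments and outcomes are constructed for the example.

```python
"""Summarise simulated-phishing results to steer awareness training."""
from collections import defaultdict

# Constructed results from three simulated campaigns (made-up rows).
# Each row: (campaign, user, department, outcome), where outcome is one of
#   "ignored"   - did nothing
#   "reported"  - used the report-phish button (the behaviour we want)
#   "clicked"   - followed the link
#   "submitted" - entered credentials on the lure page
SAMPLE_RESULTS = [
    ("2021-Q1 invoice", "alice", "Finance", "reported"),
    ("2021-Q1 invoice", "bob", "Finance", "clicked"),
    ("2021-Q1 invoice", "carol", "Sales", "submitted"),
    ("2021-Q1 invoice", "dave", "Sales", "ignored"),
    ("2021-Q1 invoice", "erin", "IT", "reported"),
    ("2021-Q2 password-reset", "alice", "Finance", "reported"),
    ("2021-Q2 password-reset", "bob", "Finance", "clicked"),
    ("2021-Q2 password-reset", "carol", "Sales", "reported"),
    ("2021-Q2 password-reset", "dave", "Sales", "clicked"),
    ("2021-Q2 password-reset", "erin", "IT", "ignored"),
    ("2021-Q3 parcel-delivery", "alice", "Finance", "reported"),
    ("2021-Q3 parcel-delivery", "bob", "Finance", "submitted"),
    ("2021-Q3 parcel-delivery", "carol", "Sales", "reported"),
    ("2021-Q3 parcel-delivery", "dave", "Sales", "ignored"),
    ("2021-Q3 parcel-delivery", "erin", "IT", "reported"),
]

FAIL_OUTCOMES = {"clicked", "submitted"}


def campaign_rates(results):
    """Per campaign: fraction who clicked or submitted, and fraction who reported."""
    totals = defaultdict(lambda: {"n": 0, "fail": 0, "reported": 0})
    for campaign, _, _, outcome in results:
        t = totals[campaign]
        t["n"] += 1
        t["fail"] += outcome in FAIL_OUTCOMES
        t["reported"] += outcome == "reported"
    return {
        c: {"fail_rate": round(t["fail"] / t["n"], 2),
            "report_rate": round(t["reported"] / t["n"], 2)}
        for c, t in totals.items()
    }


def department_fail_rates(results):
    """Fraction of all simulated lures per department that were clicked or submitted."""
    seen = defaultdict(int)
    failed = defaultdict(int)
    for _, _, dept, outcome in results:
        seen[dept] += 1
        failed[dept] += outcome in FAIL_OUTCOMES
    return {d: round(failed[d] / seen[d], 2) for d in seen}


def repeat_clickers(results, min_failures=2):
    """Users who failed at least `min_failures` campaigns: candidates for one-to-one coaching
    rather than another round of the generic module."""
    fails = defaultdict(int)
    for _, user, _, outcome in results:
        if outcome in FAIL_OUTCOMES:
            fails[user] += 1
    return sorted(u for u, n in fails.items() if n >= min_failures)


if __name__ == "__main__":
    for campaign, rates in campaign_rates(SAMPLE_RESULTS).items():
        print(f"{campaign}: fail {rates['fail_rate']:.0%}, reported {rates['report_rate']:.0%}")
    print("By department:", department_fail_rates(SAMPLE_RESULTS))
    print("Repeat clickers:", repeat_clickers(SAMPLE_RESULTS))
```

The report rate is tracked alongside the click rate deliberately: a falling click rate with a flat report rate means people are ignoring lures, not recognising them, and a real attack only needs one recipient to act.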
Organizations should also build on these training sessions and exercises by improving cyber awareness at board level. That means regularly communicating security strategy to the leadership team and updating it on any new vulnerabilities or threats that could represent serious business risk. SecOps and NetOps teams have a crucial role to play here, as these are the individuals on the cyber front line.
Training on its own won’t be enough. You still need proactive SecOps, extended detection and response (XDR), prompt patching, and regular risk and vulnerability assessments, among other things. But it’s a great start. Humans are arguably easier to hack than networks. So this is usually where the bad guys start their attacks and where you should focus your defensive efforts.