Lack of Security Awareness Playing a Key Role in Ransomware Attacks

The CyberEdge Group released its fourth annual Cyberthreat Defense Report earlier this month, and it should come as no surprise that ransomware was a central topic of the study. It should also come as no surprise that the news isn’t very good.

Of the 1,100 IT security professionals (spanning 15 countries and 19 industries) who participated in the study, 61% said their organization fell victim to a ransomware attack in 2016. Of these, 33% paid the ransom; 54% refused to pay but were able to recover their data anyway; and 13% refused to pay and lost their data.

Though there is a fair amount of variation in both the publicly reported ransom payment rates and the rise in volume of these types of attacks, there is no disputing that ransomware is a force to be reckoned with. And with many ransomware attacks originating via email, end users make up a significant portion of the attack surface. (IBM X-Force Research found that around 40% of spam in 2016 contained ransomware, though some organizations have estimated the figure to be wildly higher.) Unfortunately, lack of security awareness training and ransomware awareness overall is putting organizations at greater risk.

Now Is the Time to Advance Your Employees’ Knowledge About Ransomware

One of the key findings of the Cybertheft Defense Report was that “low security awareness among employees” was the biggest inhibitor to network security — and this has been the top response among study participants for four years in a row.

The CyberEdge Group is not the only organization to highlight the problems associated with undereducated end users and a lack of security awareness. The IBM X-Force Research report, Ransomware: How Consumers and Businesses Value Their Data, indicated that only 31% of U.S. consumers have heard of ransomware. Our survey of 2,000 U.S. and UK end users for our 2017 State of the Phish™ Report yielded similar results, with only 36% of respondents correctly identifying what ransomware is (at 38%, the UK participants fared slightly better than the U.S.’s 34%).

It’s highly unlikely that security postures will improve without advancing end-user knowledge. And employees can’t do it on their own.   

Visit our Ransomware Awareness Resource Center and start raising your end users' ransomware IQ.

Steve Piper, CEO of CyberEdge Group, shared his thoughts on this, saying, “If the definition of insanity is doing the same thing repeatedly and expecting a different result, then perhaps, as an industry, we’re going insane. Each year, we invest more in security, yet frequency and severity of data breaches rise. But why? I believe I can offer two partial explanations, inspired by this year’s Cyberthreat Defense Report.

“First, for the fourth-consecutive year, respondents indicate that ‘low security awareness among employees’ is the greatest inhibitor. OK, then invest more in training! And second, we consistently hear that most data breaches stem from exploiting old vulnerabilities. OK, then get patching! Investing in best-of-breed security defenses is always prudent, but to stop the bleeding, we’ve got to invest more in our human firewalls and reducing our network attack surfaces.”

Prepare Your Employees and Protect Your Data

We mentioned above that there’s a fairly wide swath of numbers included in reported rates of ransomware attacks and subsequent ransom payments. Looking beyond the CyberEdge study:

• Of the infosec professionals who participated in our State of the Phish Report survey, 34% reported being victimized by ransomware attacks and, of those, only 2% paid the ransom.
• In the Malwarebytes/Osterman Research report, Understanding the Depth of the Global Ransomware Problem, 39% of organizations said they had faced a ransomware attack in the preceding 12 months. On average, 37% of those who were infected paid the ransom, but the rates varied significantly by country (for example, only 3% of U.S. organizations said they paid while a whopping 75% of Canadian companies succumbed to ransom demands).
• The aforementioned IBM X-Force Research study found that, on average, 55% of medium and large companies have dealt with ransomware. But the real surprise is that among all businesses that have experienced a ransomware attack, 70% said they paid to get their data back.

Clearly, with this wide variation in figures, it’s difficult to pinpoint rates with accuracy. Much of that is likely due to the fact that measurement of ransomware attacks has only begun in earnest over the past couple of years (and many organizations are reluctant to discuss — or even admit to — a successful attack). But even with measurement in its infancy, law enforcement officials and infosec experts repeatedly caution against paying ransoms; first, payment is no guarantee of a return of data, and second, rewarding extortionists only increases the behavior.

Preparedness is key to coming through a ransomware attack as unscathed as possible. I’m reminded of the five P’s, one of my old coach’s favorite mantras: prior planning prevents poor performance.

The frank reality is that nothing will eliminate all successful ransomware attacks. But overlooking the human element will leave you at greater risk. In addition to keeping software systems up to date and patching known vulnerabilities, here are a few key ways to increase ransomware awareness among employees and make things more difficult for the bad guys:

• Back up and isolate your most important data. Ransomware can extend past a single machine to compromise networked servers and cloud backups. It may sound like a technological step backward, but “cold storage” of mission-critical information can offer a failsafe in the face of an extreme attack.
• Assess your end users’ propensity to fall for a ransomware attack without exposing your network. Our ThreatSim simulated phishing attacks allow you to mimic scams seen in the wild — and measure the likelihood of your organization being exposed to dangerous (and crippling) malware strains.
• Teach your users how to recognize, report, and respond to threats. You cannot expect occasional emails, videos, and newsletter articles to translate into actionable behavior change. You need to provide interactive training to your end users so they know what to do and how to do it.
• Think beyond the phish. Email hygiene is certainly necessary to a stronger security posture, but phishing messages are not the only threat vector that can hurt you. Your organization and your end users can benefit from cybersecurity education that explains mobile device security and best practices, the hidden dangers of open-access WiFi, safer social media behaviors, and the benefits of stronger passwords (to name a few).

We’ve said it before, but it bears repeating: Hope is not a strategy. End users will continue to be part of the problem when there is a lack of security awareness, unless you empower them to be part of the solution.