Steve Piper, CEO of CyberEdge Group, shared his thoughts on this, saying, “If the definition of insanity is doing the same thing repeatedly and expecting a different result, then perhaps, as an industry, we’re going insane. Each year, we invest more in security, yet the frequency and severity of data breaches rise. But why? I believe I can offer two partial explanations, inspired by this year’s Cyberthreat Defense Report.
“First, for the fourth consecutive year, respondents indicate that ‘low security awareness among employees’ is the greatest inhibitor. OK, then invest more in training! And second, we consistently hear that most data breaches stem from exploiting old vulnerabilities. OK, then get patching! Investing in best-of-breed security defenses is always prudent, but to stop the bleeding, we’ve got to invest more in our human firewalls and in reducing our network attack surfaces.”
Prepare Your Employees and Protect Your Data
We mentioned above that reported rates of ransomware attacks, and of the ransom payments that follow them, vary widely from study to study. Looking beyond the CyberEdge study:
- Of the infosec professionals who participated in our State of the Phish Report survey, 34% reported being victimized by ransomware attacks and, of those, only 2% paid the ransom.
- In the Malwarebytes/Osterman Research report, Understanding the Depth of the Global Ransomware Problem, 39% of organizations said they had faced a ransomware attack in the preceding 12 months. On average, 37% of those who were infected paid the ransom, but the rates varied significantly by country (for example, only 3% of U.S. organizations said they paid while a whopping 75% of Canadian companies succumbed to ransom demands).
- The aforementioned IBM X-Force Research study found that, on average, 55% of medium and large companies have dealt with ransomware. But the real surprise is that among all businesses that have experienced a ransomware attack, 70% said they paid to get their data back.
Clearly, with this wide variation in figures, it’s difficult to pinpoint rates with accuracy. Much of that is likely because measurement of ransomware attacks has only begun in earnest over the past couple of years (and many organizations are reluctant to discuss, or even admit to, a successful attack). But even with measurement in its infancy, law enforcement officials and infosec experts repeatedly caution against paying ransoms: first, payment is no guarantee that your data will be returned, and second, rewarding extortionists only encourages more of the same behavior.
Preparedness is key to coming through a ransomware attack as unscathed as possible. I’m reminded of the five P’s, one of my old coach’s favorite mantras: prior planning prevents poor performance.
The frank reality is that nothing will eliminate every successful ransomware attack. But overlooking the human element will leave you at greater risk. In addition to keeping software systems up to date and patching known vulnerabilities, here are a few key ways to increase ransomware awareness among employees and make things more difficult for the bad guys:
- Back up and isolate your most important data. Ransomware encrypts whatever the infected user or machine can write to, so it can extend past a single endpoint to mapped network shares, networked servers, and cloud backups that sync automatically. It may sound like a technological step backward, but “cold storage” of mission-critical information, a copy that is offline or otherwise not writable from the production network, can offer a failsafe in the face of an extreme attack. Test that you can actually restore from it; a backup you have never restored is an assumption, not a safeguard.
- Assess your end users’ propensity to fall for a ransomware attack without exposing your network. Our ThreatSim simulated phishing attacks allow you to mimic scams seen in the wild — and measure the likelihood of your organization being exposed to dangerous (and crippling) malware strains.
- Teach your users how to recognize, report, and respond to threats. You cannot expect occasional emails, videos, and newsletter articles to translate into actionable behavior change. You need to provide interactive training to your end users so they know what to do and how to do it.
- Think beyond the phish. Email hygiene is certainly necessary to a stronger security posture, but phishing messages are not the only threat vector that can hurt you. Your organization and your end users can benefit from cybersecurity education that explains mobile device security and best practices, the hidden dangers of open-access WiFi, safer social media behaviors, and the benefits of stronger passwords (to name a few).
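To make the backup point above concrete, here is an added example (not code from the original post or from any vendor product) of the check a practitioner would want around an isolated copy: a SHA-256 manifest written at backup time, a verifier that reports anything modified, renamed, missing or added, and a constructed stand-in for an encryptor that scrambles the live directory. The directory names, sample files and the XOR “encryptor” are all constructed for the demonstration. The read-only permission bits are only a weak stand-in for true isolation (they do nothing against a root-level attacker); the real control is that the cold copy is not writable from the network the ransomware runs on.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (POSIX-style relative path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def snapshot(src: Path, dest: Path) -> dict:
    """Copy src into dest/data, record a manifest next to it, and mark the copy read-only."""
    shutil.copytree(src, dest / "data")
    manifest = build_manifest(dest / "data")
    (dest / "manifest.json").write_text(json.dumps(manifest, indent=2, sort_keys=True))
    for p in (dest / "data").rglob("*"):
        if p.is_file():
            p.chmod(0o444)  # illustrative only; not a substitute for offline storage
    return manifest


def verify(root: Path, manifest: dict) -> list:
    """Return the relative paths that no longer match the manifest.

    Covers the four things an encryptor does to a tree: modifies content,
    renames (e.g. appends .locked), deletes originals, and drops new files.
    """
    current = build_manifest(root)
    bad = [rel for rel, digest in manifest.items() if current.get(rel) != digest]
    bad += [rel for rel in current if rel not in manifest]
    return sorted(bad)


def simulate_ransomware(root: Path, key: int = 0x5A) -> None:
    """Constructed stand-in for an encryptor: XOR each file in place and append .locked.

    A real sample would use a proper cipher; XOR is enough to change every hash.
    """
    for p in list(root.rglob("*")):
        if p.is_file():
            p.write_bytes(bytes(b ^ key for b in p.read_bytes()))
            p.rename(p.with_name(p.name + ".locked"))


def demo() -> dict:
    """Snapshot a constructed live tree, 'encrypt' the live copy, and verify both copies."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        live = tmp / "live"
        (live / "contracts").mkdir(parents=True)
        (live / "payroll.csv").write_text("id,name,salary\n1,Alice,100\n")  # constructed data
        (live / "contracts" / "acme.txt").write_text("signed 2017")        # constructed data

        cold = tmp / "cold"
        manifest = snapshot(live, cold)

        before = verify(live, manifest)           # live copy still clean
        simulate_ransomware(live)
        after = verify(live, manifest)            # every original gone, every .locked new
        stored = json.loads((cold / "manifest.json").read_text())
        cold_ok = verify(cold / "data", stored)   # isolated copy untouched

        for p in (cold / "data").rglob("*"):      # restore perms so cleanup works everywhere
            if p.is_file():
                p.chmod(0o644)
        return {"before": before, "after": after, "cold": cold_ok}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run as a script it prints three lists: an empty one for the live copy before the attack, four entries for the live copy afterwards (two originals missing, two `.locked` files added), and an empty one for the cold copy, which is the evidence you want before you start a restore.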
We’ve said it before, but it bears repeating: Hope is not a strategy. End users will continue to be part of the problem when there is a lack of security awareness, unless you empower them to be part of the solution.