InfoSec Insider

Managing the Human Security Factor in the Age of Ransomware

Convincing employees to take security seriously takes more than awareness campaigns.

Security analysts have determined that cybercrime cost the global economy $1.5 trillion in 2018. Ransomware, in particular, is estimated to grow by as much as 350 percent over the next year. And while the ransom for a generic ransomware attack has now risen to nearly $13,000, with recent targeted ransomware attacks demanding as much as $50,000 (which, according to the FBI, you shouldn’t pay) – the real cost is in downtime and recovery. The total cost of a successful ransomware attack ranges from $713,000 for smaller companies to millions for large organizations and municipalities. That’s because nearly three out of four companies infected with ransomware suffer two days or more without access to their files, with 30 percent going five days or longer.

This is in spite of the fortunes being spent on sophisticated security tools designed to detect and prevent cyberattacks. There are a lot of reasons for this. Misconfigured devices are a serious culprit, as are overly complicated security systems plagued by vendor and solution sprawl that can actually reduce visibility and control. But of all of the cybersecurity issues that organizations need to address, the biggest threat vector may be one you least suspect.

The Problem Might Be Your Employees

Over 90 percent of all successful network compromises, especially ransomware infections, start with a simple phishing email: someone opens a malicious file or clicks on a link sent to them by someone they don’t know. Of course, it’s not entirely their fault. Studies have found that as many as 94 percent of employees – and 96 percent of executives – can’t tell the difference between real and phishing emails. This is especially difficult in targeted ransomware attacks, where emails may be specially crafted to fool specific targets within an organization, an attack known as spearphishing, or whale phishing if the target is a board member or someone in the C-suite.

Just as alarming, nearly two-thirds of organizations have a large number of employees who have literally never changed their password. And according to a 2018 User Risk Report, two-thirds of users who do not use a password manager tool admit to reusing their passwords across online accounts.

The Cybersecurity Paradox

The obvious answer to these problems is to increase employee awareness and cybersecurity training. However, one of the most interesting paradoxes in cybersecurity today is that most of your employees are already aware of cybersecurity issues and best practices. For example, the vast majority know that passwords need to be complex and should be changed often, that they shouldn’t click on attachments in emails (especially from people they don’t know), that important data should be encrypted, and that they need to update their devices and software. The issue is, they just don’t do any of these things.

The reasons are complicated. Part of the problem is that we have spent years training people to behave this way. For example, rather than being given a simplified system for managing secure access to all of their online accounts, users are required to keep track of those passwords on their own. As a result, they use their pet’s name, their kid’s nickname or the year they graduated as their password. We have also encouraged them to shop and bank online, which has created a false sense of security: when online merchants send out email fliers, they depend on prospective customers to open their advertisements, click on coupons and then shop in their online stores. What we have actually done is make it harder for users to avoid being compromised.

The other part of the reason, though, is that people don’t take ownership of corporate security. In one recent survey, nearly half of employees indicated that they believe that, while important, cyber- and data security are someone else’s responsibility. The assumption is that if something arrives on their computer, it should have already been vetted and therefore can automatically be trusted.

Where to Start

Addressing this challenge requires two things.

First, you need to enlist employees to be part of the security team. This starts by explaining, in real terms, how a security event affects them personally. When a ransomware attack shuts down some or all of a network, the result is more than just the hassle of having to use pencil and paper for a few days to keep track of things. It also costs money, sometimes millions, and that can affect bonuses, raises and even jobs.

They also need to understand that security is never 100 percent effective. In spite of the security team’s best efforts, phishing emails and malware can get through. And to close that gap, they need to view themselves as critical members of the corporate security team with the job to protect everyone.

This starts with simple engagement from the top down. Your CISO needs to be a regular member of board meetings, and should meet consistently with various leaders to enlist their full commitment to promoting and modeling good security behavior. At the same time, members of the security team should also periodically join the staff meetings of teams across the company to provide updates on the security issues the company faces and how employees can help protect corporate resources.

For example, your front-office staff is more than just assistants and receptionists. They are your front line of defense. They need to understand that successful spearphishing campaigns that can cost millions of dollars often start with social engineering and information gathering, which means they need to be circumspect about what information they share with people. By meeting regularly with someone from the security team to discuss issues and review strategies, they will feel engaged and responsible.

Second, you also need to reset some very basic behaviors. It is human nature to simply say nothing, even when something bad is clearly happening, which is why less than 5 percent of employees will speak up or report suspicious behaviors, such as unknown individuals tailgating through a secure door. One way to address this is to put a reward system in place that recognizes individuals who do the right thing.

Many organizations, for example, run internal phishing campaigns to identify individuals who click on potentially malicious links. But rather than just directing individuals who fail these tests to some sort of remediation training, there should also be a system in place that recognizes those people who see and report a suspicious email back to the security team. This same carrot-and-stick strategy, with an emphasis on the carrot, can be used for other behaviors you want to change.

Changing Your Risk Profile

By properly enlisting employees into your security efforts, you can significantly reduce your exposure to critical security events such as phishing attacks and ransomware. This requires getting the security team out of their usual comfort zone of analyzing threat intelligence and having them become corporate cheerleaders and motivators: developing programs that engage users (such as gamification), providing tools such as password vaults that make their security responsibilities easier, and implementing training and reward systems that motivate users to willingly change their behaviors.

Derek Manky is chief of security insights and global threat alliances at Fortinet.
