How easy would it be for criminals to exploit your organisation using ransomware: what's ahead in 2017?
27 January 2017
If 2016 saw a number of seismic changes on the political front, the cyber security arena has continued to evolve, albeit at a slightly slower pace.
Last year I suggested that 2015 was the tipping point whereby most people could articulate the impacts of poor cyber security – such as a breach of personal data or direct financial loss – even if the concept of ‘cyber’ remained difficult to define. So what were the key highlights of 2016?
Data breaches continued to hit the headlines, including the largest breach seen to date. In the UK, the Information Commissioner’s Office is taking increasingly punitive action against companies it considers lax, and issued their largest fine, £400,000, to date.
Yet it could have been worse financially. In May last year, the European Union finally sanctioned the General Data Protection Regulation (GDPR) to come into effect from 24 May 2018, which will harmonise data protection and privacy legislation across the EU into a single law. GDPR not only introduces mandatory breach reporting and imposes a deadline for that reporting to the national regulator, the ability for the EU to fine up to 4% of global turnover has got the attention of every data protection officer. Quite what it means for individual companies and institutions and what changes are required will come clearer in 2017 as organisations move from understanding and the planning phase, into real activity.
If that was a prediction, then my second prediction concerns the growing threat of ransomware. As a business disrupter, ransomware seems to be spreading exponentially as criminals look to profit from a simple method of attack. Rather than spend many hours social engineering to get hold of administrator passwords or trying the find a vulnerability in a corporate IT estate, how much easier is it for criminals to exploit poor user awareness? Getting someone to open an infected email which subsequently kicks off an encryption programme (only to be decrypted on payment of a ransom) appears to be getting quicker and greater returns for criminals.
From an anecdotal perspective, I posed a question on an Information Security forum whether ransomware was over-hyped or if people in operational roles were actually seeing it. The response was clear: everyone felt that ransomware is a real threat to organisations (and indeed, individuals), and is likely to get worse. This is further borne out by independent research; a recent survey by Sentinel found that within the UK, 39% of organisations surveyed admitted to suffering a ransomware attack in the previous 12 months. In a separate survey by Trend Micro, 69% of IT professionals felt their own organisation would be targeted in the coming twelve months.
So what methods are being used to deploy ransomware? 81% of all organisations surveyed stated that attackers had gained access to their network through phishing via email or social media.
This again demonstrates that good cyber security cannot solely be achieved through technology solutions. User education and awareness – identifying what looks suspicious and knowing when to report it and not to click on it – is vital in the fight against these sorts of attacks.
Mandatory training, or preferably, a cultural awareness programme of these challenges is essential in combatting the massive business disruption organisations face in the event of a successful ransomware attack. The public sector is targeted just as much as the private sector and so there is no place for complacency in either arena.
Where you can get help
If you recognise that you need to protect your business from cyber threats but don’t know where to start, then the Ten Steps to Cyber Security published by HMG, is a useful resource. Getting the basics right – such as regular anti-virus updates and timely patches to IT systems – will go some way in deterring certain attacks. However, this is not just an IT solution; education, awareness, and a developing a security culture is fundamental in securing the enterprise.
The difference between a successful cultural awareness programme and one which, despite cost and time, still results in breaches and disruption, is the manner in which employee engagement has been considered. Naturally, this is tricky and every organisation will be different, but taking time to understand existing cultures and developing a programme where employees understand and personally feel the benefit, will pay dividends very quickly.