Ransomware is to data as glaucoma is to sight: one steals away data as the other steals away vision. Ransomware, a type of malware that blocks access to a victim’s data (usually by encrypting it) and threatens to keep it blocked unless a ransom is paid, affects everything from small businesses right up to the largest organisations and government institutions.
Reports suggest that ransomware attacks are becoming more prevalent. A 2020 Check Point study recorded a 50% increase in the daily average of ransomware attacks in Q3 compared with the first half of the year (1). One survey found that half of all respondents detected a ransomware attack in 2019, with business disruption and possible data loss in nearly 75% of those cases (2). The consensus in the security industry is that compromise by malware is a matter of ‘when, not if’.
Risk factors can be managed by appropriate security, backup and software patching provisions. These are crucial not only for prevention but also for recovery after an infection: a tested backup that the infected machines cannot reach is what turns a ransomware incident into a restore job rather than a data-loss event.
That said, is there more that can be done to protect ourselves beyond these technical safeguards?
According to the Center for Internet Security (CIS), a non-profit industry leader in designing best-practice standards for securing IT and data systems, the most common vector for ransomware infections is “user-initiated actions” (3). This has been broadly true of malware historically. In responding to it, training is key.
What are “user-initiated actions”?
CIS defines these as “actions such as clicking on a malicious link in a spam email or visiting a malicious or compromised website”. In short, “user-initiated actions” are actions that involve ‘the human element’: the activities of the person using the device. It therefore stands to reason that if we can mitigate ‘the human element’, we go a long way towards improving our defences.
Given that it is neither practical nor legal to eliminate humans, we are left with mitigation through training.
A 2020 industry study produced by CyberEdge (4) found that one of the largest obstacles to security is “low security awareness among employees”.
Here are a few high-level training steps to help minimise the risk of a ransomware attack:
No sports team takes to the pitch with only a paper plan, nor without its players having trained, both individually and together. Cyber training and rehearsals should likewise be active and scenario-based, not passive information dumps via email and presentations.
Play out scenarios (a simulated phishing email, a link to a malicious or compromised website), run practical tests, and gamify the training; many companies provide services to do exactly this. We teach our patients good optical hygiene through practical demonstration, not just through marketing materials; we should do the same for our cyber hygiene.