
Your Hidden Security Tool: Your People

Oct 20, 2021 8:00:00 AM

By now you’ve probably heard the bad news: 68.5% of businesses were victimized by ransomware in 2021, an increase over each of the previous three years and the highest figure reported to date.[1] You’ve seen the high-profile attacks hitting every facet of society, from the Colonial Pipeline ransomware incident to the intrusion at a water treatment plant in Florida to the Houston Rockets.

The ransomware threat is increasing in intensity and frequency, touching everything from critical infrastructure to entertainment. The threat is everywhere and everything is a target. When you set out to mitigate it, it’s hard to know where to even begin. If Jalen Green’s contract isn’t safe, what chance do the rest of us have?

So what do we do?

There are those out there who would sell you some version of “Back Up Your Data” as the best response to ransomware. That’s certainly a response, and you should be backing up your data, but it’s far from perfect. The restoration process takes time, assuming you can restore at all. Ransomware affects data wherever it lives, and ransomware gangs now go looking for backups and destroy them as well. A backup strategy is only as good as the offline copy you keep out of the attacker’s reach and the restore you have actually tested.

So what, then, more tools? A recent Hiscox Cyber Readiness Report found that forty percent of firms “plan to lift spending on cyber technology” between five and ten percent.[2] The Buy More Stuff strategy is a safe one, but it ignores what is potentially the most powerful tool at your disposal: your people.

At Celerium, we are in the people business. Our platform enables cyber practitioners to collaborate more effectively. Doing so much work in this area, we know that every successful collaboration starts and ends with how empowered the team is. The stronger their sharing capabilities, the stronger their defense. We tie people and technology together; you can’t pick one, you need both.

There is a bottomless pit of content out there telling you that your biggest cyber weakness is people. Ninety percent of cyber events start with human error; people are the weakest link in the people-process-technology triad; phishing emails were the method of entry in sixty-five percent of ransomware attacks, according to the Hiscox report.

Why is that?

Are all of our organizations at the mercy of distracted employees, fried multi-taskers rumbling-bumbling-stumbling through their duties while being unwittingly targeted by crafty adversaries?

Perhaps. Given the epidemic of burnout that has accompanied the last year-and-a-half, it’s hard to fault anyone too much for not looking twice at an email, especially as phishing attempts have become more sophisticated. But maybe there is something else at work.

Maybe your people aren’t empowered. Maybe they don’t know what to look for. Maybe they haven’t been properly trained.

We know that human error is behind ninety percent of cyber events, and we know that phishing emails are effective, yet despite our knowing this, Hiscox reports that spending on cyber security staffing and training is down in 2021. How can we expect our teammates to report phishing emails if they don’t even know what to look for?

It’s been said that cyber security is a team sport. That team has to include everyone in the organization, even the ones – especially the ones – who never think about cybersecurity and who may not even know what phishing is. For the team to win, they need to be empowered.

Maybe it’s time to stop thinking of the people in your organization as a weak link and start thinking of them as an untapped resource. To steal a line from my favorite CISO, it’s better for everyone to know a little about cyber security than for a few people to know everything.

Basic social engineering and phishing training would help them know what to look for. Give them a reporting plan so they can report suspicious activity, and tell them that when in doubt, they should stop and report it rather than click it. Reporting matters more than quietly deleting: a reported message lets the security team find and remove the same email from everyone else’s inbox.

It’s not just us saying this. CISA recommends implementing user training as a way to mitigate the threat of ransomware.

Training won’t eliminate the problem, but empowering your employees to understand the threat and report it quickly can greatly reduce your risk.

Need help getting started with cyber defense? Our Cyber Defense Network’s Cybersecurity Improvement Program can help. Learn more here.

[1] CyberEdge. “Percentage of Organizations Victimized by Ransomware Attacks Worldwide from 2018 to 2021.” Statista, Statista Inc., 19 Apr 2021, https://www.statista.com/statistics/204457/businesses-ransomware-attack-rate/

[2] Hiscox. Cyber Readiness Report 2021. Hiscox, April 2021.