One of my earliest mentors often joked that the only secure computer was one encased in concrete and dropped randomly in the Pacific Ocean. Although humorous, it does make an important point: There’s no such thing as absolute security.
No matter how impressive your defenses may be, some things will invariably slip through. Harmful URLs will be clicked. Malware will get installed. Password credentials will be phished. Confidential data will be leaked. Attachments will be irrevocably emailed to unintended recipients. Snippets of source code will be written to a public repository. Laptops, phones, removable media, and other mobile devices will be lost or stolen. Sensitive information will be forgotten on printers, in meeting rooms, and in public transport.
Security control failure is inevitable. What then are organizations doing to mitigate the threat of ransomware?
Ransomware on the Rise
In its 2022 Data Breach Investigations Report (DBIR), Verizon asserts that ransomware accounts for 25% of all data breaches, representing a sharp increase of nearly 13% from the previous year. This is interesting because many organizations tend to focus on good cybersecurity hygiene without giving much attention to the more significant threats of stolen credentials and phishing.
Verizon also found that 82% of breaches involved a human element, including use of stolen credentials, phishing, misuse and error. While I think that number could certainly be much higher, it does confirm what many readily accept to be true: malicious threat actors continue to target people as the weakest link in an organization’s defense.
Security tools to the rescue
Security tools have evolved greatly and remain an essential component of any security strategy. Gartner recently forecasted that organizations will spend a collective $188.3 billion on information security and risk management products and services in 2023. Remote work, zero trust and cloud-based delivery are driving organizations to invest in security solutions such as access management (AM), managed detection and response (MDR) and cloud access security brokers (CASB).
Despite this massive expense, data breaches and ransomware infections continue to make headlines at an alarming rate, with DataProt estimating that a ransomware attack occurs every 11 seconds. This might be attributed at least in part to increasingly strict breach notification laws. Another key factor is that organizations are now better equipped with the security tools, services and staff to detect and report data breaches that perhaps previously went unnoticed.
When it comes to preventing ransomware, the strategy must not stop with technological controls. Yes, we must use anti-malware, multifactor authentication, email and web content filtering, DMARC, tagging and the like, but let’s not neglect the human factor. Each of us has the ability to cause great harm. Attackers know this, so they target staff as a low-cost, easy-to-implement and highly successful tactic.
Where security training falls short
Many organizations mandate annual corporate security training. While this may be effective for disseminating information about risks, trends and threats, this alone won’t accomplish the important task of elevating security at the forefront of people’s minds on an ongoing basis. People need a safe environment in which they can practice what they learn so that it becomes nearly automatic.
Many people are completely unaware that their passwords — which they reuse and recycle across their many digital identities — might be unsafe for use. Today, security tooling helps prevent them from setting a password known to be compromised. Staff should also be trained how to determine if any of their accounts were disclosed in recent data breaches and may be at risk.
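The "known to be compromised" check mentioned above can be done without the plaintext password ever leaving the organization. The following is an added example, not code from this post or from Atos: it implements a k-anonymity range lookup in the style of the public Pwned Passwords range API (hash the candidate with SHA-1, send only the first five hex characters, receive every matching "SUFFIX:COUNT" line, and compare suffixes locally). The breach corpus and the `constructed_range_lookup` stand-in for the network call are constructed here so the example runs offline; swapping in an HTTP GET against the real range endpoint is the only change needed in production.

```python
"""k-anonymity breached-password check (added example, offline).

Only a 5-hex-character hash prefix is ever sent to the lookup service;
the full hash and the password stay local. The corpus below is a
constructed stand-in for a real breach corpus.
"""
import hashlib
from typing import Callable, Dict, List


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1, the digest the range API is keyed on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed corpus: a few passwords with made-up breach counts.
# A real corpus holds hundreds of millions of hashes, never plaintext.
_CONSTRUCTED_BREACHED: Dict[str, int] = {
    "password": 9_545_824,
    "123456": 37_359_195,
    "qwerty": 3_946_737,
    "letmein": 293_661,
    "Summer2022!": 412,
}


def _build_range_index(corpus: Dict[str, int]) -> Dict[str, List[str]]:
    """Bucket hashes by their 5-char prefix, storing 'SUFFIX:COUNT' lines."""
    index: Dict[str, List[str]] = {}
    for pw, count in corpus.items():
        digest = sha1_hex(pw)
        index.setdefault(digest[:5], []).append(f"{digest[5:]}:{count}")
    return index


_RANGE_INDEX = _build_range_index(_CONSTRUCTED_BREACHED)


def constructed_range_lookup(prefix: str) -> str:
    """Stand-in for the remote range query: returns every 'SUFFIX:COUNT'
    line whose hash starts with `prefix`, one per line, like the public
    range API does. In production this would be an HTTP GET."""
    return "\n".join(sorted(_RANGE_INDEX.get(prefix.upper(), [])))


def breach_count(password: str,
                 range_lookup: Callable[[str], str] = constructed_range_lookup) -> int:
    """Return how many times `password` appears in the corpus (0 if unseen).

    The lookup service only ever sees the first five hex characters of the
    SHA-1 digest; suffix matching happens here."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(prefix).splitlines():
        line = line.strip()
        if not line:
            continue
        candidate_suffix, _, count = line.partition(":")
        if candidate_suffix.upper() == suffix:
            return int(count)
    return 0


def password_acceptable(password: str, max_breaches: int = 0) -> bool:
    """Policy hook for a password-change form: reject anything seen in a
    breach more than `max_breaches` times (default: any appearance)."""
    return breach_count(password) <= max_breaches


if __name__ == "__main__":
    for pw in ("password", "Summer2022!", "correct horse battery staple"):
        print(f"{pw!r}: breach_count={breach_count(pw)} "
              f"acceptable={password_acceptable(pw)}")
```

Wiring `password_acceptable` into the password-change path is what blocks a user from picking a known-leaked password; the same `breach_count` function, run over a list of candidate passwords a user already holds, is the self-service check the paragraph says staff should be taught to perform.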
Additionally, organizations must proactively monitor the dark web for transactions involving the sale of accounts linked to their domain. In this manner, they can stay ahead of any potential damage and take preemptive actions such as disabling potentially compromised accounts and changing passwords. They can also review recent audit logs for suspicious activity using these stolen credentials.
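The audit-log review described in the previous paragraph is easy to automate once a watchlist of exposed accounts exists. The following is an added example, not code from this post or from Atos: given a constructed watchlist (accounts seen offered for sale, with the date each listing was observed) and a constructed JSON Lines authentication log, it builds a per-account baseline of source IPs used before the exposure date, then flags every successful login after that date, marking logins from a source the account never used before. The log fields (`ts`, `user`, `result`, `src_ip`, `country`) are an assumption about the log format, not any particular product's schema.

```python
"""Review authentication logs for use of exposed credentials (added example).

Inputs are constructed: a JSON Lines auth log and a watchlist of accounts
observed for sale, each with the time the listing was seen.
"""
import json
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Set

# Constructed authentication events; documentation-range IPs, not real hosts.
CONSTRUCTED_AUTH_LOG = """\
{"ts": "2023-03-01T08:02:11Z", "user": "j.doe@example.com", "result": "success", "src_ip": "203.0.113.10", "country": "US"}
{"ts": "2023-03-02T08:05:40Z", "user": "j.doe@example.com", "result": "success", "src_ip": "203.0.113.10", "country": "US"}
{"ts": "2023-03-03T09:11:02Z", "user": "a.smith@example.com", "result": "success", "src_ip": "198.51.100.7", "country": "US"}
{"ts": "2023-03-06T02:14:55Z", "user": "j.doe@example.com", "result": "failure", "src_ip": "192.0.2.44", "country": "RO"}
{"ts": "2023-03-06T02:15:20Z", "user": "j.doe@example.com", "result": "success", "src_ip": "192.0.2.44", "country": "RO"}
{"ts": "2023-03-06T07:59:00Z", "user": "a.smith@example.com", "result": "success", "src_ip": "198.51.100.7", "country": "US"}
{"ts": "2023-03-06T13:30:00Z", "user": "b.lee@example.com", "result": "success", "src_ip": "192.0.2.44", "country": "RO"}
"""

# Constructed watchlist: account -> time the credential listing was observed.
WATCHLIST: Dict[str, str] = {
    "j.doe@example.com": "2023-03-05T00:00:00Z",
    "b.lee@example.com": "2023-03-05T00:00:00Z",
}


def parse_ts(value: str) -> datetime:
    """Parse an RFC 3339 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_events(log_text: str) -> List[dict]:
    """Parse JSON Lines, skipping blank lines; timestamps become datetimes."""
    events = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        event["ts"] = parse_ts(event["ts"])
        events.append(event)
    return events


def review_watchlisted_logins(log_text: str, watchlist: Dict[str, str]) -> List[dict]:
    """Return one finding per successful post-exposure login by a watchlisted
    account. `new_source` is True when the source IP was never used by that
    account before exposure; `no_baseline` flags accounts with no prior
    successful logins in the log window, where every login is unverified."""
    events = parse_events(log_text)
    exposure = {user: parse_ts(ts) for user, ts in watchlist.items()}

    # Baseline: source IPs each watchlisted account used successfully before exposure.
    baseline: Dict[str, Set[str]] = defaultdict(set)
    for ev in events:
        user = ev["user"]
        if user in exposure and ev["result"] == "success" and ev["ts"] < exposure[user]:
            baseline[user].add(ev["src_ip"])

    findings = []
    for ev in events:
        user = ev["user"]
        if user not in exposure or ev["result"] != "success" or ev["ts"] < exposure[user]:
            continue
        findings.append({
            "user": user,
            "ts": ev["ts"].isoformat(),
            "src_ip": ev["src_ip"],
            "country": ev["country"],
            "new_source": ev["src_ip"] not in baseline[user],
            "no_baseline": not baseline[user],
        })
    return findings


def accounts_to_disable(findings: List[dict]) -> Set[str]:
    """Accounts whose exposed credentials were used from an unfamiliar source;
    candidates for the preemptive disable-and-reset the text describes."""
    return {f["user"] for f in findings if f["new_source"]}


if __name__ == "__main__":
    results = review_watchlisted_logins(CONSTRUCTED_AUTH_LOG, WATCHLIST)
    for f in results:
        print(f)
    print("disable:", sorted(accounts_to_disable(results)))
```

Failed logins after exposure are deliberately left out of the findings (they are noise for this question, though a spike of them is its own signal), and a watchlisted account with no pre-exposure history is reported with `no_baseline` set so an analyst knows the "new source" verdict rests on nothing.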
Many believe only the truly foolish fall prey to a phishing attack, but I’m convinced that anyone can be phished — myself included. I have orchestrated numerous phishing simulations with difficulties ranging from loud and obvious to soft and sophisticated. Someone always fails the test, even when using the easiest templates containing all the telltale signs. People are human, and they will make mistakes.
Quizzing staff to spot phishing emails as part of a training curriculum is a good start, but conducting periodic phishing tests helps reinforce vigilance day in and day out. Tests also provide valuable insights into the effectiveness of an awareness program, enabling security teams to fine-tune future communications and trainings to address areas of weakness.
Report it, don’t just delete it!
Atos has implemented a one-click reporting button and encouraged our employees to use it liberally. This way, security gets notified right away and can take appropriate remedial actions, such as blocking the sender domain and malicious URLs, purging all other instances of the same email message sent to other recipients, investigating for indicators of compromise, and even resetting passwords.
When Atos employees use their report button for a phishing simulation campaign, they receive a congratulatory email thanking them for their continued vigilance.
Note: Although employees are prompted to enter their password on the phishing test site, it’s never actually captured. Rather, we simply assume that a correct password was entered when the correct account ID was entered.
Whenever someone fails the test, an automated email gently notifies them that this was a phishing test, and if this had been a real attack, their account could have been misused to gain unauthorized access to data, systems, networks and applications. Additionally, it’s noted that compromised account credentials are often sold on the dark web, potentially bringing brand damage to the company as threat intelligence feeds will assume the worst. Atos staff members are offered additional training to help sharpen their skills. A regional point-of-contact is provided to answer any questions they may have.
To sanction or not to sanction
Some might be tempted to think HR sanctions should be enforced for staff members who fail a phishing simulation, but I find such a punitive approach counterproductive. First, we must not forget those who fail the test are still victims. Second, failure is a valuable part of learning. Third, it can breed mistrust of an organization’s security team when employees think security and HR are out to trick them. They may be less inclined to report a security incident or vulnerability when it actually happens.
Full speed ahead
When reviewing your security roadmap, consider how periodic testing of security controls can enhance your program, elevate staff awareness and mitigate human risk factors.
About the author
Marc Johnson, CISSP, has over 26 years of security experience enabling businesses to achieve their objectives through effective risk management. He currently serves as the Atos Americas Head of Security, Global Head of Security Awareness, and Chief Security Officer, North America.