Ransomware: Building a culture of resilience

Dr Sandra Bell has briefed UK governments on National Security Strategy and overseen safety at high-risk Olympic venues. As ransomware continues to create havoc, she is now advising CEOs to ‘be ready’.

Sandra Bell
Head of Business Continuity & ISDG Consulting (Europe)
Sungard Availability Services

Since making a name for itself in the 2017 WannaCry outbreak, ransomware has grown in notoriety, both as a major source of disruption to companies and as an effective tool to extract money from them. In the latest incident, it’s just been revealed that Ryuk ransomware successfully extorted almost $4,000,000 in just six months by selectively targeting companies with the deepest pockets.

So why is ransomware so effective? Put simply, the threat can’t be negated through the efforts of the CSO and IT departments alone. While its objective is to attack organisations, ransomware hunts individuals on the network, using intense psychological pressure and exploiting human biases to gain access to IT systems. To combat this, organisations must establish a business-wide culture of vigilance and openness from the top down. This means CEOs must be armed with the relevant knowledge: who it targets, how employees react to it and what to do to prevent it.

It targets your people, not your IT system

Unlike in a traditional ransom, the IT system is both the asset being held ‘prisoner’ and the vehicle delivering the ransom note. The actual target is the IT user and, if the target is within a business, the victim is then the business. Locking down the IT system and the data it contains will only reduce the opportunity of it being held prisoner. It’s therefore not just a case of getting your workforce to abide by security rules, but of recognising your unique psychological susceptibilities and designing work practices that prevent individuals within your workforce from becoming attractive targets – and you from becoming a victim.

It works by preventing access to something your people want

Ransomware is rendered useless if the asset has no unique value. Unlike people, data is easily copied or cloned. If you always have a copy, or the ability to create one, there’s no point in paying a ransom to have the original released. Likewise, it’s now the norm to access our data through multiple devices, which means locking one access route has limited impact on the target.

The psychological factors work best when the target is isolated

‘Locker’ and ‘Crypto,’ the two main types of ransomware, deploy different tactics and are successful within different populations of people. Crypto plays to time pressure, with the promise of positive results. The perpetrator demands the victim reacts quickly – without notifying senior figures in IT admin – in order to avoid repercussions and potentially being identified as the person responsible. By contrast, Locker often works by deception. The perpetrator poses as an authority figure who has supposedly identified a misdemeanour and convinces the user to comply with their wishes by suggesting that anything they have done wrong will be used against them. The effects of both are greatly amplified if the target either perceives themselves to be, or can be, physically isolated from their colleagues and organisational support network. Ransomware risk can therefore be reduced by fostering a corporate culture that reduces the feelings of real or perceived isolation.

Good defence is desirable – but quick reactions and strong leadership are essential

An attack is almost always still taking place when you launch your response and recovery. This means that if you only have a single plan, without the means to deviate from it, your opponent will quickly learn what it is and overcome it. Even with a solid backup strategy, your response will be unsuccessful unless you also have the crisis leadership skills to adapt in real time and lead your organisation through the complex, unstable environment created by a large-scale attack.

To summarise…

There is no single solution, but the organisations that are most successful at managing the risk have departed from the traditional tactics employed for unique physical assets. The only certain way of preventing digital business assets from becoming ransom prisoners is by taking advantage of the features that data and IT systems offer. A unique physical asset exists in only one place and can therefore be held to ransom; if there are copies, back-ups or alternative ways of accessing the asset, a ransom becomes redundant.

Businesses must leverage the ease with which a copy of mission-critical data can be kept off-premises, ready to be implemented if the primary is locked out. They must also recognise that much can be done, not only to safeguard their people from becoming targets but also to prevent themselves from becoming victims at an organisational level.
