Aamir Lakhani, researcher at FortiGuard Labs, explains why organizations must extend cyber-awareness training across the entire enterprise, from Luddites to the C-suite.
These days, ransomware is seemingly ubiquitous. No longer just a discussion topic for cybersecurity professionals and researchers, it rarely goes a week without appearing in the mainstream media.
It’s rapidly become a commonplace word, and in some respects, this increased visibility is a positive development. While it’s not good that everyone’s talking about it in connection with recent attacks, what is good is that awareness (hopefully) is also increasing. Because in today’s world, essentially everyone is a potential target for ransomware – and that means security pros have their work cut out for them.
Increased Vulnerability Overall
Even the most avowed Luddites among us probably have at least a tiny digital footprint, whether they know it or not. If you buy groceries with a debit card, visit a doctor or pay taxes, there is personal information about you in a digital format somewhere. And that’s just to name a few examples.
That means the mentality of “Oh, I don’t have anything cybercriminals would be interested in” needs to be set aside for good. Yes, you do, and even if you don’t think you do directly, you’re probably connected to someone else with more valuable digital assets – and bad actors will try to use you as a pathway. And as security professionals, we need to make everyone understand this.
The explosion of attacks is the result of threat actors picking the lowest-hanging fruit with incredibly powerful digital “pickers” and scalable resources – including automated approaches and machine learning. For example, consider how they are using spear-phishing through weaponized machine learning to target executives. It also means that low-security IoT devices, unpatched systems and more can all be detected more easily and efficiently than ever.
The Lowest-Hanging Fruit Isn’t Always the Best Target
While not all hackers are out for the money, if they are, they become particularly crafty at plying their trade. What malicious actors are often looking for are the “keys to the kingdom” — the most lucrative mission-critical information, passwords, contacts or accounts — which is usually found within the C-suite. And not only do C-suite targets have the most valuable organizational data, but they are also the decision-makers of whether to pay a ransom.
This creates two situations that put executives under even greater threat. First, it makes a ransomware attack on a C-suite decision-maker incredibly efficient, which achieves maximum ROI for threat actors. Second, it makes a C-suite executive’s personal communications incredibly valuable and particularly vulnerable. The tighter cybercriminals can twist the screws by threatening to release embarrassing business and private communications, the greater their chances of payment – and often, the more they can demand.
The sad reality is that the majority of executives, and particularly their direct reports, are incredibly soft targets. Cybercriminals today have increasingly sophisticated technology. When tools like AI-generated deepfake technology are used, ransomware’s simplicity is deceptive in more ways than one. When threat actors gain access to personal communications, it is ridiculously easy to use AI to mirror the tone and style of people you’d never suspect – not just another member of the C-suite or a business leader, but a close friend, a spouse or a family member.
More Cybersecurity Training is Needed
Social-engineering schemes such as phishing attacks continue to be one of the most common vectors for ransomware and other cybersecurity attacks. And while many organizations are allegedly doing training for employees, those workers are apparently not retaining what they’ve been taught.
A recent report by Cloudian found that phishing attacks succeeded even though 54 percent of all respondents – and 65 percent of those who reported it as the entry point of a ransomware attack – had conducted anti-phishing training for employees.
Greater awareness is the fundamental principle on which a strong cybersecurity strategy is based. Although many organizations focus on the daily end-user cyber awareness training, they should also consider the value of training their security and network professionals.
To maximize investments and enhance cybersecurity, cyber-awareness training should ensure that technical security professionals gain the knowledge required to optimize solution deployments for enhanced security. By taking steps to prioritize cybersecurity awareness training, organizations and their employees can get ahead of threats before they can make an impact.
At the same time, cybersecurity training needs to be conducted across the board – that includes executives, who can’t be overlooked, given the access they have and the huge targets on their backs.
Don’t Discriminate – Educate
Ransomware doesn’t discriminate. Today, everyone is a potential target. If you have even the smallest of digital footprints, you face the risk of ransomware and other types of attacks. That’s even truer for the C-suite, who have access to more sensitive data. Given this reality, organizations need to extend cyber-awareness training across the entire enterprise. No employee is too big or too small for this type of education. In a world where everyone’s at risk, it makes sense to equip every employee with the information they need to help defeat cybercrime.
Aamir Lakhani is a cybersecurity researcher and practitioner at Fortinet’s FortiGuard Labs.