Lately I’ve seen the results of lots of annual data security studies popping up. I talked about the results of the Global Threat Landscape Report just last week. Yesterday I found another new report worth discussing. This one comes from the company GetApp, a resource for online software services. Honestly, some of the statistics had me scratching my head, wondering if cybersecurity awareness training has taken a back seat.
Here’s what they discovered from their survey:
- Ransomware attacks are up 13% over last year (with 12% of respondents saying they had been hit multiple times).
- While the percentage of organizations reporting receipt of phishing messages has stayed steady (and even dipped a bit), the number of users clicking on malicious links in those messages has gone up 14% over the past year, and is up 21% since 2019.
- Despite this, 33% of organizations say they have no incident response plan.
- 23% report having no established process for reporting a cyberattack.
- Only 26% of organizations in the survey provide social engineering training for employees.
Did you catch that second stat? While the actual number of phishing messages has leveled off and even gone down a bit, the number of employees clicking on phishing messages has gone up. Seems like things are moving in the wrong direction, no? Well, some of it is easy to explain, although disheartening. The pandemic has given the bad guys ample time and opportunity to hone their craft. (What’s that expression about idle hands being the devil’s workshop?) They’ve gotten quite clever at constructing messages that are difficult to recognize as fraudulent at first glance. Or sometimes even second or third glance. (I’m just saying…they’ve gotten that good at both their social engineering skills and technical craft. Which is bad news for the rest of us.)
But to make matters worse, the large majority of organizations surveyed actually admitted they don’t take any precautionary measures for cybersecurity at all! No cyber safety awareness training? No established or advertised policies for reporting? Not even a response plan in the event of a potentially disastrous cyberattack? It really feels like some organizations are just asking for trouble!
Why this matters
A real-life scary story
Halloween is around the corner, so I thought I’d share a frightening true-life tale with you. I read recently about an organization that was the victim of a massive ransomware attack. They are the only acute-care hospital in a large rural area, serving over 80,000 people. It all started with an email purporting to be about the company bonus program. An employee unsuspectingly clicked on a link in the email and downloaded a file. As you may have guessed, it was actually a malicious file and it activated a massive ransomware scheme. The organization openly admits that this employee had never been given any cybersecurity awareness training. They didn’t know how to spot the subtle indicators that the message was not legitimate. On top of that, they had never been told what to do even if they had been suspicious of the message.
The issue wasn’t discovered until after hours by the IT support team. Within a day, the medical center’s leadership had to make the decision to shut down all computers and servers, which meant the medical staff no longer had access to any electronic health records (EHR).
It could have been much worse
Thankfully, the center did have a disaster recovery and backup plan in place. But even with that head start, the organization still had to operate for 23 days without access to any electronic health records. That’s how long it took the IT staff to rebuild and reconfigure 2,500 computers and 600 servers. We are lucky they are sharing their story publicly as a tale of lessons learned. They hope that by doing so they can be an example to other organizations on how to prepare for attempted attacks. One of their main tips: “Focus on training and testing in tandem so employees learn how to spot and avoid a cyber threat.”
Easy as A-B-C
The moral of the story above is that it was all potentially avoidable. And yes, even with the best training, policies and plans, “stuff” can still happen. Sure, you can take driving lessons, wear your seat belt and buy insurance and still get into an accident, get injured and damage your car. But that doesn’t mean you forgo the lessons, the seat belt and the insurance and just throw caution to the wind, does it? (Well, I’m at least hoping most of you answer, “Of course not!”) That’s what surprised me most about the stats from GetApp’s survey: most organizations are doing nothing, or next to nothing, to keep an attack from potentially bringing them to their knees, even though these sorts of incidents are in the news all the time lately.
The fix is not complicated: it all comes down to focusing on the human factor and applying the “ABCs of cybersecurity”:
- Awareness: Provide staff at every level, from CEO to intern, with cyber awareness training on a regular, repeated basis.
- Behavior: Teach employees both what NOT to do to avoid potential attacks (phishing training is key here) and what TO do (e.g., report anything even mildly suspect to IT immediately).
- Culture: Make sure staff are aware of the incredibly important role they play in cybersecurity at their organization.
Cybersecurity culture is key
As we know, the culture of any organization is cultivated at the top. So, from the highest levels down, the gravity of each and every individual’s role in protecting the organization’s assets needs to be emphasized. Create a mindset where employees know that the risks are real and their daily actions impact that risk. If everyone sees themselves as an equally important piece of the cybersecurity puzzle, that is a great step in the right direction. Enhance that “we’re all in this together” mindset with practical cybersecurity awareness training, a clear and advertised set of security policies, and a recovery plan that you will hopefully never have to use. And then maybe we can see these trends turned around in next year’s set of statistics.