The results are out from cybersecurity guru Fortinet’s 2021 Global Threat Landscape Report. And they are shocking: The number of daily ransomware attacks shot up nearly 1,000% this year. That is a staggering number of cyberattacks! For reference, the weekly average number of attacks in June of 2020 was 14,000. But in June of this year? An unbelievable 149,000. Yes, in a single month. And as to which industries are being targeted, well, you name it. According to the report, “the key takeaway is that ransomware is a clear and present danger regardless of industry or size.” There is a lesson to be learned here: Proactive security training is essential for every type of organization if this trend is ever to be reversed.
Successful ransomware attacks are most often the result of social engineering. Security filters designed to stop phishing and malware are not foolproof. And if employees aren’t trained to recognize – or at least question – messages that have successfully jumped the guardrails, BIG trouble is virtually guaranteed. Humans are easy prey to other humans specifically because we know how to push each other’s buttons. Social engineering is insidious, as it is specifically designed to play to our emotions. Deviant email messages crafted to manipulate feelings of fear, urgency, greed and compassion flood the mail system every day. Whether or not those emotions get triggered to the degree that we act on them (by clicking a malicious link or handing over confidential information) is dependent on how well-trained we are in knowing what to look for.
Testing, testing, 1-2-3
Organizations should be conducting cybersecurity awareness training for staff regularly, from interns to C-level leaders. And after the training, regular, routine testing is critical. For that reason, NIST, the body overseeing cybersecurity standards in the U.S., has recently updated some of their standards. In their publication “Security and Privacy Controls for Information Systems and Organizations”, they now recommend providing frequent simulated social engineering testing. They state, “Practical exercises include no-notice social engineering attempts to collect information, gain unauthorized access, or simulate the adverse impact of opening malicious email attachments or invoking, via spear phishing attacks, malicious web links.”
Digging in deeper
Let’s explore a few specific recommendations from NIST:
Put it in “stealth mode”
They state that the testing should be no-notice. I think it’s pretty clear what they mean: Testing should not be announced over the loudspeaker. Sure, notify staff that testing will be conducted on an ongoing basis. But when and how it actually happens? Keep that on the “down low” if you want the most authentic check of where your staff is on the learning curve.
Don’t keep it simple (stupid)
Testing needs to be sophisticated and multi-dimensional. In other words, don’t just send out the standard “Hey, it’s Amazon and we’ve frozen your account until you give us your password” types of simulated messages. Those have their place in early training, but it’s time to be less obvious and get clever. Include well-researched, well-crafted spear phishing attacks. (If you don’t know what spear phishing is, check out Dan Callahan’s post outlining the various forms of phishing.) Anyone who is truly targeting your organization will take the time to do research to build an effective attack. (Which, honestly, is often as simple as a quick peek at someone’s Facebook account.) You should test by simulating those types of more personal, targeted messages as well. And mix it up: Test to see if staff are easy to trick into downloading attachments, clicking on links, opening images and so on.
Bigger fish to fry
It is critical to test at the highest staff levels. CEOs are just as vulnerable to social engineering as anyone else, particularly since criminals have gotten so sophisticated. And “whaling” – attempts to get the credentials of CEOs or other top executives – is becoming more and more common. It makes sense: Top-level employees have the most access to both the organization’s confidential data and assets. That high level of access, coupled with a lack of extensive security training, could potentially be the perfect storm for a ransomware attack.
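The two recommendations above (vary the lure type, and test every staff level including executives) only pay off if the results of each simulated campaign are actually broken down along those dimensions. The following script is an added example, not code from the original post or from Fortinet or NIST: it takes a constructed set of simulation outcomes and reports the click rate per lure type and per staff level, the overall report rate, and which groups exceed a retraining threshold. The record fields, the group names and the 40% threshold are assumptions chosen for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class SimResult:
    """One recipient's outcome in a simulated social engineering campaign."""
    user: str
    level: str      # assumed staff levels: "staff", "manager", "executive"
    lure: str       # assumed lure types: "credential_link", "attachment", "image", "spear_phish"
    clicked: bool   # took the bait (clicked, opened, or submitted)
    reported: bool  # forwarded the message to the security team


# Constructed sample results (illustration only, not real campaign data).
SAMPLE_RESULTS = [
    SimResult("alice",   "staff",     "credential_link", clicked=False, reported=True),
    SimResult("bob",     "staff",     "credential_link", clicked=True,  reported=False),
    SimResult("carol",   "staff",     "attachment",      clicked=False, reported=False),
    SimResult("dave",    "staff",     "attachment",      clicked=True,  reported=False),
    SimResult("erin",    "manager",   "image",           clicked=False, reported=True),
    SimResult("frank",   "manager",   "spear_phish",     clicked=True,  reported=False),
    SimResult("grace",   "manager",   "credential_link", clicked=False, reported=True),
    SimResult("heidi",   "executive", "spear_phish",     clicked=True,  reported=False),
    SimResult("ivan",    "executive", "spear_phish",     clicked=True,  reported=False),
    SimResult("judy",    "executive", "attachment",      clicked=False, reported=True),
    SimResult("mallory", "staff",     "image",           clicked=False, reported=False),
    SimResult("oscar",   "staff",     "spear_phish",     clicked=True,  reported=False),
]


def failure_rates(results, key):
    """Group results by the attribute `key` ("level" or "lure").

    Returns {group: (clicked, total, click_rate)}.
    """
    counts = defaultdict(lambda: [0, 0])
    for r in results:
        bucket = counts[getattr(r, key)]
        bucket[1] += 1
        if r.clicked:
            bucket[0] += 1
    return {g: (c, t, c / t) for g, (c, t) in counts.items()}


def report_rate(results):
    """Fraction of recipients who reported the message, regardless of clicking."""
    if not results:
        return 0.0
    return sum(1 for r in results if r.reported) / len(results)


def groups_needing_retraining(results, key, threshold=0.4):
    """Groups whose click rate exceeds `threshold`, sorted by name."""
    rates = failure_rates(results, key)
    return sorted(g for g, (_, _, rate) in rates.items() if rate > threshold)


def summary(results, threshold=0.4):
    """Human-readable campaign summary across both test dimensions."""
    lines = []
    for key in ("lure", "level"):
        lines.append(f"Click rate by {key}:")
        for g, (c, t, rate) in sorted(failure_rates(results, key).items()):
            lines.append(f"  {g:16s} {c}/{t}  ({rate:.0%})")
        flagged = groups_needing_retraining(results, key, threshold)
        lines.append(f"  above {threshold:.0%} threshold: {flagged or 'none'}")
    lines.append(f"Overall report rate: {report_rate(results):.0%}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(summary(SAMPLE_RESULTS))
```

On the constructed data the spear phishing lure is the only lure over the threshold and the executive group is the weakest level, which is exactly the pattern the post warns about. In a real program you would feed this the export from your simulation platform and track the same two breakdowns campaign over campaign; a rising report rate is as important a signal as a falling click rate.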
Fortify the castle
Clearly, this escalating pandemic of ransomware shows us just how important simulated social engineering is. The results from the Fortinet report demand a major rethinking of security training and testing at organizations worldwide. Everyone should reevaluate the frequency with which theirs is performed and the level of sophistication in their design. Your employees are quite literally the last line of defense when it comes to protecting your organization’s assets. Let’s make sure they are fully prepared and ready for battle!