Aamir Lakhani, a researcher at FortiGuard Labs, explains why organizations should extend cyber awareness training across the enterprise, from Luddites to executives.
Ransomware is seemingly everywhere these days. It is no longer just a topic of discussion for cybersecurity professionals and researchers; rarely a week goes by without it appearing in the mainstream media.
It has quickly become a household word, and in some respects this increased visibility is a welcome development. Nobody wants ransomware to be discussed because of the latest attack, but the upside is that awareness is (hopefully) increasing as well. In today's world, essentially everyone is a potential ransomware target, and that means security professionals have a lot of work ahead of them.
Greater vulnerability across the board.
Even the most committed Luddites among us have at least a small digital footprint, whether they know it or not. If you buy groceries with a debit card, visit a doctor, or pay taxes, personal information about you exists in digital form somewhere. And those are just a few examples.
That means the "Oh, I don't have anything cybercriminals care about" mentality should be put aside for good. Yes, you do. And even if you hold nothing valuable yourself, you are probably connected to someone who holds more valuable digital assets, and bad actors will try to use you as a path to them. As security professionals, we must make everyone understand this.
The explosion of attacks is the result of threat actors harvesting the lowest-hanging fruit with powerful, scalable tooling, including automation and machine learning. Consider, for example, how they use spear-phishing augmented by machine learning to target executives. The same tooling means that low-security IoT devices, unpatched systems, and similar weaknesses can be discovered more easily and efficiently than ever.
The lowest-hanging fruit is not always the best target.
Not all hackers are out for money, but those who are become particularly adept at plying their trade. What malicious actors are often looking for are the most lucrative and critically important "keys to the kingdom": information, passwords, contacts, or accounts, which are usually found within the C-suite. Top executives not only hold the most valuable organizational data, they are also the ones who decide whether a ransom gets paid.
This creates two situations that put executives under even greater threat. First, it makes a ransomware attack on a decision maker incredibly efficient, delivering the maximum return on investment for threat actors. Second, it makes a senior executive's personal communications incredibly valuable and particularly vulnerable. The more embarrassing the business and private communications that cybercriminals threaten to release, the greater the victim's willingness to pay, and often the more the attackers can demand.
The sad reality is that most executives, and particularly their direct reports, are incredibly soft targets, and today's cybercriminals have increasingly sophisticated technology at their disposal. With tools such as AI-generated deepfakes in play, the apparent simplicity of ransomware is deceptive in more ways than one. Once threat actors gain access to personal communications, it is remarkably easy to use AI to mimic the tone and style of people you would never suspect: not just another C-suite member or business leader, but a close friend, a spouse, or a family member.
More cybersecurity training is needed.
Social engineering schemes, such as phishing attacks, continue to be among the most common vectors for ransomware and other cyberattacks. And while many organizations do train their employees, those workers apparently do not retain what they have been taught.
A recent Cloudian report found that phishing attacks succeeded even though 54 percent of all respondents, and 65 percent of those who reported phishing as the entry point of a ransomware attack, had conducted anti-phishing training for their employees.
Increased awareness is the foundation on which a strong cybersecurity strategy is built. Although many organizations focus on day-to-day cyber awareness for general staff, they should also consider the value of training their network and security professionals.
To maximize investments and improve security posture, cyber awareness training should ensure that technical security professionals gain the knowledge needed to get the most out of the solutions they deploy. By prioritizing cybersecurity awareness training, organizations and their employees can stay ahead of threats before those threats have an impact.
At the same time, cybersecurity training must take place across the board, including for executives, who cannot be overlooked given the access they have and the large targets on their backs.
Don’t discriminate – Educate.
Ransomware does not discriminate. Today, everyone is a potential target. If you have even the smallest digital footprint, you face the risk of ransomware and other types of attacks. That is even truer for executives, who have access to more sensitive data. Given this reality, organizations must extend cyber awareness training across the entire enterprise. No employee is too senior or too junior for this kind of education. In a world where everyone is at risk, it makes sense to equip every employee with the information they need to help defeat cybercrime.
Author: Aamir Lakhani