Curated advice, guidance, learning and trends in cybersecurity and privacy, as chosen by our consultants.
Nothing random about ransomware victims as attacks increase
Ransomware: it hasn’t gone away, you know. Europol recently warned that ransomware operators are choosing their targets based on their ability to pay higher financial costs, and their need to get back running quickly after an attack. (The agency’s 2021 Internet Organised Crime Threat Assessment report has more details.) But how do organisations gauge their ability to pay? And do they realise what ransomware is really costing them? Check Point Research claims the total cost of an incident is over seven times higher than the average ransom paid. That’s because many businesses overlook considerations like paying to restore critical systems quickly, legal advice, and other hidden costs. It also says ransomware attacks have increased by 24 per cent year on year. (Allan Liska’s helpful graphic shows new ransomware variants over the last six months.)
Meanwhile, a survey of 1,200 IT professionals across 17 countries found that nearly two-thirds of victims pay their extortionists. In all, 85 per cent of respondents suffered a successful cyberattack in 2021, and 63 per cent of ransomware victims paid. CyberEdge said this practice encouraged cybercriminals to increase their attacks. Separately, Zerto identified resource and skills gaps in organisations that hinder their ability to respond to, and recover from, ransomware.
This too will pass. Word.
On February 24th, 2004, Bill Gates predicted at RSA that people would rely less and less on passwords over time. (And overexcitable headline writers promptly pronounced the ‘death of the password’.) On May 5th, 2022, we marked World Password Day (for the tenth year running). So that went well. But cheap jokes and 20/20 hindsight aside, there are signs that passwords are slowly being overtaken. Better ways of protecting confidential information and logins are more readily available.
According to Google, the evidence shows that using two-factor authentication (2FA) improves account safety by half. Use of 2FA or multi-factor authentication (MFA) is increasing. GitHub, for example, will require all developers who commit code to use 2FA from 2023. As of now, only 16 per cent of active GitHub users have enabled it. SANS published a guide to preparing for MFA, noting that weak passwords or poor password use often lead to breaches. And while passwords still endure, here’s our video about good password management and keeping logins secure.
Culture club: changing the mood music around users and security
An excellent article in Dark Reading caught our attention about how to create a positive security culture. It encourages a reframing of the human errors that lead to security issues. “A positive security culture is defined by an atmosphere in which people feel safe to admit when they make a mistake, and the foundation for that is to make it harder for people to make mistakes,” writes Karen Spiegelman. The article quotes MIT professor Nancy Leveson who said “human error is a symptom of a system in need of redesign”. In other words, we all make mistakes; treat them as the symptom, not the disease.
The article shares three principles for building a safety culture. 1. Acknowledge and report errors. 2. Support a no-blame culture by speaking up and encouraging others to raise concerns. 3. Commit to process-driven learning and prevention for continuous improvement. Google’s recent ‘Anatomy of an Incident’ report has similar themes, including learning lessons, and fostering a learning culture. The 70-page document is free to download. And finally, developments in the US could propel cybersecurity into the boardroom. Forbes reports that the Securities and Exchange Commission recently proposed new rules that would require U.S. public companies to have corporate directors with cybersecurity expertise. A culture ideally pervades throughout organisations, but tone from the top can help to set the agenda for everyone else.
Links we liked
Inspiring the younger generation of women in cybersecurity.
A catalogue of free cybersecurity services and tools.
New guidance on data centre security for owners and users.
Lessons in security and corporate espionage from … Jurassic Park?
Cybersecurity, Ryan Reynolds style.
Here’s why every business is a cybersecurity business.
Is IT leaders’ confidence in managing a ransomware attack misplaced?
The PCI data security standard has been updated to version 4.0. Here’s what’s new.
A public consultation on the proposed EC Cyber Resilience Act. Have your say.
Ten signs of a poor security leader (the 11th being, you don’t read this newsletter).