Special Edition is the blog for security testing business SE Labs. It explains how we test security products, reports on the internet threats we find and provides security tips for businesses, other organisations and home users.

Friday, 9 September 2016

Ransomware: Don't Die of Ignorance

According to a recent Herjavec Group report, ransomware profits will spiral past $1bn this year, with further explosive growth expected next year. The main vector for ransomware is email. The reason is simple: ignorance of the risks equals fat profits. It's that obvious. The solution is to stop users opening dodgy attachments, but how?

For the seeds of a possible answer, cast your mind back to the mid-1980s. As the AIDS epidemic hit the UK, the government's response was a huge public awareness campaign. Everyone who was around at the time remembers "AIDS: Don't Die of Ignorance". There were TV and radio adverts, cinema and press adverts, and every home received a frank leaflet explaining everything. Cool new condom brands popped up almost overnight (pun intended). Infection rates have risen since, but the sharp dip around the time of the campaign suggests it helped.

Back to 2016. According to Get Safe Online, cybercrime cost UK businesses over £1bn in the year to March, and the figure for the coming year will be much higher because of ransomware. A recent Malwarebytes report claims that over half of all UK businesses have already been hit by ransomware, with 9% left completely unable to function after the attack. Only 40% of those affected declined to pay the ransom, meaning that a whopping 60% felt they had no choice but to cough up.

Email filtering services and next-generation endpoint protection are out of the financial grasp of many SMBs, and it is the work of a few clock cycles to add some random junk to a payload so that it no longer matches the file signatures traditional AV relies on. Ransomware is getting through, and users are detonating it. There should be no doubt in anyone's mind that we're in the midst of a major and deepening crisis.
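To make the "random junk" point concrete, here is an added example (not code from SE Labs or from the original post) showing why a whole-file hash blocklist is so easy to evade while a signature on the payload's actual content is not. The "payload" is a constructed, harmless byte string standing in for an attachment, and the signature database and the functions hash_detect, content_detect and add_junk are hypothetical names for this illustration.

```python
import hashlib
import os

# Constructed stand-in for a malicious attachment (harmless bytes, not real malware).
SAMPLE_PAYLOAD = b"MZ\x90\x00" + b"enumerate shares; encrypt *.docx; drop ransom note\n"

# Hash-based blocklist: what "traditional AV" style file-hash signatures amount to.
HASH_BLOCKLIST = {hashlib.sha256(SAMPLE_PAYLOAD).hexdigest()}

# Content signature: a byte pattern tied to what the payload does, not to its exact bytes.
CONTENT_SIGNATURES = [b"encrypt *.docx"]


def hash_detect(data: bytes) -> bool:
    """True if the whole-file SHA-256 is on the blocklist."""
    return hashlib.sha256(data).hexdigest() in HASH_BLOCKLIST


def content_detect(data: bytes) -> bool:
    """True if any content signature appears anywhere in the file."""
    return any(sig in data for sig in CONTENT_SIGNATURES)


def add_junk(data: bytes, n: int = 16) -> bytes:
    """Append n random bytes. Trailing junk leaves the original code untouched
    (it still runs exactly as before) but changes every whole-file hash."""
    return data + os.urandom(n)


def evaluate(data: bytes) -> dict:
    """Run both detectors and report which ones fire."""
    return {"hash": hash_detect(data), "content": content_detect(data)}


if __name__ == "__main__":
    print("original :", evaluate(SAMPLE_PAYLOAD))
    print("with junk:", evaluate(add_junk(SAMPLE_PAYLOAD)))
```

The hash check catches the original sample and misses the padded copy; the content check catches both. Real engines use far richer signatures than a substring match, but the asymmetry is the same: a blocklist keyed on exact bytes costs the attacker almost nothing to defeat.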

If this is blindingly obvious to the cybersecurity industry and to the pundits surrounding it, it should be equally apparent to the UK government and its advisors. But where are the hard-hitting TV adverts and the leaflet campaigns aimed at the end user? After all, it's the end user putting themselves and the companies they work for at risk.

Ransomware awareness campaigns are happening, but they can be limited in scope, targeted at individual sectors, and at C-level executives rather than end users. Until public awareness changes fundamentally, ransomware will charge ahead at full speed, and so will the otherwise avoidable financial losses.

If this is a war, then the sky is black with metaphorical bombers. Can you imagine the outcry if, during WWII in Britain, people were unaware that they should not open their blackout curtains to look at the planes going over? Equate this to opening dodgy attachments to see what they are, and you begin to see the scale and seriousness of the problem.
