The first half of 2021 has already seen a 102% increase in ransomware attacks compared to the beginning of last year. And it was reported on the news just this week that ransomware is up over 200% from 2020. Those numbers are mind-blowing and underscore the critical need to defend against ransomware and other cyberattacks.
Even when hackers enter an organization through its email system, the impact can extend to physical security, meaning the machines and process lines in production facilities. As we are all aware, disrupting production lines can have devastating or even deadly results.
We are seeing just how defenseless the United States is against cyberattacks. The White House recently issued an open letter urging companies to treat the threat of ransomware attacks with greater urgency, saying companies that “view ransomware as a threat to their core business operations rather than a simple risk of data theft will react and recover more effectively.” We are the strongest country in the world, and yet we are being made to look like fools.
Security professionals like myself have been warning leadership about these threats for years, but were repeatedly told that “we have not been hit yet” and “no one knows who we are,” so the funding went elsewhere. These attacks should not be a surprise to anyone. The ironic part is that we are on the brink of a cyber 9/11 type of attack.
We know that most ransomware is distributed through phishing attacks, which gives the hackers broad access to a company’s systems. Organizations need to embrace training their employees. The responsibility lies at the executive level of the organization, up to and including its Board of Directors.
Cyberattacks as we once knew them were infrequent events, but now we are being hit by foreign adversaries on a daily basis. These events are impacting our everyday lives – whether it is the Colonial Pipeline attack driving up fuel prices and prompting panic-buying, or the attack on JBS that will raise the price of meat and create a slowdown and another round of panic-buying. But well before that, hospitals, municipalities, and organizations of every type were hit by social engineering attacks that at times ended in ransomware.
In reality, as soon as we post information about one attack, like clockwork another organization is hit. No organization in the world is secure anymore, and we all sit here waiting to be sucker-punched! We need to start thinking about how the United States and countries around the world are going to address these criminal actors. Countries must not be allowed to serve as safe harbors for criminals; they must be punished for doing so.
It is hard for organizations to have perfect defense every day, and we all must strengthen our security defenses to reduce the blast radius. Security awareness training is a critical component of that effort to defend against ransomware.
Once again, I will repeat my training mantra – Phish – Train – Remedial Training – Repeat.
Author: Suzanne Gorman, CISSP, CRISC
Vice President, Information Security and Risk Management Evangelist at GLS