In the post-pandemic era, industry and institutions rely more than ever on remote working infrastructure to operate effectively. The health emergency is practically over, but the physical office has changed and is not going back to what it was before: both employees and employers have experienced the benefits of the new way of working, spending less energy and time on commuting and enjoying substantial economic savings.
In parallel, behind the curtain, we are going through a major shift in telecommunications infrastructure: deploying new 5G wireless networks and migrating from bare-metal servers to containers and cloud-based systems. This paves the way for many exciting new technologies such as SD-WAN, network slicing, Industrial IoT and autonomous cars, which will give us better and faster connectivity just about anywhere.
But what about data security? I have been involved in application integration projects for telcos for many years now, and we were never allowed to perform certain tasks remotely; it was taboo to even suggest it, for fear of a security incident. But the pandemic forced us all to do the job remotely and to get prepared for it in record time. Believe it or not, no major security incidents occurred, and many fears dissipated in just a few months. The same happened in many other jobs: people suddenly had to work remotely, and they discovered it was possible to work from home with good results.
But now is the time to take security more seriously and think thoroughly about anything that may constitute a risk for our organizations. With employees geographically spread just about anywhere, the risks are many, and we need to adjust processes, deploy security applications and devices, perform infrastructure security assessments and much more. This time, however, I want to address what I think is the weakest link of the chain… the end user.
We have spent a lot of time and money deploying cybersecurity applications and protection mechanisms to analyze every byte of information passing through our routers, or whole cybersecurity frameworks such as Zero Trust, to try to stop attacks. But in many cases the cybercriminals are not that technically sophisticated, and they prefer to exploit the flank of the unsuspecting end user, applying effective social engineering techniques to accomplish their objectives.
To illustrate this, let’s just consider the ransomware vector, one of the most feared, which has brought many institutions to their knees and generated huge revenues for criminals who collect exorbitant ransom fees to release the victims’ data.
According to the 2022 Data Breach Investigations Report (DBIR), 82% of the cyber attacks this year alone involved a human element.
Phishing through email is still the favorite method of bad actors, because it is the natural way to reach potential victims, and many are still taking the bait. According to the 2022 SonicWall Cyber Threat Report, the world experienced an alarming 105% surge in ransomware cases last year, for a total of 623.3 million attacks. Governments and health care institutions are among the favorite targets.
A simple mistake by an unsuspecting employee clicking on an email that looks legitimate can lead to very serious consequences of enormous proportions. As a matter of fact, there is an ongoing debate about whether these attacks should be considered acts of war, because they can compromise water, electricity, food and fuel supplies, as well as hospital and municipal infrastructure. Aside from these critical assets, they can also put small and medium companies out of business.
So, going back to the human factor, the weakest link of the chain: security awareness training must be in the budget, with the same importance as other, more technical topics. Employees must be trained to understand the consequences of a simple distraction and where it can lead. They must be equipped to recognize the most common risks: using a weak password and having it written on a post-it note stuck to one side of the screen, connecting to an insecure public Wi-Fi network, visiting websites of doubtful reputation, and promiscuously sharing removable storage such as USB dongles and portable drives. When it comes to phishing and ransomware, they need to be able to recognize the typical elements of a malicious email message.
All this can be accomplished with a simple online cybersecurity awareness training course, and perhaps an internal campaign. There are many very affordable options online that allow users to go through the course at their own pace and on their own schedule. It is of utmost importance that this awareness initiative is supported from the very top of the organization and is mandatory in order to be effective.
To put all this in perspective, let’s take a look at five of the costliest ransomware attacks of 2021.
5. University of California at San Francisco – Ransom paid: $1.14 million.
UCSF servers used by the School of Medicine were encrypted by the attackers.
4. Travelex – Ransom paid: $2.3 million.
Its currency exchange service was halted for two weeks, forcing employees to work with pen and paper during that time and causing significant delays.
3. Brenntag – Ransom paid: $4.4 million.
Shut down more than 5,000 miles of pipeline, stranding gasoline and diesel off the Gulf Coast.
2. Colonial Pipeline – Ransom paid: $4.4 million.
Targeted the company’s business network, including Colonial’s billing system, preventing it from tracking fuel distribution and accurately billing its customers.
1. CWT Global – Ransom paid: $4.5 million.
Took down 30,000 computers and compromised two terabytes of data, including financial records, security documentation and employees’ personal information.
All these hard blows started with a simple deception that made a human click on an email that looked perfectly normal, pretending to be an authentic invoice, a utility bill, or a message from a bank they have a relationship with.
You can significantly reduce this risk by raising security awareness among the company’s employees and teaching them to recognize the most common techniques criminals use to entice and deceive victims. Just enroll them in the proper training and, where possible, run an internal promotion campaign for this purpose.
Reinforce the weakest link of your cybersecurity chain; remember, a chain always breaks precisely there.
Victor Plata Mazzotti – MATI, CISSP.