Controlling the top cause of ransomware – social engineering


Javvad Malik, lead security awareness advocate at KnowBe4, explains how social engineering is the top cause of ransomware and explores the steps organisations can take to reduce the risk of attackers gaining a foothold in their networks

Ransomware is an increasing thorn in the digital ecosystem, and during the pandemic the world saw unprecedented levels of this attack tactic. From the assaults on various water supply companies, to Colonial Pipeline, to attackers bringing the HSE in Ireland to a standstill, there have been some extremely high-profile ransomware attacks, and also many that have flown under the radar. What’s clear is that businesses of any size are potential targets for indiscriminate cybercriminals. In fact, Emsisoft states that in 2020 alone, $18 billion was paid globally in ransom and total costs were in the hundreds of billions of dollars. Furthermore, Cybersecurity Ventures says ransomware will cost $20 billion in 2021 and is estimated to grow to $256 billion in damages by 2031.

A recent KnowBe4 whitepaper looked at the top causes for ransomware according to industry and vendor reports and it showed that by far, social engineering was the top root cause for allowing ransomware to get into organisations. Social engineering includes tactics like phishing, vishing, and any tricks a hacker can use to get employees to click on a malicious link.

Yet, the top cause of ransomware – social engineering – is also one that can be dealt with immediately to reduce the chances of letting attackers gain a foothold in organisations’ networks. Indeed, with all the press surrounding ransomware at the moment, companies can be fooled into thinking the only way to solve the problem is by throwing a lot of money at technological controls. But because the issues that arise from social engineering cannot possibly be solved by technology alone, here are some tips that companies can put into action right now to increase awareness and ultimately stop many ransomware attacks from taking place.

Dedicate time to security

For smaller organisations, finding time to dedicate to security awareness is likely one of the biggest hurdles to overcome. However, business leaders must realise that cybersecurity has to be a top priority for modern businesses; it should not be viewed as a “nice to have” or a “we’ll do it if we get the time” exercise. Even blocking out an hour a week to address security awareness – whether researching which resources and tools to use, sending out mini-campaigns to staff or working on security policies – will have a big effect on reducing the risk of ransomware and other cyberattacks.

Start with people

Employees can be the biggest asset to any security programme (and also the biggest liability if not properly trained). While creating a full-blown security awareness training programme could initially seem daunting, there are plenty of free or cheap resources out there to help along the way. From training videos to share with staff, to free checklists, articles and even security awareness policy templates, the information is a quick browser search away. It may not come with all the bells and whistles of a subscription or managed service, but it is certainly better than nothing – particularly for smaller businesses – and can immediately help reduce the risk of employees clicking on rogue links.

Take advantage of free tools

From ransomware simulators, to help test the readiness of a company’s network against the most common infection scenarios, to free password checkers to determine the hackability of passwords, there are plenty of free tools online to help organisations ensure they have some of the most basic security hygiene bases covered. Many security companies will also offer free scans or opportunities to tell organisations where their biggest risks lie – even if these do often lead to sales calls, it may be worth the conversation for those struggling to cope with cybersecurity on their own.

Ransomware is one of the biggest threats facing modern organisations of any size today. Importantly, there are some very cheap and even free ways to decrease the risk from this tactic – it’s just a matter of making them a business priority and knowing what to do or which resources to use to reduce a huge proportion of risk stemming from social engineering attempts.
