Ransomware remains at the front line of cyber attacks. According to the 2022 Data Protection Trends Report, only 24% of companies were not attacked by ransomware.
The report also found that the most common entry points are malicious links, insecure websites and phishing emails.
This is echoed in a recent Statista analysis that found 66% of global organisations were victims of a ransomware attack in 2022, with Austria coming in at the top with 84%, followed by Australia at 80% and Malaysia at 79% – South Africa sits near the bottom at 51%.
“The message is clear – ransomware is another form of cyber attack that is not going anywhere and has no silver bullet to stop it,” says Anna Collard, senior vice-president: content strategy and evangelist at KnowBe4 Africa. “The only way to protect the business against cyberextortion is to do the hard work of ‘security in depth’: ensuring that you embed layers of security throughout the business.”
The first step to minimising the threat of ransomware is to create a culture of security within the company, she says. This goes beyond a few posters and emails warning employees about the risks and encouraging them to use good passwords. It is about ongoing awareness and training that embeds vigilance into everyday behaviours and approaches.
People need to understand that security is not something mandated by someone in IT who does not appreciate how much work they have to do or how frustrating it is to jump through multiple security hoops when they are on deadline.
“It is easy for employees to grow lazy with their passwords and managing their two-factor authentication protocols or recognising phishing emails,” says Collard. “When you are tired or under pressure, you do not want to have to enter in a 24-letter password or repeatedly authenticate your identity, you want access to the system so you can get your job done. However, as much as security can be tedious and frustrating, a compromise is even more so. This is why training is important.”
When employees understand the knock-on impact of a breach, such as cyber extortionists stealing or encrypting all their files, they are more likely to practise good security hygiene and pay attention to the protocols. If they are given the right level of training, and if this training is reinforced on a regular basis, they will also be more likely to detect phishing and social engineering attacks.
“If you consistently remind people of the role they play in keeping the company secure, then they will be more engaged with security and keeping up their end,” says Collard. “Of course, training and awareness are only one side of the coin. It is also critical for the company to have robust security in place across endpoint detection, threat detection, incident response processes, patch management and cyber insurance.
“Minimising the risk of ransomware is not a single approach – it is layers of security from the people level all the way through to email, firewalls, protocols, processes and insurance. Every element playing a role in mitigating the threat and, should the worst happen, minimising its overall impact on the business.”
Ransomware is not going away. It is getting smarter and more invasive, and the criminals behind it more intrepid in their approaches. The Veeam report found that 24% of companies that pay the ransom never recover their data. It is a growing threat that is aggressive and complex, so companies must prioritise a holistic security approach to reduce both the threat and its impact.
“Do the training, invest into the security, but, most importantly, be prepared for the worst,” says Collard. “It is the best strategy for any business wanting to protect its assets and its environment.”