You’ve just logged out from your work laptop and have met your deadline for an important webinar that is scheduled for the next day. An hour later, you get a response from your manager. You also notice another email you were expecting from a third-party vendor. You click it but it leads you to a blank web page, and without investigating much, you close your laptop and head off to sleep. The next day, you are unable to use your laptop. The screen only shows an extortion dialogue box. The only call you can now make is to your security team.
Sounds familiar? You are not alone.
The Deep Instinct Ransomware Report quantified ransomware attacks to $11.5 billion in damages in 2019. The State of Ransomware 2020 by Sophos revealed that 82% of Indian organisations were targeted by ransomware in just the first six months of the year. For example, the Maze ransomware has wreaked havoc during the ongoing pandemic. Cognizant and LG Electronics, to name a few, have fallen prey to this ransomware in just the last few months. Not just ransomware, Covid-19 has brought out the creative best in hackers with phishing tactics too, to bait customers into crypto extortion.
Hackers have stayed a step ahead in harnessing human emotions to their benefit, which might be why employees are considered the weakest link in an organisation's cyber defence strategy.
Why are employees not bothered by cybersecurity?
There is a simple reason that humans act the way they do. Cybersecurity isn’t a tangible presence in their ecosystem... till it happens to them! This is because of something called the “personal fable effect” or optimism bias. Humans innately believe that nothing can happen to them, even if the rest of the world is crumbling. We all prefer the path of least resistance and this tendency spills over to our cybersecurity habits and hygiene. There is, after all, a reason why 12345 and “password” still top the list of most used passwords year after year. Breaches target such inherent flaws in the human psyche.
On July 3, 2020, the USCYBERCOM cybersecurity page tweeted an alert: "URGENT: Patching CVE-2020-5902 and 5903 should not be postponed over the weekend. Remediate immediately." It was in relation to the BIG-IP vulnerability, a security bug deemed so severe that it received a severity score of 10, the highest on the CVSSv3 [Common Vulnerability Scoring System version 3.0] scale. Even so, note the urgency with which they had to plead for something as simple as updating a piece of software before the weekend to prevent a disaster.
How do we overcome this?
Cybersecurity has evolved from reactive to proactive. However, with the pandemic forcing most organisations to shift to remote-working scenarios, the time has come to alter the approach and make it "predictive": read the psyche of your most valuable resource, humans, and understand why they behave the way they do.
How do you evolve your cybersecurity plan?
According to Gartner, India sold 151.9 million units and became the second-largest seller of smartphones in 2019. With the forced work-from-home scenario, are security teams sure that no proprietary data gets pushed on to unsecured mobile devices? Even a single employee accessing their work email from a mobile device that is, perhaps, not secured by encryption could bring your enterprise crashing down.
Why then, is our cybersecurity philosophy still so computer-centric?
How do you make your cybersecurity robust for the current times?
First and foremost, understand that any training that is too difficult tends to be rejected by the human mind. The value of foundational security concepts remains siloed within esoteric technical discussions. It is essential to make the fundamentals, such as encryption, usable and legible. Remove the abstractness and embrace simplicity.
There need to be clear visibility and evaluation parameters to check which employees lag behind and how. An individualised approach is superior to bombarding every employee with all the material. Businesses should also start working with cyber risk quantification platforms that give a score, so that the risk posture is easy to understand. This should be a real-time, predictive, objective and mobile-device-led approach that converts each of your employees into a cybersecurity asset.
Gamify micro-learning content, from how to securely use WhatsApp and Netflix to why one should regularly update their operating system. Remember that in 2017 the WannaCry ransomware became a sensation perhaps only because an employee did not apply the patches that Microsoft had shared.
With research suggesting that 41% of employees will continue to work from home beyond the pandemic, our cybersecurity playbooks must be robust enough to accommodate the pace at which this already dynamic industry is growing. As Winston Churchill said, "Never let a good crisis go to waste." Let us use this forced experiment to our advantage and turn a chink in our armour into our strongest defence.
Views are personal. The author is co-founder, Lucideus.