Every day, there is news about the latest data breaches, phishing attacks, the number of records that were exposed, and how organizations are not doing enough to protect themselves. All of this information, while relevant, looks at the downside of information security: what organizations, and possibly people, are not doing right. With the new year, let’s take a fresh approach and look back at 2019 to recognize what has gone right in cybersecurity. The cybersecurity industry should not always be focused on FUD (fear, uncertainty and doubt), but on the good, the better and the best.
Over the past year, there have been several events where an organization’s information security program has been beneficial and its policies and procedures can serve as a template for others to follow. Ironically, some of these are easy to implement, like security awareness and incident response programs. This past year, significant events occurred in information security that can make information security professionals proud that security programs are on the right track. Let’s be honest, organizations may be on the right track, but they still have a ways to go.
In the middle of March 2019, an aluminum manufacturer was hit with ransomware that took down its manufacturing systems to the point where it was difficult to complete orders. It’s a general rule of thumb, especially for small and medium businesses, that if you’re unable to produce for several days, there is a strong possibility that you will end up bankrupt or closing your doors. When organizations get hit with ransomware, it’s not good for business. For this particular organization, when its systems were hit with the LockerGoga ransomware, it was shut down for over a week. During this time, it had to restore from backups, which is one of the positive outcomes in this example. The other, besides not paying the ransom to the criminals, was the transparency with which it communicated its incident response operations to anyone who would listen. Press releases, online webcast conferences and open question-and-answer sessions were held daily to inform the media and customers about the situation as the company recovered. While the ransomware attack was unfortunate and detrimental to the business, the quick actions of the security and incident response team, along with the transparency provided by upper management, set the bar for other organizations to emulate in future incidents.
There has been a significant increase in ransomware attacks over the past several years. A better model for ransomware response is an organization's ability to act responsibly and not pay, investing instead in its infrastructure or its procedures so that it can restore successfully and eliminate the ransomware. One reason ransomware has been successful is the anonymity with which attackers receive payment and the ease with which they convince end users in organizations to click on phishing email links and attachments.
With the increase in ransomware, organizations are scrambling to get proper and updated backup procedures in place in the event of an attack. One concern that always materializes within the organization is whether or not to pay the ransom. Paying the attackers will potentially allow the organization to obtain the decryption key and recover its data and files. I say potentially because the criminals do not always deliver the decryption key. When they don’t, the organization is back to square one and must either restore from backup, if it can, or rebuild from scratch.
All that aside, several municipalities and city governments that were hit with ransomware refused to pay the ransom. They either paid to update and strengthen their infrastructure or restored the data from backup. These organizations ended up spending more than the ransom actually requested. They realized they didn’t want to be caught again and subsequently spent the time, resources and money to update their networks and to train their employees on how to spot phishing emails to prevent future attacks. These organizations decided they didn’t want to pay and took it upon themselves to improve their security posture and hygiene through backups and security awareness training.
The best in information security over the past year has been the growing realization among organizations that they need to raise their employees’ security awareness through training. KnowBe4’s new-school security awareness training is a prime example of supporting organizations, as it has increased its customer base from 22,000 in January 2019 to over 30,000 by December 2019. While KnowBe4 is a technology unicorn and sits in the upper right corner of the Magic Quadrant for security awareness training, it’s no mystery that the growth in new customers is happening across the industry with other service providers as well. This is an excellent first step. Security awareness training should not be the cherry on top of an organization's security program, or “cake”; it is the sugar, baked in as part of the strong foundation of a great tasting cake.
Over the past year, there has been a significant increase in malware, vulnerabilities and data breaches. Cybersecurity professionals can look at these attacks and consider using fear, uncertainty and doubt to raise concerns with decision makers and encourage them to invest more in a security program. However, it is important to see how successful security awareness training has helped organizations stay secure and safe. Whether it is transparency during a ransomware recovery, not paying the ransom and strengthening the infrastructure, or reducing employees’ risk quotient by providing security awareness training, these deliver the good, the better and the best capabilities of cybersecurity.