It’s unrealistic to think exposing users to a few hours of security awareness training, conducted at best once a year, will be effective at stopping attacks
Phishing attacks were responsible for as much as 73 per cent of malware being delivered to organisations.
Meanwhile, 77 per cent of all detected ransomware was in four industries – business and professional services (28 per cent), government (19 per cent), healthcare (15 per cent), and retail (15 per cent).
These are among the key findings of the latest NTT Global Threat Intelligence Report released by Dimension Data (which is part of NTT).
The report contains global attack and incident response data gathered from NTT Security and supported operating companies from October 1, 2015, to September 31, 2016.
“Attackers are targeting users more than ever, but it’s unrealistic to think exposing users to a few hours of security awareness training, conducted at best once a year, will be effective at stopping attacks,” the report states.
“End-users are often the biggest risk points, however in New Zealand experts are seeing very little investment in staff education,” says Dimension Data.
This is a concern as phishing is the most likely way a hacker will bring down a New Zealand organisation.
It points out in New Zealand, there are still security teams sitting inside IT and reporting to the IT operations manager.
When a business has a security breach all areas of the business are impacted, not just IT. Security decisions need to be business decisions – if a New Zealand company goes online then it needs to invest in digital security technologies, it states.
The report says the finance industry was the only industry to appear in the “top three most attacked industries” in all six geographic regions analysed.
The next most commonly attacked industry was manufacturing, appearing in the “top three” in five of the six regions. No other industry appeared in the top three more than twice.
Nearly 30 per cent of attacks detected worldwide targeted end-user technology like Adobe products, Java and Microsoft Internet Explorer.
The three technologies found on end-user computers which were targeted most throughout the year were Adobe Flash Player, Microsoft Internet Explorer, and Microsoft Silverlight.
The report finds healthcare organisations were also the most likely industry to obtain incident response support, and about half of their incidents related to ransomware attacks.
This may indicate that attackers have identified health care institutions as a vulnerable target more willing to pay ransom than other sectors, according to the report.
Ransoms are usually relatively low, and organisations can easily afford them. There are, however, exceptions.
In the best cases, organisations can safely restore from an uninfected backup. In the worst cases, organisations can pay ransoms over US$50,000 and not get their data restored, since there is no guarantee paying a ransom will result in decryption.
The vast majority of costs to organisations include being unable to provide service to their customers while the ransomware is in place and embarrassment to the organisation if the ransomware attack becomes publicly known.
Thus, security practices need to be more helpful to users, the report advises.
“Users need help from technologies which prevent attacks from reaching them. Users also need security support which helps users differentiate the malicious from the benign. Users must be empowered to do their jobs while protecting sensitive data. Leaving it all in users’ hands is unfair and unrealistic.”
The report points out security should be considered a basic business requirement.
Security strategy and practice are needed so the organisation can conduct business while safeguarding its sensitive information and ensuring its services are available whenever needed.
Some of the recommendations in the report to reduce the chances of being victimised by phishing attacks in general and ransomware attacks in particular are:
- Check emails, texts, and other messages for any signs of phishing before clicking on links or attachments. Whenever possible, visit the official website directly (by typing in the URL or using a bookmarked URL) instead of clicking on a link. For file attachments, avoid opening them until you can verify they are legitimate.
- If you receive requests which seem unusual in any way, verify their legitimacy before following the instructions. For example, if someone says they are calling from the help desk and they need your password to resolve a problem, get their name and tell them you’ll call them back at your organisation’s main help desk number.
- Don’t download and install new software onto your corporate desktop or laptop unless specifically authorised to do so.
Have a policy for handling ransomware incidents. Decide under which conditions a ransom payment is authorised, if any
- Require regular security awareness training for all users so they are up to speed on phishing, social engineering, and ransomware, especially how to identify attacks, what to do if they need help, and how to report possible attacks.
- Strengthen the organisation’s business continuity capabilities to help ensure quick restoration of operations if a ransomware incident happens.
- Schedule and perform regular assessments in the form of phishing attack simulations emulating real world threats.
- Have a policy for handling ransomware incidents. Decide under which conditions a ransom payment is authorised, if any.
For technical staff
- Use anti-phishing and anti-malware technologies to stop phishing emails, links to phishing sites, ransomware files, and other phishing attack components from reaching users. These technologies should be kept up-to-date at all times.
- Any anti-phishing or anti-malware technologies installed on end user devices should be set up so users can’t reconfigure or disable them.
- Ensure valid data backups are occurring at the predetermined frequency. The data backups need to be well secured, especially if they are kept online, so they cannot be encrypted by ransomware
- Ensure systems can be rebuilt quickly. For example, organisations may keep standard images or baselines for building new systems. If so, these images and baselines should be kept up-to-date at all times.
- Minimise opportunities for ransomware to be installed by giving users the least privileges possible (especially restricting access to administrator-level privileges), and keeping systems fully patched.
- Limit administrator-level privileges as much as possible. Require people to use administrator accounts only when necessary and to use regular user accounts for all other tasks. This reduces the chances attackers will be able to gain immediate access to administrator privileges through a single attack.
Follow CIO New Zealand on Twitter:@cio_nz