Originally published on 460degrees.com
WE’VE BEEN FOCUSING ON THE WRONG THING
For the duration that a system is encrypted by ransomware, it is almost completely useless. And there’s often nothing you can do about it except ditch the infected system and switch to a backup (assuming that you have one). It’s either that, or you can pay the ransom and hope for the best.
What technologists really don’t want to hear, and something much of the cyber security industry does not seem to have fully grasped yet, is that cybers ecurity risks like ransomware are dependent on, facilitated, and ultimately resolved by human behaviour and decision-making processes.
IT’S NOT JUST TECHNOLOGY THAT WE NEED TO BE INVESTING IN, IT’S THE PEOPLE!
Ransomware is created by humans to deceive other humans into making poor decisions that benefit the attacker at the victim’s expense. Does that sound like something that can be remedied by running software or calling tech support?
Ransomware’s effects are only made possible when a human makes a mistake or is manipulated by virtue of the inescapable fallibility of human cognitive and perceptual processes. When did you last patch your employees and remember to restart them so that the update could take effect?
THE ANSWER IS BEHAVIOURAL CHANGE AND EDUCATION
Ransomware can only really be prevented by improving people’s cyber and technological literacy. Only then will people know when not to click on a link, when they should think twice before they download an attachment and why they should challenge a stranger wandering around a server room with a thumb drive in hand.
To quote the Australian 2020 Cybersecurity Strategy, “one size does not fit all”. You cannot go out and buy a better OS for humans and, even if you could, you would need to buy a different one that was tailor-made for every single employee.
Once computer systems are encrypted, there is a rather severe limit to what anyone can do to try and fix the problem on those systems – it doesn’t matter how great your cyber defensive technology might be, because once a system is encrypted, it’s simply inaccessible. The best computer engineers in the world can’t help you with a system that has been turned into inoperable gibberish; social engineers won this round long ago.
To deal with ransomware, you need to rely on the foresight and decision-making of humans.
OUTNUMBERED AND OUTGUNNED: THE STRUGGLE TO ALTER PERCEPTIONS
Ransomware is a unique threat because it (like all cyber risks) is almost entirely defined by what, how and why people do the things that they do. It is not a problem we can solve with a stream of new technologies.
However, understanding the nuances of human behaviour is not exactly the strong suit of IT or cyber security industries. This might be partly why there has been such a dramatic increase recently in the number of techno-centric ‘solutions’ being brought to market. In this respect, ransomware is in the middle of – and the driving force behind – not one, but two battles that are taking place at the same time.
On the one hand, we have an ongoing battle we are waging against the proliferation of ransomware attacks that must be won at all costs. Stopping ransomware is not a question of cyber security technology, but instead a matter of achieving significant changes in behaviour.
This is a bit like what we imagine it would be like to be on the losing side of a major military conflict when all the commanders are convinced that the best and only way to turn things around is to get more planes, boats, tanks and troops, while studiously ignoring the one voice of dissent in the room who is trying to point out that no one that is put in the driver’s seat of these machines ever receives any training on how to operate their vehicles, weapons and/or equipment.
On the other hand, the public, government and industry have been told for decades that cyber security is a thing that can only be managed with technology. This deeply entrenched perception is interfering with the adoption of the human centric cyber security solutions that those who have read this article know represent the only realistic chance we have of bringing the ransomware crisis to a close. In essence, we are losing the war, and nearly everyone on our side is absolutely convinced that their doomed approach to winning that war is going to work, so anything said to the contrary is dismissed or ignored.
HCCS IS NOT AN ADVERSARY OF TECHNO-CENTRIC CYBERSECURITY, BUT ITS COUNTERPART
Dealing with ransomware is not a matter of picking one approach at the expense of the other.
I am not arguing that human centric cyber security (HCCS) is a silver bullet that can end the crisis all on its own: it’s not. Instead, it represents at least half of that which is needed to establish an effective bulwark against ransomware threats.
But the case for HCCS is off to a bad start, because explaining its value requires making reference to the domain of cyber security that people already understand – and have already invested considerable sums of money into.
This is where a much-overlooked aspect of HCCS needs to be urgently brought to the attention of all: HCCS solutions employ a symbiotic relationship with technology. Indeed, we can say from experience that one of the key strengths of HCCS is that it serves to optimise (and sometimes unlock) the potential of technological infrastructure already in place.
Bottom line: Techno and HCCS need to work together.