A new study says that insider negligence is to blame for most ransomware attacks. This really isn’t much of a stretch given that, for the most part, ransomware is primarily installed by users who are tricked into believing it is something else (though the possibility that some of these folks are disgruntled employees remains). The report I’m talking about is the one that Varonis commissions every year from the Ponemon Institute.
While the report was issued back in early August, analysis of it is ongoing. Some additional and very troubling findings from the US and European firms sampled have emerged this week.
A majority of IT respondents, 61 percent, correctly view security as a high or very high priority. The flip side is that 39 percent of IT shops are not on the right page.
However, only 38 percent of users share this belief. In a world where ransomware is largely installed by users, this suggests a level of exposure that should be unacceptable to company boards. Ransomware attacks have hit a broad variety of organizations across both the public and private sectors; hospitals and even police departments haven’t been immune. If employees don’t take these threats seriously, it is no wonder these attacks have been so successful. Employee education to mitigate security exposures is one critical area that currently isn’t being funded or executed in line with the threat.
Productivity Is an Appropriate Security Tradeoff
On its surface, the fact that 38 percent of practitioners and 48 percent of users think productivity is more important than security seems reasonable. However, in the current environment, where one major breach can cripple a firm and ransomware can literally shut it down, trading productivity for an increased chance of a catastrophic event would seem a tad negligent.
Granted, you wouldn’t want to be so secure that users can’t get things done. On the other hand, trading away adequate security just to make a job marginally easier would look incredibly foolish after a major breach or successful ransomware attack.
Data Protection Isn’t a Priority
The fact that data protection isn’t a priority for many organizations is hard to believe given how much we’ve covered things like the Snowden and Manning data breaches and Hillary Clinton’s email. But according to the survey, only 53 percent of practitioners and just 35 percent of users think protecting company data should be a high priority.
This really suggests that a lot of firms have lost touch with the reality of today’s massive data breach exposures, and that they should take corrective action by educating people on the repercussions of a major data breach. My guess is that, given all of the coverage, these kinds of problems are becoming noise. But the fact that big problems are happening frequently doesn’t mean you can just walk away from addressing them.
By the way, this apparently goes all the way to the top: only 35 percent of users believe their top executives think security is a high priority, and only 53 percent of IT respondents think top execs care adequately about security.
In my own experience, some of the worst security offenders were top execs who felt their position in the firm should allow them the “benefit” of not following security rules. I’ve seen several get fired over the years, including one CEO, for getting this wrong.
Users Are to Blame
One thing that both users and practitioners seem to agree on (50 percent of practitioners, 58 percent of users) is that when a breach occurs, the cause is twice as likely to be an inside user as an outside attacker. Today, it largely remains far easier to trick a user into creating a breach than to electronically pound on a firm’s defenses. Most of these users are just negligent, though about a third are intentionally doing their firms harm. I guess they figure that since they are likely to create a breach anyway, they might as well do it right. It is interesting to note that 73 percent of users blame users for data breaches, while IT folks are a tad kinder: only 46 percent of them agree.
This study suggests that, unless things change, many of you will be experiencing a major, public, avoidable breach or ransomware attack in the next few months. The results could change elections, have a major adverse impact on the stock market, or even trigger a war, depending on when and where it takes place.
This study should motivate us to take security more seriously. I’m afraid that, given the declining results, it may instead be prophetic of a disaster yet to come.