Every country will have its ‘HSE moment’, when the general population is left in a state of shock at the sheer devastation a ransomware attack can cause. The Irish health system is still reeling from the after-effects of its own, and if the rumours are true, the decryption tool was only handed over because the attack brought both heat and bad PR to the criminal organisation behind it.
It is believed that this entire event was set in motion by a single employee clicking on a link in an email. So how does an organisation such as the HSE prevent this from happening again? Yes, they will be updating, replacing and upgrading IT systems: servers, workstations, kiosks, switches, firewalls and so on. Those projects will be of huge scale, and the already weary, hard-working IT teams have a long road ahead of them.
But the obvious question that will be asked of, and within, IT is: “How do we stop staff opening an email like that again?” You can argue about why the email got through in the first place, but no email security solution is infallible. No employee is either, for that matter, and that is exactly why their help matters so much: the hardened infrastructure catches most of the threat, and staff are the control for what slips past it. The next step, then, is a permanent and sustained campaign of cybersecurity awareness training.
Most employees have sat through manual handling courses, first-aid training, Safe Pass and health and safety meetings, but few have ever taken part in cyber training. If the inbox is the biggest threat to the business, then the casual way staff use it has to change. Businesses must adapt and all but weaponise their response so that staff understand how real the threat is. The solution IT.ie offers its clients, for example, automatically and perpetually phishes the employee. It has to be perpetual and consistent because the habit being built is to question every email and to click nothing out of curiosity; a one-off test trains nobody. The same solution enrols staff on training courses and brings a sense of gamification to the organisation that puts the focus back on the inbox. Any employee identified as a potential risk, for instance by repeatedly clicking simulated phishing links, is enrolled on the appropriate training courses.
Crucially, meaningful reports go to IT and/or management, who can then make informed decisions on what to do next based on the data in front of them rather than on guesswork.
The threat of ransomware does not dissipate. It is relentless, and businesses will have to adapt by changing employee attitudes so that email is treated with the care it needs. A good cyber awareness campaign challenges every employee; it does not wait for them to challenge themselves.