Don’t be held to ransom

Our final blog in the series for National Cyber Security Awareness Month focuses on the human factors within Cyber Security covering ransomware and incident management and response.

Cyber-attacks are on the increase with threat actors finding more and more opportunities to exploit vulnerabilities, and businesses are investing more and more in new technologies to try to stop the attacks. According to the Cyber Breaches Survey 2020, over a quarter of all businesses reported a breach or attack relating to malware or ransomware. This number rises when looking at just medium and large businesses where over 40% identify these attacks as an issue.

During 2020 alone the media have reported a number of damaging ransomware attacks and this is only forecast to increase. Even in the last month, the NCSC Weekly Threat Report for 16th October 2020 highlighted a ransomware attack on the cruise operator Carnival.

The cost of ransomware

Cyber criminals will continue to launch ransomware due to the low execution cost versus the possible high rates of return and low rates of prosecution. A ransomware attack can be catastrophic for businesses, with the odds stacked firmly in favour of the attacker. An attacker only needs one opportunity to gain access to systems and data. The cost to you is not only the impact of retrieving control of your data, it is also the downtime, recovery, and reputational damage to your business.

Human factors in cyber security

Human behaviour is fundamentally goal and task-driven. The majority of users will choose productivity over security, and generally this is a direct reflection of the environment in which they work. Therefore, your information security strategy has to promote a security-conscious culture based around individual awareness and personal accountability for conduct. Organisational behaviour is key to changing and challenging organisational culture and this begins at board level.

The human factor of cyber security is essential especially when creating and implementing policies and processes around mitigating incidents and should not be underestimated. To quote the National Cyber Security Centre (NCSC):

“The way to make security that works is to make security that works for the people.”

Are the right processes in place?

Do your employees know what to do if they think they have or actually have been a victim of a malware or ransomware attack? Has their awareness training covered not only what to look for, but what steps to take if the worst-case scenario has happened? Do they know who to report the incident to? When people are faced with a stressful incident they will immediately go into fight or flight mode. Having the right processes in place is key as it provides focus and details on the steps to be taken. And not only are the right processes important for the user who may have initiated the incident, but also the security staff who will be responsible for dealing with the matter.

Creating incident response playbooks

Businesses need to ensure they have thorough but easy to follow steps for incident response. The best way to achieve this is the use of playbooks. There are different approaches which can be used to create playbooks but, fundamentally, they should provide sufficient guidance and process so that any incident can be dealt with in a consistent and timely manner, which will also help to prevent further incidents. The use of playbooks takes away the worry and responsibility from security staff trying to work out what to do next, particularly in a stressful situation such as a ransomware outbreak. Playbooks should be used for all incidents, regardless of severity. The reason being their use becomes second nature for your staff and in the event of a serious incident, reinforces the action of reaching for the playbook to determine the next steps.

Preparation is the key to incident response

As with other security policies and procedures, the key to an efficient incident response plan is good preparation. It is essential that individuals who are critical to the success of the plan are briefed on the tasks they are or may not be expected to undertake. Another important task is the testing of the plan and the playbooks. Obviously, you don’t want to be testing these during a real-life ransomware attack. There are various different ways to check the efficiency of your plan including table-top exercises and simulated events. It is worth considering having a person responsible for note taking during these exercises. You want to document what works well, what doesn’t and what needs to be improved. Once the testing has completed, your plan should be amended to include these “lessons learned”. Having an inclusive security strategy and culture will bolster your resilience to attacks.

Invest in awareness training

Consistent awareness training must be invested in, as well as ensuring the policies and processes you are asking users to follow are fit for purpose, otherwise, workarounds will be sought. Ask yourself if your security “works for the people”? Also, by educating staff on threats such as malware and ransomware you are helping to protect your business. Now more than ever, with remote working becoming the norm and the increase of the use of BYOD, threat actors are looking for new ways to gain access to your data. As businesses, we have a responsibility to educate our employees in this connected world, remembering that cyber security is for life, not just for October, and this change in culture starts at the very top of your business.

How can Nexor help?

Nexor’s experienced cyber security consultants can work with your business to develop effective incident response plans, create playbooks and implement a testing schedule which is specific to your own requirements. Get in touch with our consultants today.



Author Bio – Dawn O'Connor

Dawn O’Connor is an associate of Nexor with an extensive business background across different market sectors including retail, local and central government and law enforcement. She is a member of the Chartered Institute of Information Security and co-chairs the Nottingham/Derby/Leicester Branch.  Dawn holds the Certificate in Information Security Principles and the ISO 27001 Foundation certification.



Be the first to know about developments in secure information exchange