Plain English cybersecurity advice in 3 articles, 2 statistics and 1 action

This week: Ransomware is not just about backups, Connecticut is incentivising firms to improve their cybersecurity defences, and Human Intelligence still beats the tech.

This week’s action: Hug your staff!

>>>>> THREE ARTICLES <<<<<

1: Ransomware is not just about backups. It’s about business disruption. You need to survive the disruption.

This blog post by Forrester reminds us that recovering from ransomware is not just about restoring backups. It’s also about surviving the downtime while systems are being restored.

“When hit with ransomware, [the victims] need to choose between indefinite suspension of critical business processes or paying the ransom. Shutting down a crucial resource for an indeterminate amount of time is simply not a sustainable option for a business, and it backs [victims] into a corner, where their only option is to pay up.”

Their recommendations include:

  1. Strong passwords
  2. Multi-factor authentication
  3. Check your backups
  4. Restrict the use of privileged accounts (e.g. accounts with administrator privileges)
  5. Update and TEST your incident response plan
  6. Up-to-date patching and anti-virus / endpoint protection
  7. Block dangerous file attachments from reaching inboxes.

One critical recommendation that is missing? Staff awareness training & testing. In many (most?) attacks, the initial entry point is a staff member being fooled by an email.

Read more: https://go.forrester.com/blogs/ransomware-survive-by-outrunning-the-guy-next-to-you/

2: Artificial Intelligence is still no match for Human Intelligence

This article published by a security training and testing vendor may be biased, but that doesn’t make it wrong.

“The value of humans, our fellow employees, in phishing defense has been a hotly contested topic for quite some time.[..] For a user to click on a link in a phishing email, the email first had to get past our [..] organization’s security technology.

[..] Here lies the crux of the argument: People are not perfect; but neither is technology. [..] Technology is great for dealing with standardized problems. When the complexity increases exponentially, however, human intelligence stands a better chance at inferring malicious intent. Additionally, humans can scale, each applying a unique intelligence.”

Everyone is talking about AI (artificial intelligence). But we continue to undervalue HI (Human Intelligence). We continue to undervalue our staff’s ability to spot nuances and red flags that pass the technology by.

Humans might be your greatest security weakness, but they can also be your greatest, most dynamic, and most intelligent security defence.

Read more: https://cofense.com/value-human-intelligence-phishing-defense/

3: A shield from data breach liability if you adopt and maintain approved levels of cybersecurity

Here’s an interesting approach to encouraging firms to take cybersecurity seriously: A law has just been passed in Connecticut that shields “businesses from liability for data breaches as long as they adopt and maintain approved cybersecurity protocols”. I wonder whether there was a behavioural scientist behind “legislation designed to incentivize companies to strengthen their network defenses with the promise of protection against certain lawsuits”.

Adopting a recognised cybersecurity framework reduces the risk of a successful cyber-attack, but now it could also reduce the cost of the lawsuits you’d face in the event of a successful attack. Connecticut could be on to something here.

Read more: https://www.hartfordbusiness.com/article/lamont-signs-bill-offering-companies-a-shield-from-data-breach-lawsuits via https://securethevillage.org/news

>>>>> TWO STATISTICS <<<<<

1: 5 years

The NoMoreRansom.org website has now been in existence for 5 years. It provides 120 tools that can decrypt up to 150 types of ransomware, and these tools have been downloaded over 6 million times. As Graham Cluley says, “There’s no guarantee that the ransomware your computer has been hit with can be cured through the tools available, but every little helps – especially if you find yourself in the sticky pickle of not having kept secure backups of your important data.”

Read more: https://grahamcluley.com/no-more-ransom-website-celebrates-five-years-of-providing-free-ransomware-recovery-tools-and-advice/

2: 75%

According to HP, email is still the most popular way for malware and other threats to be delivered, with more than 75% of threats being sent through email messages.

Read more: https://www.zdnet.com/article/hp-finds-75-of-threats-were-delivered-by-email-in-first-six-months-of-2021/ via https://ISACA.org

>>>>> ONE ACTION <<<<<

1: Remind your staff about how special they are

HP claim that 75% of threats arrive via email – to spin that another way, your staff could prevent 75% of threats.

Humans can spot things that technology can’t, but they need training and support. You have plenty of Human Intelligence in your organisation – use it.

Remind people about how they are targeted, show them examples of current scam emails, tell them what to do if they receive an email that they are unsure about.