Nearly half of employees in organizations and industries in North America don’t know what to do should a ransomware attack hit their companies, a new Kaspersky study found.
Despite ransomware’s growing popularity among hackers, employees' awareness of how to act in a cyber extortion crisis doesn’t match up. For example, some 37 percent of respondents could not accurately define the term, let alone explain what it means for a computer system to be held to ransom: access to files is restricted and the user is told to pay a ransom to have the restriction removed, Kaspersky said. Of those survey respondents who have suffered a ransomware attack, 40 percent said they would not know the immediate steps to take in response. In addition, 30 percent believe that disconnecting a computer from the internet would be the best first step to arrest an attack.
Ransomware Attacks and Employee Education
Of course, educating and training employees on what to do if they are mired in a ransomware incident is square in the wheelhouse of managed security service providers (MSSPs).
The survey’s results are particularly striking considering that more than one million victims are targeted by a ransomware infection every six months. In 2019, at least 966 U.S. government agencies, educational establishments and healthcare providers were infected by a ransomware attack, at a potential cost in excess of $7.5 billion, according to security specialist Emsisoft. Moreover, ransomware demands by cyber extortionists are staggering. Victims have handed over more than $140 million to ransomware attackers since 2014, a study by the Federal Bureau of Investigation found. And, to date, the average ransomware demand is about $84,000, with one-third of victims paying the ransom, Emsisoft figures.
Because ransomware is a financially motivated attack, many businesses give in and pay the hijackers' ransom demands. The Kaspersky study found that while 39 percent of respondents believe their business organization is responsible for paying the ransom, 67 percent would not be willing to pay anything to recover personal digital files or devices they could no longer access if they fell victim to a ransomware attack. In the U.S., 45 percent of employees would want their social security numbers recovered first, followed by banking details.
Ransomware Attacks: Who Owns Cybersecurity Awareness Training?
Whose responsibility is it to safeguard an organization from ransomware attacks? Nearly seven in 10 of the survey participants believe the onus falls on their company's IT security team.
Refusing to pay a ransom no matter the circumstances is a position Kaspersky supports. “When it comes to the question of paying a ransom, our recommendation is to never pay a ransom, and there are a few reasons for this,” said Brian Bartholomew, the security provider’s principal security researcher in its global research and analysis team. “First, paying a ransom will never guarantee that all of your data will be returned – it might be partially returned or not at all. There is also no way to tell if your information has been sold in underground markets once obtained,” he said. “Second, paying a ransom only encourages cyber criminals to further carry out these attacks as they are one of the most financially profitable attacks malefactors can perform. The more business organizations give in to ransomware attacks, the more we will see them continue to trend in the threat landscape.”
Ransomware Mitigation: Best Practices
Nonetheless, the survey data show that 35 percent of employees in North America wouldn’t know what to do if their organization didn’t pay the ransom and their personal information was at stake. According to Kaspersky, businesses and employees can help to minimize ransomware attacks by following these guidelines:
- Install all security updates as soon as they appear. Most cyber attacks exploit vulnerabilities that have already been reported and addressed, so installing the latest security updates lowers the chances of an attack.
- Protect remote access to corporate networks by using a virtual private network (VPN), and use secure passwords for domain accounts.
- Ransomware is a criminal offense, and you shouldn’t pay a ransom. If you become a victim, report it to your local law enforcement agency.
- Educate employees about cybersecurity hygiene to prevent attacks from happening.
Kaspersky sponsored the survey of some 2,000 adult business employees in the U.S. and 1,000 in Canada on their knowledge of ransomware in the workplace. The study was conducted in November 2019.