Protecting the human attack surface from the next ransomware attack

As we head into 2021, ransomware is making another resurgence, particularly in targeted attacks from highly organized hacker groups. In fact, cybercrime is surging since the start of the pandemic.

When IT and security professionals plan how to respond, they must not underestimate the degree to which many of the transformative changes to our working patterns enacted due to COVID-19 have already changed our risk of ransomware attacks.

After the first “shelter in place” orders were issued, many organizations swung into action to accommodate work-from-anywhere policies. The ability of these teams to accommodate their businesses and the flexibility in modifying working practices which, in some cases, had been set in stone for years, was remarkable.

Now, many organizations are assuming a more distributed and hybrid workforce as their new normal in order to provide resilience, agility and a far broader reach in the battle for talent. However, this change has led to an uptick in focused ransomware campaigns by targeting the “human attack surface” of such organizations in a more subtle, insidious manner.

In a survey of 582 information security professionals, 50% say they do not believe their organization is prepared to repel a ransomware attack. Adding to this, 75% of companies infected with ransomware were running up-to-date endpoint protection. Covering each and every endpoint is no longer enough to guarantee security. In order to protect organizations from the next big ransomware attack, security teams must invest in protecting the human attack surface and understanding the enterprise technology habits within its organizations that make it most vulnerable.

We know that hacker teams leveraging ransomware are highly aware of the way that human behavior can make an attack more successful and profitable. For example, a high proportion of ransom triggers — the final stage of a ransomware attack where the data on infected systems is rendered inaccessible through cryptography — is launched on the weekend, when the organization’s staff are least able to respond. Ransomware is not just about the technology, but also about deployment tactics.

The threat model changes for an organization with a newly distributed workforce, with human error creating additional vulnerabilities. Instead of accessing an enterprise’s critical systems and customer data from a small number of secure corporate offices, the attack surface now extends to the private residences of thousands of employees.

Putting aside the network and endpoint security challenges, we need to think about the differences between the focus we used to carry into the workplace and our lives at home, surrounded by our loved ones and multi-tasking between professional and personal demands.

In such a scenario, the human attack surface extends to employees who aren’t necessarily in the same state of mind as they would be at the office, where focus can be more intense and the atmosphere more professional. And this behavioral change is what cybercriminals are targeting with the phishing emails that constitute the initial penetration phase of a ransomware attack. They are relying on a momentary lack of focus in order to begin a successful attack.

Financial institutions in particular are stepping up and addressing this challenge in two major ways. First, since this is a people problem, we need to develop and sustain better work-from-home practices and policies and ensure they are shared across the organization. Practices such as drawing boundaries between the personal and the professional are vital in this respect (for example, ensuring that employees do not begin to conduct personal business on company email accounts).

Second, organizations are adopting methods to ensure that employees’ relationships to critical company systems are better understood and permissions reduced using the principles of least privilege. Identity and access management has long been a general weakness within many enterprises, which was accepted due to the complexities involved in managing access over time, such as addressing “permission bloat” as workers move between roles.

In a world where the attack surface is now extended to thousands of homes, businesses require better visibility, governance, and access management in order to reduce the paths through which malware can propagate to critical systems and data stores. And this imperative extends beyond user to application access to application relationships that are often the second or third hop in a ransomware attack. This is the impetus for many new zero trust projects launching in 2021.

The move to a more distributed workforce has brought many blessings and is likely to become part of the new normal. However, when it comes to addressing the challenges of the human attack surface, prevention is better than double extortion attempts or the millions of dollars in damages caused by a single breach.