Email + Web Security Gaps = Ransomware Risk
Companies are responding to ransomware risk by investing in employee training, email protections and web security, a new survey shows.
- Phishing emails are the No. 1 way that ransomware infects company systems.
- A second, often related source of infection is inadvertent downloading of ransomware by employees from malicious websites.
- Sixty percent of companies around the world already train their employees about email’s risks; 30% use fake attacks to encourage employee awareness.
If a genie walked up to a company’s cybersecurity team and offered to grant two wishes, the first request would probably be to eliminate all phishing emails. Then the team would ask that employees be magically and permanently protected when they’re on the web.
If only it were that easy.
Phishing emails and poor web security are among the biggest sources of attacks, according to a recent Mimecast survey on ransomware preparedness in eight countries. Fifty-four percent of those taking the survey said their companies had received phishing emails with ransomware attachments. And 45% said ransomware had gotten into their systems when an employee visited a malicious website, lured there by a phishing email.
Ransomware Payments Balloon
Ransomware is a well-known and increasingly costly problem. In the first half of 2021, the average ransomware payment jumped to $570,000, from $312,000 in 2020, according to a recent report.[i] Downtime and recovery can add to the cost, whether ransom is paid or not. And then there’s the burden on management time: 85% of security executives spend at least a quarter of their day protecting against ransomware attacks, according to Mimecast’s survey. For one in six security executives, ransomware is all-consuming; that group of respondents spends 75% or more of their day on ransomware protection.
To think about the many forms that phishing attacks take is to immediately grasp how vulnerable companies are through their email. The sender can appear to be a relative, your boss, a vendor or an official government agency. There is often a “tell”: an unfamiliar tone of voice, poor grammar, uncharacteristic spelling errors. However, not everyone is sensitive to these signs. And in a company of 50, 5,000 or for that matter 50,000 people, it only takes one person clicking on a malicious email to create a time-consuming and costly problem.
Ransomware Prevention Starts With Web and Email Security
Web security was seen as the most crucial technology in preventing ransomware attacks, with 47% of the Mimecast survey respondents citing it as critical to their efforts. Endpoint protection, which secures devices such as laptops and mobile phones, was mentioned by almost as many security professionals (45%). The next most-often-cited tool (at 40%) was security awareness training, which includes teaching employees to recognize the signs of suspicious emails.
These three areas were also where security professionals said they would be making their biggest ransomware-fighting investments in 2022. Also on security professionals’ investment lists are email-specific technologies. For instance, 38% say they expect to invest in a dedicated secure email gateway in the next 12 months, and virtually the same number (36%) say they will invest in the capability to add warning banners to suspicious emails.
The Mimecast survey was conducted in September 2021 and had 742 participants.
In many cases, the ransomware-fighting investments that companies plan to make in the next 12 months are continuations or follow-ons to existing investments. Three-fifths of respondents said they already train their employees to recognize suspicious emails. A slightly lower but still significant number (48%) said their companies scan incoming emails for malicious links. Forty percent of all companies already use warning banners to flag suspicious emails.
And in a twist on the age-old idea of gathering employees at the elevator for a fire drill, 30% said they test their employees with simulated phishing attacks.
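The two email-side controls named above (scanning incoming mail for malicious links and risky attachments, and adding a warning banner to suspicious or external messages) can be illustrated with a small gateway-style check. This is an added example, not code from the survey or from any Mimecast product; the company domain, the extension list, the banner text and the sample message are all constructed assumptions, and the anchor-tag matcher is a simplification of real HTML parsing.

```python
import email, re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

INTERNAL_DOMAIN = "example.com"  # assumed: the company's own mail domain
RISKY_EXTENSIONS = (".exe", ".js", ".vbs", ".scr", ".hta", ".iso")  # executable types often used as droppers
BANNER = "[EXTERNAL] This message came from outside the organization. Do not open attachments or follow links you did not expect."
LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)  # simplified anchor matcher

# Constructed sample: external sender, an executable disguised as a PDF, and link text that hides its real target
SAMPLE = b"""From: "Payroll" <payroll@mail-notice.test>
To: staff@example.com
Subject: Action required: updated invoice
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Please review: <a href="http://files.badhost.test/inv">https://portal.example.com/invoices</a></p>
--b1
Content-Type: application/octet-stream; name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"

not a real binary
--b1--
"""

def _host(url):
    return (urlparse(url).hostname or "").lower()

def risky_attachments(msg):  # filenames whose extension is on the risky list
    return [p.get_filename() for p in msg.iter_attachments()
            if (p.get_filename() or "").lower().endswith(RISKY_EXTENSIONS)]

def mismatched_links(msg):  # (visible text, href) pairs where the shown host differs from the real one
    html = msg.get_body(preferencelist=("html",))
    found = []
    for href, text in LINK_RE.findall(html.get_content() if html else ""):
        text = re.sub(r"<[^>]+>", "", text).strip()  # strip inner tags from the visible text
        if text.startswith(("http://", "https://")) and _host(text) != _host(href):
            found.append((text, href))
    return found

def scan_message(raw):  # apply the checks to one raw RFC 5322 message and decide on a banner
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    result = {"external": sender_domain != INTERNAL_DOMAIN,
              "risky_attachments": risky_attachments(msg), "mismatched_links": mismatched_links(msg)}
    result["banner"] = BANNER if any(result.values()) else None  # anything flagged gets the banner
    return result
```

A real gateway would act on the result (quarantine, strip the attachment, or rewrite the body with the banner) rather than just return it; the checks here are the part a reader can run on any saved .eml file.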
Containment vs Eradication
For the moment, ransomware would seem to be more a matter of containment than of eradication. The data marketing company TechTarget reported that the number of ransomware attacks nearly quadrupled in the second half of 2020 compared with the first half of that year, as the pandemic caused more people to rely on virtual communications. This is an area of technology in which there is no magic and no genie to grant any wishes. Only better processes, increased vigilance and improved technology can keep companies out of trouble.
Pop Quiz: Can your employees tell a phish from a legitimate email?
The website of the U.S. Federal Trade Commission[i] lists the tactics that scammers use to break through with a phishing attack. Which of the following is not cited by the FTC as a possible sign of a phish?
Answer: “d.” In the informal ethos of online communications, first-name solicitations are common. In fact, using people’s first names is the default of many of the best-known online companies.
All the other attributes are common signs of a phish, according to the FTC.
The Bottom Line
Employees opening attachments in ill-intentioned emails or unwittingly downloading malicious code from the web represent the two biggest causes of ransomware attacks. Companies understand these vulnerabilities and seek to counter them through a variety of means, including by training their employees and by deploying email and web security technologies.
[i] “Extortion Payments Hit New Records as Ransomware Crisis Intensifies,” Palo Alto Networks