Cyberattacks affect people too – not just machines
- Written by Aaron Bugal, Global Solutions Engineer at Sophos
Ransomware continues to be a growing threat to businesses of all sizes and types around the world. As of 2021, 45 per cent of Australian organisations were hit by ransomware, with some paying ransoms as low as $3 to as high as $1.5 million. These figures coupled with news headlines make it easy to see how ransomware tangibly damages a business on a financial and reputational standpoint, but what isn’t so obvious is the impact ransomware has on its victims on a human level.
The human factor behind an attack
When we hear about an organisation being hit by ransomware, it is easy to forget that there are real people in that organisation being emotionally impacted by the attack – there is more at stake than the financial and reputational standing of the business.
Sophos research indicates that human psychology plays a significant role in how organisations approach cybersecurity. In fact, the confidence of IT managers and their approach to battling cyberattacks differ significantly depending on whether their organisation has been previously attacked by ransomware. Sophos research reveals that ransomware has an impact on confidence: IT managers whose organisations were hit by ransomware are nearly three times more likely (17%) to feel ‘significantly behind’ on cyberthreats than those who weren’t (6%).
The role of skilled professionals in IT has never been more critical, yet it is a well-established fact that the industry is suffering a massive talent shortage. While advances in automation and various other technologies are helping to fill some of those skills gaps, they will never be truly effective without a human expert to protect against human-led attacks. Within six months of an attack, 43 per cent of ransomware victims plan to implement human-led hunting, compared to 33 per cent of those that didn’t suffer an attack.
Recover and rebuild: where to from here?
According to the Australian Cyber Security Centre (ACSC) Small Business report, $300 million is the estimated amunt the country loses to cybercrime annually, yet, almost half of small- to medium-sized busineses (SMBs) reported they spent less than $500 a year on cybersecurity. Moreover, one in five SMBs didn’t know the term “phishing”, with nearly one in 10 unable to explain any of these cyber risks listed in the survey – malware, phishing, ransomware, trojan, key logger, insider threat, drive-by download, spear phishing, person-in-the-middle attack.
As threats evolve, all staff, irrespective of their position or industry they work in must also evolve to help protect the business against attacks. After falling victim to an attack, priorities often shift and businesses have to recalibrate. With attacks becoming stealthier and better at bypassing legitimate security strategies and systems, the value to of human-led threat hunting becomes more prominent.
Cybersecurity is often seen as an IT issue, however it’s important for employees to understand that every one of them is responsibe for maintaining cybersecurity. With human error making up 38 per cent of data breaches, it’s imperative that everyone remains vigilant and educated on cybersecurity best practices to ensure the protection of confidential information.
Although automation undoubtedly enhances cybersecurity measures, it can never truly replicate what a security professional can do. A hybrid approach increases efficiency by handling the mundane tasks and overarching issues letting humans focus on more valuable tasks. Building a stronger security posture by implementing threat hunting solutions can complement the advanced algorithms of next generation security software with 24/7 human expertise evaluating the nuances of an attack in a way software can’t.
