Colin McTrusty | May 23, 2017

WannaCry Exposed Organizations' Weakest Link: How we Make it Stronger

In just a few days in mid-May, the world seemed to go into meltdown as a now-infamous ransomware campaign locked down hundreds of thousands of endpoints. From the NHS to Deutsche Bahn, Telefonica to FedEx, it seemed like no organization was safe.

While the true scale of the WannaCry epidemic has yet to be revealed, the cybersecurity industry should already be learning from the incident, to make sure it’s never repeated.

Yet to fully insulate themselves against the threat of devastating cyberattacks like this, organizations will need to do something pretty challenging; turn their weakest link – their employees – into their last line of defense. This will require a new approach to user education, to effect real behavioral change.

Simple and effective

WannaCry was both a complex and devastatingly simple attack. Although details are still emerging, we know that it leveraged two NSA exploits recently made public by the Shadow Brokers hacking group: EternalBlue and DoublePulsar. The latter is a backdoor exploit used by the hackers to provide easier access, while the former exploits a critical Windows Server Message Block (SMB) vulnerability (MS17-010) to spread the threat out to other computers on the internet and laterally inside a victim organization.

Once files on the victim network are encrypted, the hackers ask for around $300 in Bitcoin in return for providing a decryption key. Failure to pay could mean organizations lose access to these files forever. Even for those who have backed up, the process of cleaning up infected endpoints and networks and restoring data can be time and resource intensive, putting systems out of action for days. The NHS has suffered more than most, with scores of Trusts reporting problems in the UK, affecting patient care.

In the aftermath, many have questioned why so many organizations either hadn’t patched the key bug exploited by WannaCry, or were running unsupported systems like XP. In truth, there’s a more important issue at play - early reports suggested that the threat first arrived on machines because users clicked through on phishing emails. If organizations want to mitigate the threat from WannaCry and other cyber-threats, they must therefore address this challenge, and that can only be done by focusing on continuous employee education.

The problem with phishing

Phishing is on the rise. Verizon’s latest Data Breach Investigations Report claims the tactic was present in 21% of attacks last year, up from just 8% in the previous 12 months. In fact, 2016 saw over 1.2m recorded phishing attacks worldwide, up a whopping 65% from 2015, according to the Anti-Phishing Working Group. This has severe implications for the IT department. New and as-yet unpublished research from Wombat revealed that, nearly one in five (19%) phishing attacks that respondents experienced were received on a work device.

Plus, end-users are more likely to fall for a corporate-themed email than a consumer-based phish. A template called “Message from Administrator” had the highest average click rate of 34%, according to our State of the Phish 2017 report.

What does this tell us? Certainly, there’s still a worrying lack of awareness when it comes to phishing. Our upcoming consumer research on this tells us that over a quarter of people either don’t know what phishing is or think it’s something else. On the other hand, there’s also evidence to suggest some users are over-confident, believing they’re smarter than the phishers.

These problems are compounded by the fact that attacks are getting more sophisticated.  For example, people need to be wary of the fact that flawless spelling and grammar are now far more common in phishing emails, adding further authenticity and helping such attacks to evade spam filters.

Such attacks show phishing not simply as a vector for ransomware, but the first stage in a potentially devastating data breach or cyber espionage raid. Nearly two-thirds (61%) of UK and US firms we spoke to claimed to have experienced spear phishing last year.

Engaging users

Technology filters are undeniably important in the fight against cybercrime, but IT and security bosses should be in no doubt: the decisions that employees make every day on your network could make or break your organizational cybersecurity. A third of organizations that we polled in 2016 claimed they’re still not measuring their susceptibility to phishing. Measurement is a vital first step to any education program, helping to set goals and baselines.

Ensure that whatever simulation tools you use to test employee awareness are highly customizable and are regularly updated to cover a wide range of current attack scenarios. Remember: continuous training is the key to success. Keep lessons short and sweet so they’re easy-to-digest and pepper them multiple times throughout the year, via brief, focused computer-based training modules which focus on specific topics and provide immediate feedback. These Learning Science Principles have been proven to offer the best chance of engaging learners and changing their long-term behavior.

If the events of recent days have taught us anything, it’s that an organization’s very important last line of defense against the ever evolving security threat landscape should be its employees.