More than 3 years after the world was crippled by the WannaCry ransomware attacks of 2017, the UK’s public sector is still woefully unprepared for another similar attack.
A recent study from Clearswift Research revealed that while some measures had been taken to improve security awareness, the majority of organisations still have enormous cyber threat surfaces, leaving them wide open to a repeat attack.
The survey, which covered over 1,000 employees from UK public sector organisations, found that an astonishing 77% had been given no instruction on how to recognise a ransomware attack. Perhaps even more concerning is that 48% had still never even heard of ransomware.
Considering the WannaCry attacks of 2017 cost the UK’s National Health Service over £92 million and caused the cancellation of over 19,000 appointments across 81 of its 236 trusts, one would think ransomware attacks and security awareness should be at the forefront of public sector thinking.
The ransom message victims received when hit by the WannaCry attacks.
At the time of the attacks, one of the primary weaknesses in organisations (both public and private) was the level of employee cyber awareness. Unfortunately, this is still the case today.
Multiple factors determine a computer’s susceptibility to a ransomware attack, and outdated operating systems and anti-malware software play a significant role. That 11% of respondents are still using Windows 7, which Microsoft officially stopped supporting in January 2020, is rather disappointing.
Another huge factor is phishing emails, one of the most common methods of delivering ransomware payloads. Learning how to spot phishing emails, and being tested on it, should be part of every employee’s regular training in order to protect both their organisation and themselves (phishing emails get into personal mailboxes too). So it is a great shame to see that 25% of survey respondents had never even heard of phishing emails, let alone could point one out.
Regular security awareness training is the most effective way to reduce an organisation’s susceptibility to attacks like these, the key word here being “regular”. Users demonstrate the highest levels of cyber awareness when trained at least once per month. A common approach is simply to offer cyber security training when an employee joins an organisation, with the expectation that they will remember this training many months or years later when they are tested in the real world. Not ideal really.
The report by Clearswift Research confirmed this tactic to still be in widespread use, with only 11% of respondents receiving security training as often as once per month and over 3 times that number trained less than once per year.
If nothing else, huge cyber attacks such as the WannaCry attacks of 2017 should teach us to better prepare ourselves and our organisations. Simply “hoping it doesn’t happen again” is exactly the mindset that allows hackers to damage organisations the world over, year after year.
At Phishing Tackle, we encourage all our readers to learn more about the cyber resilience of their own organisation, even if it is just by using one of our free tools. The Free Click-Prone® Test reveals how many of your organisation’s users are susceptible to falling for a phishing attack, and may just provide the stimulus your organisation needs to reduce its cyber threat surface.
2020 has already proven a challenging year for myriad organisations and a spectacularly successful year for hackers preying on those working from home without adequate cyber awareness.
Don’t let your organisation become the next victim. Take the initiative, train your staff, and prevent the next attack from damaging the lives of you and your employees.