The statistics in this article are disturbing on every level and add even more weight to the argument for improved end user awareness training across the board. Obviously, KnowBe4, as an awareness training company, wants to emphasize that point, but it does not make the truth any less concerning.
I believe the simple answer to the title of this article is profitability and ease of use. Much of the ransomware we see in the wild is spread by spam and targeted phishing attempts. These messages have a relatively high infection rate because end user training is still lacking in many organizations. Weak backup and recovery solutions force many organizations to pay the ransom in hopes of recovering data, making the attack quite profitable. At the end of the day, we, the end users and support professionals, have made ransomware the successful attack it has become. We need to take back the high ground by implementing better controls and better education.
Fantastic new content from SANS and Securing the Human. I highly recommend these resources for any user awareness programs you may be developing.
I fully endorse the fundamentals laid out in this article. One of the greatest successes I have had as an IT Security professional in the realm of security awareness training was when I was able to start from the home and work my way out for the people in training. When it becomes a conversation about personal security, employees become more receptive. Then you can shift the conversation to how that security applies at work and it all clicks. I highly recommend starting security at home, through both practice and encouragement.
This article makes a strong argument against the “all eggs in one basket” approach to security in terms of browser-based encryption. SSL and TLS are certainly valuable tools, but luring consumers into a false sense of security by simply conditioning them to look for the little lock in the browser session does no one any good. It ultimately devalues awareness training and leaves no one prepared for the next generation of attacks. We need to stop conditioning consumers like animal trainers, and instead educate them. That is how society can learn to adapt and evolve to ever-changing cyber threats.