September 3, 2021

Ransomware: what technologists don’t want to hear

In my last piece on Australia's Ransomware Crisis we covered the basics of ransomware and why it is such a clear and present danger. Now let's look at the limitations of the traditional, technology-first approach that has been used to try to resolve the problem.

This is also where things might get a little controversial for some, although the fact that it is controversial at all is itself symptomatic of the problem.

We’ve been focusing on the wrong thing

For as long as a system is encrypted by ransomware, it is almost completely useless. And there is often nothing you can do about it except wipe the infected system, rebuild it and restore from a backup (assuming that you have one, and that the attacker did not encrypt or delete the backup too). It's either that, or you pay the ransom and hope for the best, with no guarantee that a working decryption key will ever arrive.

What technologists really don't want to hear, and something much of the cybersecurity industry does not seem to have fully grasped yet, is that cybersecurity risks like ransomware depend on, are facilitated by, and are ultimately resolved by human behaviour and decision-making.


It’s not JUST technology that we need to be investing in, it’s the people!

Ransomware is created by humans to deceive other humans into making poor decisions that benefit the attacker at the victim’s expense. Does that sound like something that can be remedied by running software or calling tech support?

Ransomware's effects only become possible when a human makes a mistake or is manipulated, whether that means clicking a malicious link, opening an attachment or leaving a system unpatched, all by virtue of the inescapable fallibility of human cognitive and perceptual processes. When did you last patch your employees, and remember to restart them so that the update could take effect?

The answer is behavioural change and education

Ransomware can only really be prevented by improving people’s cyber and technological literacy. Only then will people know when not to click on a link, when they should think twice before they download an attachment and why they should challenge a stranger wandering around a server room with a thumb drive in hand.

To quote Australia's Cyber Security Strategy 2020, "one size does not fit all". You cannot go out and buy a better OS for humans and, even if you could, you would need a different one tailor-made for every single employee.