Dr Patrick Scolyer-Gray
03 Sep. 2021


Ransomware: what technologists don’t want to hear

In my last piece on Australia’s Ransomware Crisis we covered the basics on ransomware and why it’s such a clear and present danger. Now, let’s take a look at the limitations of what has been the traditional approach used to try and resolve these issues.

This is also where things might get a little controversial for some, although the fact that such controversy is even able to manifest is symptomatic of a problem in and of itself…

We’ve been focusing on the wrong thing

For the duration that a system is encrypted by ransomware, it is almost completely useless. And there’s often nothing you can do about it except ditch the infected system and switch to a backup (assuming that you have one). It’s either that, or you can pay the ransom and hope for the best.

What technologists really don’t want to hear, and something much of the cybersecurity industry does not seem to have fully grasped yet, is that cybersecurity risks like ransomware are dependent on, facilitated and ultimately resolved by human behaviour and decision-making processes.

Australia’s Ransomware Crisis

It’s not JUST technology that we need to be investing in, it’s the people!

Ransomware is created by humans to deceive other humans into making poor decisions that benefit the attacker at the victim’s expense. Does that sound like something that can be remedied by running software or calling tech support?

Ransomware’s effects are only made possible when a human makes a mistake or is manipulated by virtue of the inescapable fallibility of human cognitive and perceptual processes. When did you last patch your employees and remember to restart them so that the update could take effect?

The answer is behavioural change and education

Ransomware can only really be prevented by improving people’s cyber and technological literacy. Only then will people know when not to click on a link, when they should think twice before they download an attachment and why they should challenge a stranger wandering around a server room with a thumb drive in hand.

To quote the Australian 2020 Cybersecurity Strategy, “one size does not fit all”. You cannot go out and buy a better OS for humans and, even if you could, you would need to buy a different one that was tailor-made for every single employee.

Once computer systems are encrypted, there is a rather severe limit to what anyone can do to try and fix the problem on those systems – it doesn’t matter how great your cyber defensive technology might be, because once a system is encrypted, it’s simply inaccessible. The best computer engineers in the world can’t help you with a system that has been turned into inoperable gibberish; social engineers won this round long ago.

To deal with ransomware, you need to rely on the foresight and decision-making of humans.

Outnumbered and Outgunned: The Struggle to Alter Perceptions

Ransomware is a unique threat because it (like all cyber risks) is almost entirely defined by what, how and why people do the things that they do. It is not a problem we can solve with a stream of new technologies.

However, understanding the nuances of human behaviour is not exactly the strong suit of IT or cybersecurity industries. This might be partly why there has been such a dramatic increase recently in the number of techno-centric ‘solutions’ being brought to market. In this respect, ransomware is in the middle of – and the driving force behind – not one, but two battles that are taking place at the same time.

On the one hand, we have an ongoing battle we are waging against the proliferation of ransomware attacks that must be won at all costs. Stopping ransomware is not a question of cybersecurity technology, but instead a matter of achieving significant changes in behaviour.

This is a bit like what I imagine it would be like to be on the losing side of a major military conflict when all the commanders are convinced that the best and only way to turn things around is to get more planes, boats, tanks and troops, while studiously ignoring the one voice of dissent in the room who is trying to point out that no one that is put in the driver’s seat of these machines ever receives any training on how to operate their vehicles, weapons and/or equipment.

On the other hand, the public, government and industry have been told for decades that cybersecurity is a thing that can only be managed with technology. This deeply entrenched perception is interfering with the adoption of the human centric cybersecurity solutions that those who have read this article know represent the only realistic chance we have of bringing the ransomware crisis to a close. In essence, we are losing the war, and nearly everyone on our side is absolutely convinced that their doomed approach to winning that war is going to work, so anything said to the contrary is dismissed or ignored.

HCCS is not an adversary of techno-centric cybersecurity, but its counterpart

Dealing with ransomware is not a matter of picking one approach at the expense of the other.

I am not arguing that human centric cybersecurity (HCCS) is a silver bullet that can end the crisis all on its own: it’s not. Instead, it represents at least half of that which is needed to establish an effective bulwark against ransomware threats.

But the case for HCCS is off to a bad start, because explaining its value requires making reference to the domain of cybersecurity that people already understand – and have already invested considerable sums of money into.

This is where a much overlooked aspect of HCCS needs to be urgently brought to the attention of all: HCCS solutions employ a symbiotic relationship with technology. Indeed, I can say from experience that one of the key strengths of HCCS is that it serves to optimise (and sometimes unlock) the potential of technological infrastructure already in place.

Bottom line: techno and HCCS need to work together. But how?

To find out, tune into the next instalment of this series…

This is the second in a series of four articles tackling ransomware. You can view the other articles in this series here:

Article One: Australia’s Ransomware Crisis

Article Three: Techno-Centric Cybersecurity and HCCS: Can’t we all just be friends?

Article Four: The Ransomware crisis: It’s Time to Retake Control

More insights from Dr Patrick Scolyer-Gray

Strengthening organisational capacity to withstand AI-Powered Cyber Threats

Strengthening organisational capacity to withstand AI-Powered Cyber Threats

Setting aside the hype and hysteria, watch our panellists as they interrogate AI’s implications for cyber threats and cybersecurity, focusing on providing practical strategies and tactics suitable for building cyber resilience.

Dr Patrick Scolyer-Gray | Aug 15th, 2023
Mastering Risk Management Episode #63 - Dr Patrick Scolyer-Gray

Mastering Risk Management Episode #63

When human error accounts for up to 95% of data breaches, technology clearly isn’t the problem. We are. In this […]

Dr Patrick Scolyer-Gray | May 31st, 2023

Deep Dive on Cybersecurity

Human-Centric Cybersecurity Champion, Dr Patrick Scolyer-Gray, shares his knowledge and experience on all aspects of cybersecurity.

Dr Patrick Scolyer-Gray | Feb 11th, 2022

The Ransomware crisis: It’s Time to Retake Control

The discussion so far has dovetailed into an argument for how techno-centric and HCCS can (and do) work together to resist and repel cybercrime, and although it is great to have a strategy for what we need to do, we need to remain cognisant of the sobering reality of our predicament: The ransomware crisis is far beyond the scope and capabilities of any single company or organisation.

Dr Patrick Scolyer-Gray | Sep 29th, 2021

Techno-Centric Cybersecurity and HCCS: Can’t we all just be friends?

In my last article, I made the argument that Human Centric Cybersecurity (HCCS) and conventional technical elements of cybersecurity need to work together as a unified front when combating ransomware. So, how does that work in practice when applied to combating ransomware?

Dr Patrick Scolyer-Gray | Sep 17th, 2021

Australia’s Ransomware Crisis

Cybercrime has long been the stuff of the Internet’s collective cultural imagination; a well-worn stereotype of the hooded figure hunched over a keyboard. It might sound dramatic but make no mistake; ransomware attacks have grown in scale and frequency to a point where they now threaten the safety and wellbeing of all Australians.

Dr Patrick Scolyer-Gray | Aug 20th, 2021

The Egg Story: the delicate connection between you & your security technology

Your organisation’s sensitive information is like the inside of an egg. To ensure their security against cyber attacks, most organisations today add layers of protection, constantly updating and investing in different methods to improve the protective properties of their ‘eggshell’. do you know how safe your egg is?

Dr Patrick Scolyer-Gray | Feb 4th, 2021