Armis released new survey data showing a lack of knowledge and general awareness of major cyberattacks on critical infrastructure, and of basic security hygiene. The survey of over 2,000 respondents from across the United States found that end users are not paying attention to the major cybersecurity attacks plaguing operational technology and critical infrastructure across the country, signaling the importance of businesses prioritizing security as employees return to the office. In the past year, 65,000 ransomware attacks occurred in the United States, approximately 7 attacks per hour, a rate that is expected to continue to rise. As the U.S. looks at its vulnerable industries, the responsibility is falling on businesses to ensure that they are keeping the organization and its employees safe and secure.
From the Colonial Pipeline attack shutting down services, to the Florida Water Facility hack endangering the water supply, to the ransomware attack on JBS, which could raise meat prices and also restrict access to necessary nutrients in developing countries — the impact of cyber attacks on our critical infrastructure has been evident. We’ve also seen ransomware hit healthcare in a major way, with attacks on Scripps Health's technology systems and a chain of Las Vegas hospitals. Despite the spotlight on these attacks, the data shows that many consumers are simply not taking notice — and the responsibility of security falls on the businesses themselves.
As the risk of attack continues to rise, and businesses move toward a hybrid in-office/work from home model, it is imperative that businesses are considering security and ensuring the proper policies and protections are in place. Thinking critically about security early on, and weaving it into your company’s everyday practices, can be the difference-maker as employees return to the office.
Key Findings of the Survey include:
- Education and Awareness Of Cyberattacks Is Still Lacking: Despite these major attacks making headlines on the national stage, respondents showed a lack of awareness of these attacks and their impact on consumers and businesses. Over 21% of respondents have not even heard about the cyberattack on the largest U.S. fuel pipeline, and almost half (45%) of working Americans did not hear about the attempted tampering of Florida’s water supply.
- The Severity Of The Attacks Is Not Sticking: Despite the complete shutdown of the Colonial Pipeline following the attack, and the halting of production at JBS, consumers don’t see the lasting effects of these attacks. 24% of respondents believe that the Colonial Pipeline attack will not have any long-lasting effects on the U.S. fuel industry.
- Healthcare Could be The Next Frontier For Hackers: According to a commissioned study conducted by Forrester Consulting on behalf of Armis, 63% of healthcare delivery organizations have experienced a security incident related to unmanaged and IoT devices over the past two years. Yet today’s data shows that when it comes to device security, over 60% of healthcare employees believe that their personal devices do not pose any security threat to their organization. What’s more, 26% said that their companies do not have any policies in place to secure both work and personal devices.
- Employees are Putting Businesses at Risk Through Devices: As COVID restrictions begin to lighten, enterprises are starting to talk about the return to the office, but as we go back, businesses need to be thinking about overall enterprise security, especially as employees have expressed their intention to continue some potentially risky habits. The data shows that over 71% of employees intend to bring their WFH devices back to the office, with over 82% of that group being IT professionals, whose main job function is to ensure the security of the organization. Despite these risks, 54% don’t believe their personal devices pose any security risk or threat to their organization.
Here's what security executives have to say about the report:
Sounil Yu, Chief Information Security Officer at JupiterOne, a Morrisville, North Carolina-based provider of cyber asset management and governance solutions:
Awareness is insufficient. It helps when that awareness is understood, but even better when that understanding is translated to incentivized action. For example, most people are aware of the 9/11 attacks. But how many understand the motivations that led to the attack, what the control failures were, or how each individual can do their part to improve airport security? Do people know why it’s important to have cars keep moving when dropping off or picking up people from the airport? Or why you should not accept packages or luggage from friendly strangers? People will generally understand the reason for the latter but not the former and as such will gripe less about excessive luggage fees and more about having to repeatedly circle the airport waiting to pick up their arriving passengers or pay exorbitant parking fees. People may not understand why these rules and guidelines are in place or have any awareness of previous attacks that may have been enabled by careless actions, but as long as people are incentivized to comply, they are doing their part in helping airport security to some degree. But is that enough?
This report from Armis suggests that the general populace remains woefully unaware of significant cyberattacks, but even if 100% were aware, is it clear that they know what part they play in keeping organizations (or airports) secure? How significant of a role should they play (relative to TSA)? Would security policies prohibiting or controlling the introduction of personal or IoT devices have prevented the attacks on Colonial Pipeline and the water treatment plant? That is like saying the rules for keeping cars moving and not accepting packages would have prevented 9/11.
AJ King, Chief Information Security Officer at BreachQuest, a Dallas, Texas-based leader in incident response:
Security awareness has been viewed as a compliance checkbox outside of the information security community for quite some time. As a result, most security awareness content is done poorly, designed to be compliance-focused rather than risk-informing, so it’s not a surprise for a significant group of people to be out of the loop. If you don’t know the danger, you can’t make decisions to avoid the risk. Think about the Goiania incident in South America where people died of radiation poisoning because they didn’t know the material they were handling was radioactive. If an accounts payable employee, whose literal job is to open up emails with attachments, doesn’t receive the training to know when something looks risky, they are set up for failure.
We need to start looking at employees as our first line of defense, and provide them with the training and tools they need to succeed. This means a couple of things:
- Hiring dedicated security awareness personnel who are not cybersecurity engineers, and instead are marketing professionals that know how to create engaging content.
- Investing in technical controls that prevent people from making easily preventable mistakes.
Number two is deceptively harder than it seems, and isn’t a quick fix. It requires strategy and investment from leaders in an organization to make progress, and when it comes to BYOD the vast majority of firms are lacking in both policy and technical controls. Here are a few actionable items that organizational leaders should ensure are in place as quickly as possible:
- Multifactor Authentication (MFA) – Specifically on email systems, VPN connectivity, and privileged accounts.
- Removal of Local Admin Privileges for standard users
- Implement a password manager tool organization-wide that makes password security easy for your users. Passwords.txt on an employee desktop is an easy target for attackers.
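Two of the three items above, removal of local admin rights and the plaintext-password-file problem, can be audited directly on a Windows endpoint. The following PowerShell script is an added example written for this page; it is not code from Armis, BreachQuest or the quoted executive. The approved-admin allowlist (`Administrator` and a `CORP\Desktop-Admins` group) is an assumed placeholder that you would replace with your own break-glass account and admin group; the file-name patterns are a deliberately simple heuristic that catches the obvious `Passwords.txt` case, not a general secrets scanner.

```powershell
# Added example: audit local admin membership and look for plaintext credential
# files on user desktops. Run elevated on the workstation being checked.

# Assumption: these are the only principals allowed in the local Administrators
# group. Replace with your own break-glass account and tier-2 admin group.
$ApprovedAdmins = @('Administrator', 'CORP\Desktop-Admins')

# --- 1. Local Administrators group: flag every member not on the allowlist ---
$hostPrefix = [regex]::Escape($env:COMPUTERNAME) + '\\'
$unexpected = Get-LocalGroupMember -Group 'Administrators' |
    Where-Object {
        # Strip the "COMPUTERNAME\" prefix so local accounts compare by bare name;
        # domain principals keep their "DOMAIN\" prefix and match the allowlist as written.
        $ApprovedAdmins -notcontains ($_.Name -replace "^$hostPrefix", '')
    }

foreach ($m in $unexpected) {
    Write-Warning ("Unexpected local admin: {0} ({1}, source {2})" -f $m.Name, $m.ObjectClass, $m.PrincipalSource)
    # -WhatIf makes this a dry run; remove it only once the allowlist is confirmed,
    # otherwise a mis-typed allowlist strips the real admins as well.
    Remove-LocalGroupMember -Group 'Administrators' -Member $m.Name -WhatIf
}

if (-not $unexpected) {
    Write-Host 'Local Administrators group matches the allowlist.'
}

# --- 2. Plaintext credential files in the usual places (the Passwords.txt case) ---
# Name-based heuristic only: it finds files users named after their contents.
$namePatterns = '*password*', '*passwd*', '*creds*', '*credentials*', '*login*'
$textTypes    = '.txt', '.csv', '.rtf', '.docx', '.xlsx'
$searchRoots  = "$env:SystemDrive\Users\*\Desktop", "$env:SystemDrive\Users\*\Documents"

$suspect = Get-ChildItem -Path $searchRoots -Include $namePatterns -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $textTypes -contains $_.Extension.ToLower() } |
    Select-Object FullName, Length, LastWriteTime

if ($suspect) {
    Write-Warning "Possible plaintext credential files (candidates for the password manager rollout):"
    $suspect | Format-Table -AutoSize
} else {
    Write-Host 'No obviously named credential files found under Desktop or Documents.'
}
```

Run it first with the `-WhatIf` left in place so the output is a report rather than a change; the unexpected-member list and the file list are what you would hand to the desktop team before the password manager and admin-removal rollout.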
John Bambenek, Threat Intelligence Advisor at Netenrich, a San Jose, Calif.-based Resolution Intelligence provider:
It’s not surprising that the bulk of the workforce, who have their own areas of expertise, are not fully up to date on and expert in cybersecurity. While cybersecurity awareness and hygiene are important, putting all the onus of our technological failures on non-technical staff is foolhardy. Cancer kills millions but we don’t expect people to become experts in oncology and read the New England Journal of Medicine. Employees aren’t going to become more aware until it’s relevant to them and their own areas of expertise. Technology companies need to make their platforms and tools more resilient and secure, first and foremost.
Security awareness needs to be tailored to what is relevant to the employees and ideally delivered to them in near real time during incidents. Knowing the specifics of recent utility attacks doesn’t translate into employees knowing which attachments to not open or which phishing links to not click on. When employees generate security alerts, having a discussion with them in a very non-hostile way and using those moments as educational is important. Phishing simulations have also yielded some results, but making security awareness relevant to what the employee actually sees is critical.
Joseph Carson, chief security scientist and Advisory CISO at ThycoticCentrify, a Washington D.C. based provider of cloud identity security solutions:
One of the biggest errors security professionals can make is to assume that other employees have the same understanding of good cyber hygiene as they do. By assuming that everybody is a possible walking vulnerability, security teams can better implement proactive measures and educational programs to keep the entire staff, especially those who have privileged access credentials, aware of security risks that can happen at any time.
The typical worker isn’t trained in cyber hygiene and best practices, making them easy targets for cybercriminals looking to access an organization's networks quickly and easily via a phishing attack or clever social engineering. Ensuring that employees at every level are given sufficient training, such as how to identify malware-laced emails and other rudimentary attempts at credential theft, can be a major step to help reduce the success rate of an attack or at least raise an alert. By normalizing training within the culture of the workplace, organizations can help maintain attentiveness to these practices long term.