Information security and awareness programs for critical urban infrastructure operators offer a non-technical line of defense against ransomware attacks

December 8, 2017


IBM's If the price is right, ransomware wins

Cybersecurity experts agree it is crucial to educate early, so that good user practices are presented and enforced after an attack. “Education” in this context usually takes two forms: building awareness about the importance of regular software updates, and implementing awareness training about the need for vigilant interaction with common phishing emails and pop-ups containing harmful links.

The need to encourage awareness about security updates was brought into public view recently by the Windows XP vulnerability that left thousands of victims in its wake and particularly affected hospital systems. Timely updates can be instrumental in preventing attacks. While some may think of this as a technical strategy, often a human is the one who needs to initiate the update. Yet the update is delayed or abandoned because updates pose an inconvenience to users and sometimes introduce instability into an operating environment. Successfully deploying regular software updates involves a trifecta: a dedicated information security staff designing and enforcing protocol for the updates, the software companies that make patches or updates publicly available, and employee education on the update’s importance along with the urgency to install it.

Phishing, which is convincing a person to click an emailed link that compromises their computer, is still the primary means of entry for most hackers. Anti-phishing tools have improved, but some of the most famous hacks, such as the one that caused blackouts on Ukraine's electric grid, have shown a surprising propensity for targeted and convincing emails. These emails could be so specific that they refer to your real bank or even a dinner you might have just had. This is called spear phishing. Government officials have been shown to be particularly vulnerable to such attacks (as seen in the dinner example) because of their public image. An attacker might craft an email that appears to be from one’s own IT division, sprinkling legitimate names and links in with malicious ones. Organizations can combat phishing by training workers to avoid clicking suspicious links and verifying company emails with a digital signature.

A further step in raising employee awareness and conducting cybersecurity education is to build a “security culture” or secure mindset, where each employee is encouraged to be a healthy skeptic about all digital interactions and is reminded to always trust but verify. Fostering a security culture dramatically reduces the chances of major data breaches caused by errant clicking on phishing emails or ad pop-ups. In reality, one training session at the beginning of someone’s employment will not foster a security culture. Further, one-off trainings won’t remind employees that security is a priority for everyone. There are now products that cater to the need for self-phishing campaigns to ensure those who are not security aware are identified and retrained, at least in terms of phishing. In this way, it may be best to assess security awareness in an organization through security drills similar to fire drills. However, even companies that train their employees to adopt risk-averse behavior often fail to regularly assess whether employees are practicing continued security awareness or allowing gaps in their security posture. This is especially true for smaller entities, as detailed in a report by IBM.

While there are clear benefits to the cyberdefense strategies of education and awareness, non-technical strategies will not be sufficient. They cannot be used on their own to defend organizations from attack. On the other hand, interviews with critical urban infrastructure operators reveal that some organizations rely almost entirely on technological defenses. Robust defensive social engineering strategies, beyond some basic awareness training, are not even considered. This needs to change to protect our cities from cyberattack.