The pandemic, and its hastening of our transformation into lizard people who interact almost exclusively online, has made American companies easy pickings for online scammers. According to Boston-based security firm Recorded Future, the United States saw 65,000 ransomware attacks last year. NPR did the math: that’s more than seven per hour.
Critics worry that by paying ransoms, companies are incentivizing more attacks. National Security Agency (NSA) Director Paul Nakasone predicted last week that the US will face ransomware attacks “every single day” in the next five years.
Marc Rogers, the executive director of cybersecurity at software company Okta, calls what we’re seeing “World War Cyber.” Every HR department should be preparing for the enemy’s next attack.
Vulnerabilities abound: What’s terrifying is attackers can gain entry to company systems in seemingly innumerable ways. From phishing (fraudulent emails) to vishing (phone calls) to SMSishing (texts), employees put companies at risk of being defrauded from dawn to dusk on each one of the screens grafted to their hands.
How bad is it? Pretty, pretty bad.
- In the most egregious cases, ransomware attacks can be life-or-death: Attackers are increasingly targeting hospital systems. In 2019, one such attack and the resulting chaos may have led to the death of a newborn baby.
- The economic toll is astronomical. The average total cost of recovery sets companies back $1.85 million, according to a global survey by cybersecurity company Sophos.
How can HR help? HR’s first and best line of defense in the battle for their data is their employees. It’s crucial to design training that people want to take. Cybersecurity consultant Robert Grimes’s recs are:
- Personalize the training to the role, the responsibilities, and, for the love of God, the technology. For example, don’t train employees on the value of “clean desk policies” while they work remotely (though cat owners might heed that advice).
- Make the training timely. “When tax season rolls around, make sure all employees are trained on how to avoid fake W-2 information request schemes”; “give instructions on how to avoid fake-gift-card scams around Christmas.”
- Make MFA mandatory.
- Finally, make it F-U-N. Most trainings offered today “feel punitive” to employees.
Zoom Out: Advocates argue sharing information is crucial to building better defenses. Talion, a UK-based cybersecurity firm, launched the #RansomAware coalition to do exactly that. Companies can share their experience with ransomware and receive tips on how to shore up defenses. As Michael Brown, CEO of Talion, told Computer Weekly, “Cyber criminals collaborate on their attacks, so we must collaborate to make our defences stronger. It is ‘us’ against ‘them.’”
—SV
Do you work in HR or have information about your HR department we should know? Contact Susanna Vogel via the encrypted messaging apps Signal and Telegram (@SusannaVogel) or simply email [email protected].