Ransomware may be a big culprit for data loss – but it’s the wrong fall guy


With researchers seeing a 3500% increase in the use of net infrastructure which criminals use to run ransomware campaigns, it’s not surprising that ransomware has been making big headlines.

The media laments the growing rings of cyber criminals that launch ransomware threats, but there’s another culprit that tends to slip under the radar: people like you and me. Sure, we’re not instigating the campaign – that’s on the hacker – but employees often let the bad actor through the front door, so to speak. Employees access an insecure web page, download infected software or click a phishing link in an email. In fact, of all the data breaches reported in the UK during Q1 2016, ICO data reveals that 62% were caused by human error.

Worse, ransomware and other incidents related to human error are putting businesses at a greater risk of data loss. In a Foursys survey of 400 UK-based IT managers, 11% of those that had reported security breaches caused by threats such as ransomware said they had experienced data loss as a result. According to research by the University of Portsmouth, fraud and human error are costing UK organisations £98.6 billion a year. Unfortunately, that number is likely even larger, as it doesn’t include instances that have gone undiscovered or unreported.

And while some might think that storing data in the cloud puts it out of reach of ransomware, they’re wrong. Ransomware has the ability to encrypt files on hardware and cloud services alike. And, of course, data in the cloud is always susceptible to human error.

If, despite your best efforts, an employee or vendor deletes your data, having current backups is the key to restoring the files without a severe impact on your business. If your systems are taken hostage by ransomware, data backups are the key to recovering access to your files without paying the ransom (which is never recommended, as it only encourages hackers).

This two-part series will discuss some of the common ways human error can lead to data loss or ransomware infections and address how your business can prepare for these threats.

Cloud provider risks

Under the EU’s General Data Protection Regulation (GDPR), all organisations handling personal data will be responsible for ensuring that the information is protected and for any breaches of this data. This responsibility extends to third-party cloud providers, which is why vendor due diligence is critical.

Non-compliance can result in fines of as much as 5% of annual worldwide turnover or €1 million, whichever is greater. With such high stakes, it’s important to ensure vendors have proper policies and procedures in place to ensure the availability and security of any data they process.

You might find that the vendor’s terms of service meet your needs, but be aware that terms of service can change without notice. That’s what happened to one man, a distinguished lecturer for a content network, who woke up one day to discover that his cloud vendor had deleted more than five years of archives for 15 retired machines. After lengthy back-and-forth discussions with the vendor’s tech support, he discovered that a change in the corporation’s retention policy – of which he’d been unaware – had allowed the backups to be deleted. They were eventually restored, but if he hadn’t been vigilant, he very well could have lost his backups permanently.

Shadow IT

Human error and ransomware alone are enough of a risk to put businesses on high alert, but shadow IT exacerbates this threat. Research from Cisco reveals that CIOs estimate that their organisation has 51 public cloud applications in use, but the actual number is more like 730. What happens if employees upload restricted data to an unauthorised cloud application – such as Google Drive, Dropbox or Evernote – and that application experiences a breach or does not use proper encryption?

If your employees are uploading files to an unauthorised cloud or using software as a service (SaaS), that not only increases your security risk; it also increases your risk of data loss, as that data isn’t being backed up.

SaaS, in fact, is one of the most prevalent sources of data loss in the cloud. A recent study found that almost 80% of respondents had lost data in their organisations’ SaaS deployments. The top causes were accidental deletion (41%), migration errors (31%) and accidental overwrites (26%).

Lack of internal awareness of security best practices

One of the major culprits of human error is sheer carelessness or ignorance of how data should be handled. In the ICO data mentioned above, the majority of incidents attributable to human error included security gaffes such as posting, emailing or faxing data to the wrong recipient. Additionally, a disturbing number of employees are falling victim to phishing attempts. According to research from Verizon, people opened 30% of phishing messages – that’s 7% greater than last year – and of those, 13% also opened the attachment, introducing the malware to the network.

Many instances of cloud data loss and ransomware infections can be classified into one of the above human error-related categories. But simply being aware of these threats isn’t enough.

This is one part of a two-part series: the second piece, next week, will examine mitigating cloud vendor risks, shadow IT and lack of cybersecurity awareness.