Cybercriminals are carrying out ransomware attacks on organizations with increasing frequency, according to two new reports highlighted by Cnet’s Laura Hautala this week:
According to Verizon’s annual Data Breach Investigations Report, released Tuesday, ransomware attacks doubled in the last year. That’s especially alarming considering that they doubled the year before, too. … Ransomware accounted for 39 percent of all new malware infections tallied up in the Verizon report, which looks at more than 53,000 security incidents drawn from Verizon cybersecurity customers as well as reports from the US Secret Service and an international consortium of private sector companies.
The numbers match up with findings released Monday by cybersecurity company Malwarebytes, which found that while hackers are targeting consumers with ransomware less frequently, they’re hitting businesses with more of the attacks.
The threat of ransomware was thrown into stark relief last year, when the WannaCry attack, the largest such cyberattack in history, struck over 300,000 machines in 150 countries. It exploited a vulnerability in outdated versions of Microsoft Windows to lock victims out of their computers and demand ransoms of hundreds of dollars to restore access to their documents and data. Most ransomware attacks are much less sophisticated than WannaCry, which the US government ultimately blamed on North Korea. They rely instead on phishing scams that trick users into handing passwords or other personal data over to hackers, who can use this information to gain control of the users’ devices.
Phishing and ransomware are of concern for HR departments in particular, first because this part of the organization is often a soft target for cybercriminals and second because employee behavior is the main weak point in most organizations’ cybersecurity strategies.
Ransomware attacks often arrive through HR because it handles a relatively high volume of external communications with unknown correspondents, such as job candidates. For example, GoldenEye, a variant of the Petya family of ransomware that circulated last year, disguised its malicious program as an innocuous job application. The Federal Bureau of Investigation and the Internal Revenue Service also warned last year of phishing scams involving employees’ W-2 tax forms, which targeted over 200 organizations during last year’s tax season.
HR may be a prominent target of cyberattacks, but it is also an organization’s first line of defense against them, because a cybercriminal’s most useful tool is the misplaced trust or bad judgment of an employee. HR therefore has a large role to play in bolstering an organization’s cybersecurity by educating employees about cyberthreats, building systems and processes that instill good cybersecurity habits, and embedding cybersecurity awareness into the organizational culture. The growing threat of cybercrime is an opportunity for HR to cast itself not as a victim, but rather as a leader in protecting the organization’s data and systems.