March 29, 2017
If a company is hit by ransomware, it is the fault of the IT department.
In the last week, I saw several articles stating that users are responsible for most ransomware infections. It is a very specious argument in that, yes, a user inevitably has to click on a link or download a file that then is activated and encrypts the hard drive. There are no common worm-like ransomware variants that infect systems without user interactions.
Given that, it is therefore easy to blame users for causing ransomware infections of their own systems. However, the reality is that for the user to infect their system, there are many technical failures, which are due to the IT staff’s actions or lack there of.
I previously wrote how safety principles identify how the work environment creates the safety problems. For example, fork lifts moving throughout warehouses and factories can hit workers not paying attention. You can blame a worker for walking into the path of a forklift, or the driver for driving unsafely. However, it was shown to be much more effective to draw lines on the floor of factories and warehouses to define walkways. Making people wear safety goggles eliminates almost all eye injuries. Defining “Two Person Lifts” alerts workers when an object is considered too heavy for one person.
When organizations begin to look for opportunities to eliminate environmentally created safety concerns, work-related accidents went down by 90 percent. That is a very significant decrease. Of course, this means that there still were injuries resulting from carelessness, failing to follow prescribed guidelines, etc., but it does show what happens when organizations take responsibility for preventing incidents in the first place.
So when I see articles declaring users responsible for most ransomware attacks, I think the people writing the articles and the security professionals who are the source of the articles as the real failures. This is especially true when we are talking about ransomware infections, which require that the system installs the malware.
When I gave a recent presentation on the human exploitation kill chain, I defined how ransomware and other malware has to first reach the user system, and then allow the user to install the malware. Of course, in most cases, the user has to take a purposeful action to install the malware, but consider how the “environment” has to facilitate that user action.
In order for ransomware to infect a system, it must first reach the system. Email and web filters should remove executables (software that will run on a computer), before reaching most users. Even if an executable reaches a user, most email clients and web browsers should prevent the executable from running. Even if the executable runs, a well configured PC should prevent the user from installing software on their system.
While the user may have clicked on an email attachment or link, in almost every case, technology failed on many levels to first allow the attachment or link to reach a user and then for the ransomware to execute and encrypt the system. User failures in the ransomware kill chain are the one type of failure that should be easiest to mitigate.
I want to be clear that I am not saying that user awareness is unnecessary. Every step of the kill chain presents an opportunity to stop or mitigate an attack. An aware user will not only not click on ransomware, after technology has failed and allowed the ransomware to reach the user, but will also alert the IT and security staff about the technology failing of the ransomware being allowed to reach them. Security awareness programs are typically allocated a comparatively small budget and have a better return on investment. So any money spent on awareness should reduce risk, but cannot be expected to be any more perfect than all of the technology that allowed ransomware to get to the user in the first place.
Again though, when ransomware loads on a system, it is a failure of your entire security program, not just the user action of clicking on the message. While it may be politically advantageous to blame the user for the act of the click, the reality is that the failure is much more in the ability for the message to reach the user, and then for the ransomware to be allowed to load on the system.