The human patch against ransomware
In the wake of May’s WannaCry crypto-ransomware attack, which brought the UK’s National Health Service and many other large organisations to a standstill, a major provider of cyber security expertise and solutions has rushed out a 10-minute eLearning course it is calling ‘The Human Patch’. It is designed to raise awareness of ransomware and phishing attacks among the rank-and-file staff who use potentially vulnerable networked computers in their organisations.
In less than a tea break, staff are taught how to avoid falling victim to phishing attacks and ransomware and given steps to take if they think their computer has been compromised. Aimed at training large numbers of people, it sells at £3.99 per user per year for 101+ users.
The ‘human patch’ concept focuses on educating people about specific threats in a responsive manner, much as software patches are created and deployed. Bite-sized learning targets emergent threats in the hope of averting disaster: the one employee who would otherwise be the conduit for nastiness to enter the network chooses, because of their training, not to make that keystroke or open that attachment.
Ransomware relies on human fallibility. Contrary to popular belief, it does not spread from computer to computer under its own steam. Ransomware is spread by drive-by downloads and phishing campaigns, both of which exploit human error. It makes sense, therefore, to patch the weakest link in the chain: the distracted, careless or ignorant employee.
The WannaCry attack targeted vulnerabilities in Microsoft’s Windows XP, and much has been made of the fact that the vulnerability existed. But it needed somebody to do something naïve for it to infect their system, and the malware encouraged them to do exactly that. Without the right human firewall in place by way of training, fingers clicked and tapped where they shouldn’t have, and the horse bolted.
Shutting the stable door now is not futile. It raises awareness and increases vigilance. There will always be cyber criminals out there looking to bop us on the head with their digital cudgels. But a little self-defence training – just ten minutes of it in this case – could make more folks ready for the next time bad things go down. And that won’t be long.
The WannaCry cleanup took many days and cost an awful lot of money. The search is ongoing to find ‘patient zero’ – the first PC infected in this outbreak – which may give clues as to the developers’ identity. Human patch micro-courses are aimed at preventing patient zeros in the first place.