The Last Line of Defence Must be the First

NHS Ransomware Outbreak

As I write this, there’s a large-scale ransomware outbreak blighting NHS hospitals across the UK, and businesses around the world.

Why is this happening?

At first glance the answer appears straightforward. Unpatched and unprotected systems are being attacked by malware that can quickly replicate and spread across networks. It then encrypts files and demands Bitcoin payments, or the data is lost forever.

As an answer, that seems correct and yet somehow unsatisfying. It provides politicians with point-scoring opportunities, and the marketplace with opportunities to tout products. All very unedifying. Meanwhile, patients go untreated and NHS IT department overtime bills continue to accrue.

Perhaps a better question to ask is “Why does this happen?”

The First Click is the Deepest

For this, the answer is more nuanced. I believe it’s because this type of attack, ransomware, is still seen as an IT technology issue. The emphasis is on layering technology in front of the end user so that the bad guy never reaches his target: firewalls, email filtering, anti-virus, proxies, data loss prevention and so on.

Then, right at the back of the picture, we have the user, who is subconsciously so insulated from all of this that they no longer think too hard about what they’re seeing. Or indeed clicking.

Remember, a lot of bad stuff happens when a user is tricked into doing something the attacker wants them to do. Visiting a website. Downloading a file. Entering a password.

And right there is the problem. The most potent defensive weapon at our disposal, the human mind, is being given the least work to do.

What a waste of valuable insight and feedback.

Educate and Evaluate

So how do we put users at the top of the logical picture?

The answer to this is simple and intuitive. Educate them. Test them. Provide a mechanism for feedback.

I’m not saying that other defensive layers are not important. They are. Defence in depth is an important security principle. The point here is that if users are unaware that they themselves can be targets, then it’s just a matter of time before your most powerful defensive weapon is turned against you.

