Employee Security Hygiene Failing as Ransomware Gets Worse

    I typed “ransomware news” into Google today, and found these three items:

     That’s the result of one Google search, all reports less than 48 hours old. Clearly, we are seeing a serious uptick in ransomware. According to ZDNet, between April 2015 and March 2016, more than 718,500 users were hit with encryption ransomware — an increase of 550 percent compared to the same period in 2014-2015. And the price of a ransom is rising right along with the number of attacks. The average cost in 2015 was around $700 and experts expect that to be double when the 2016 numbers come out.

    A study from Ponemon Institute and Varonis Systems, released earlier in August, looked, in part, at the ransomware problem. Only 46 percent of respondents said they were very concerned about the ransomware threat, and 72 percent they don’t believe their company has been hit with a ransomware attack.

    The ransomware explosion comes at a time when employee security hygiene is getting worse, according to a companion study from Ponemon Institute and Varonis Systems, Inc. It found that only 39 percent of employees believe they are following all of the proper security protocols to protect corporate data. This number is down from 56 percent two years ago. Company leaders aren’t helping matters, either; only 35 percent of respondents believe that the organization is strictly enforcing security policies.

    This could be because there isn’t much agreement about security’s priority status among leadership. When asked to agree or disagree that the protection of company data is a top priority for their CEO and other C-level executives, only 35 percent of end users agreed, while 53 percent of IT professionals believe it is a top priority for senior executives.

    Or, the problem could be a lack of communication regarding security incidents. According to the study, three-quarters of IT professionals said yes, their organization suffered a security incident within the past two years, but only 59 percent of end users said they were aware of the incident. Awareness is important, as Larry Ponemon, chairman and founder of Ponemon Institute, said in a formal statement:

     At a time when one would expect general improvement in end-user hygiene due to increased awareness of cyberattacks and security breaches, this survey instead found an alarming decline in both practices and attitudes. If an organization’s leadership does not make data protection a priority, it will continue to be an uphill battle to ensure end users’ compliance with information security policies and procedures. Major differences between the IT function and end users about appropriate data access and usage practices make it harder to reduce security risks related to mobile devices, the cloud and document collaboration.

    Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom’s Guide. You can reach Sue via Twitter: @sueporemba.

    Sue Poremba
    Sue Poremba
    Sue Poremba is freelance writer based on Central PA. She's been writing about cybersecurity and technology trends since 2008.

    Latest Articles