New research from Barracuda Networks has revealed that 27% of UK councils have been affected by ransomware. Of the 430 authorities that were sent Freedom of Information (FOI) requests, only one council admitted to paying in order to regain access to their files. Councils are considered attractive targets by cyber criminals because of the extensive volume of sensitive data that they hold.
- 70% of the councils that responded have followed best practice and put backup systems in place.
- 30% of authorities did not respond to the FOI requests. It is thought that this is because they outsource their IT systems. It is not clear whether these councils also have a backup system in place.
Barracuda Networks SVP, Chris Ross, told Infosecurity Magazine:
The most common ransomware entry point is via email, making employees the weakest link in your cybersecurity chain. As attackers increasingly exploit ‘human networks’ in targeted phishing and spear-phishing campaigns, education is a critical line of defence; it only takes one click by one unsuspecting employee for a ransomware attack to wreak havoc in your business.
The findings suggest that the councils adopt a reactive approach when it comes to cyber security, whereas a proactive approach would allow them to prepare for all eventualities and “decrease the likelihood of a successful and costly attack”.
Although having a backup system has undeniably helped many organisations to avoid paying the ransom, backup should not be their only means of defence. With the new European Union (EU) GDPR around the corner, the UK public sector needs to ensure it employs a cyber security strategy that protects all attack vectors and surfaces to keep citizen data safe and avoid the upcoming large fines for data breaches.
We always recommend refusing to pay ransoms, because there is no guarantee that the criminals will return your systems to normal, and even if you are able to recover your data, you will be a target for repeated attacks.
Ransomware attacks are increasing in both volume and sophistication, and because email is the most common entry point, it is essential to give employees sufficient training.
Educate your employees
To educate your staff on the dangers of phishing and ransomware, you should enrol them on our Phishing and Ransomware – Human patch e-learning course. This ten-minute course is designed to raise awareness of phishing and ransomware among employees, particularly those in critical service sectors such as healthcare, education and finance.
The course describes the link between phishing attacks and ransomware, outlines the consequences of a successful attack and helps staff identify how to avoid falling victim.