At the recent SOURCE Boston conference, a ransomware panel composed of those that work to understand, prevent or recover from this growing cybersecurity crime discussed how communication breakdown at all levels — starting with victims — is what makes it so profitable to cyber attackers.
The panel included Boston Police Detective Frank McLaughlin, Ryan Naraine, head of the Global Research & Analysis Team at Kaspersky Lab, Sumit Sehgal, chief technical officer of healthcare at McAfee and moderator Paul Roberts, founder and editor in chief of The Security Ledger.
The panelists discussed why businesses tend not to report crimes and why people pay ransom, as well as media coverage of cybersecurity and modes of awareness education, according to Taylor Armerding of CSO Online covering the event.
Responsibility for Cybersecurity Crime Prevention
When Naraine noted that average users bear some responsibility for falling victim to phishing or other social-engineered scams, or failed to use two-factor authentication, at least one member of the audience didn’t agree.
The average user, which could be her grandmother, is not savvy to the tactics that can lead to ransomware and shouldn’t be expected to be, she said, likening the perspective to ‘victim shaming.’
The panelists then discussed how initiatives to improve awareness have grown. “It’s better than it was five years ago,” Sehgal said. “You get reminders from Facebook to change your password, or a notice that you signed in from China.”
Sehgal noted there is education about bullying and cyber hygiene in public schools and security companies evangelize resources that can be leveraged.
Cybersecurity Crime Prevention Tasks
McLaughlin suggested that communities that focus on physical safety in their public service announcements could also add messages regarding online security.
Dan Geer, chief information security officer at In-Q-Tel, said in the SOURCE conference’s closing keynote, “cybersecurity and the future of humanity are conjoined now.”
If he is right, it may not be long before most municipal leaders find that cybersecurity crime prevention by local law enforcement and public safety agencies is a regular part of those jobs.
Awareness Education as Outgrowth of Law Enforcement Cybersecurity Practice
Encouraging citizens to take responsibility for their cybersecurtiy safety, as Naraine suggested, could be an outgrowth of how police agencies may already be working to protect their data.
After experiencing a ransomware attack in 2014, the Tewksbury, Mass., police department holds staff meetings where examples of phishing emails and other potential sources of infection are shown. The department also sends out staff-wide alerts any time something suspicious is discovered.
If police departments already have staff that ensures the agency’s network is operating effectively, efficiently and safely, they could probably keep the department’s public information officers updated.
With information and communication, law enforcement agencies can partner with municipal staff managing public communications, sending out alerts, offering training opportunities and engaging the public in cybersecurity crime prevention.