Friday, 20 February 2026

AI in the SOC: Why Complete Autonomy Is the Wrong Goal

Dan Petrillo, VP of Product at BlueVoyant

As artificial intelligence (AI) becomes more deeply embedded in security operations, a divide has emerged in how its role is defined. Some argue the security operations centre (SOC) should be fully autonomous, with AI replacing human analysts. Others believe that augmentation is the right path, using AI to support and extend existing teams.

Augmentation is the model that matches how SOCs actually operate. AI helps analysts triage alerts, investigate incidents faster and bring better context into their work, while humans remain accountable for the decisions that are taken.

Complete autonomy assumes a level of reliable, end-to-end decision-making that can operate without continuous human oversight. That’s a high bar. In real SOC environments, the technology, data quality, and operational constraints rarely support that assumption. Detection pipelines are noisy, context is fragmented across tools, and threat signals often require human judgment to interpret correctly. Even the most advanced automation struggles with edge cases, ambiguous alerts, and the dynamic nature of attacker behaviour.

Why an Autonomous SOC Falls Short

Looking more closely at why AI cannot fully replace SOC analysts, the short answer is that the autonomous model oversimplifies what security operations involve. Investigation is only one part of a functioning SOC. Organisations also depend on experienced practitioners to interpret ambiguous signals, manage escalation, and communicate risk to senior leadership. When incidents become business issues, that same expertise is needed to apply judgement, coordinate stakeholders, and produce reporting that stands up to scrutiny.

When something goes wrong, such as a logging failure, a broken parser following a third-party firewall update, or months of missing telemetry, automated systems cannot resolve the issue alone. Human expertise is needed to understand context, reconstruct events, and guide remediation. 
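Resolving such a gap needs a person, but detecting it does not, and a SOC that is not watching its own telemetry will only learn about the broken parser when an investigation runs into months of missing data. The following is an added example written for this page, not BlueVoyant's code: it runs a legacy key=value parser over a constructed batch of collector records and flags a firewall source whose events stopped parsing after a format change, and an EDR source that has gone silent, so that an analyst is paged while the gap is still hours rather than months old. Source names, timestamps, the record format and the thresholds are all assumptions.

```python
"""Telemetry health check: flag log sources that have gone silent or whose
parser is failing. Added example for this page, not BlueVoyant code; the
record format, source names and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample: (source, ISO-8601 timestamp, raw line) as a collector
# might hand them over. The firewall switches to a new JSON layout midway,
# mimicking a vendor update that the old key=value parser does not understand.
SAMPLE_EVENTS = [
    ("fw-edge-01", "2026-02-20T08:00:05Z", "action=allow src=10.0.0.5 dst=10.0.1.9 dport=443"),
    ("fw-edge-01", "2026-02-20T08:00:09Z", "action=deny src=10.0.0.7 dst=8.8.8.8 dport=53"),
    ("fw-edge-01", "2026-02-20T08:01:02Z", '{"act":"ALLOW","srcip":"10.0.0.5","dstport":443}'),
    ("fw-edge-01", "2026-02-20T08:01:07Z", '{"act":"DENY","srcip":"10.0.0.9","dstport":22}'),
    ("fw-edge-01", "2026-02-20T08:01:11Z", '{"act":"ALLOW","srcip":"10.0.0.5","dstport":80}'),
    ("dc-01",      "2026-02-20T08:00:30Z", "EventID=4624 user=jdoe logon_type=3"),
    ("dc-01",      "2026-02-20T08:01:00Z", "EventID=4625 user=admin logon_type=10"),
    ("edr-agent",  "2026-02-19T22:15:00Z", "process=powershell.exe parent=winword.exe"),
]

# Fixed "now" so the example is repeatable; a real job would use datetime.now(timezone.utc).
NOW = datetime(2026, 2, 20, 8, 2, 0, tzinfo=timezone.utc)


def parse_kv(line):
    """Legacy key=value parser. Returns a dict, or None when the line does not fit."""
    fields = {}
    for token in line.split():
        if "=" not in token:
            return None
        key, value = token.split("=", 1)
        fields[key] = value
    return fields or None


def source_health(events, now=NOW, silence=timedelta(minutes=30), max_fail_rate=0.25):
    """Return {source: [findings]} for sources that are silent or whose parse
    failure rate exceeds max_fail_rate. Healthy sources are omitted."""
    last_seen = {}
    totals = defaultdict(int)
    failures = defaultdict(int)
    for source, ts, line in events:
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        last_seen[source] = max(when, last_seen.get(source, when))
        totals[source] += 1
        if parse_kv(line) is None:
            failures[source] += 1

    findings = defaultdict(list)
    for source in totals:
        gap = now - last_seen[source]
        if gap > silence:
            findings[source].append(f"silent for {int(gap.total_seconds() // 60)} min")
        rate = failures[source] / totals[source]
        if rate > max_fail_rate:
            findings[source].append(
                f"parse failures {failures[source]}/{totals[source]} ({rate:.0%})"
            )
    return dict(findings)


if __name__ == "__main__":
    for source, problems in source_health(SAMPLE_EVENTS).items():
        print(source, "->", "; ".join(problems))
```

The parse-failure check matters as much as the silence check: a source that keeps shipping events that the pipeline drops looks healthy on volume graphs while every detection that depends on its fields has quietly stopped firing.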


Governance is another constraint. The cost of false negatives remains unacceptably high, and security leaders are unlikely to deploy solutions that act without clear oversight. Even where AI can execute parts of a workflow, organisations still require process controls, quality checks, and human validation for complex or unfamiliar scenarios. A fully autonomous model cannot reliably make the right judgement call in every situation, particularly when decisions carry real business impact.

Accuracy risks also remain. AI systems can make mistakes, draw incorrect conclusions, or miss important signals if left unchecked. Human oversight therefore remains essential to spot errors early and prevent them from turning into operational problems.

Ultimately, fully autonomous SOC models ask organisations to trade human judgement and accountability for AI that is still maturing. That trade-off is impractical in an environment where consequences are measured in real-world disruption.

Why AI in the SOC Is Still Essential 

However, none of the above suggests that AI does not have a place in the SOC. When implemented with purpose it delivers measurable improvements in the areas where teams are under the most pressure.

AI can take on repetitive, high-volume tasks such as alert triage and enrichment, allowing analysts to focus on more complex investigations, decision-making, and response. Deployed effectively, AI in the SOC is essential to reclaiming human time from low-value activity, enabling teams to apply expertise where it has the greatest operational payoff.

Some of the most significant benefits of integrating AI agents into human-led SOC teams include: 

  • Workload reduction: AI can handle repetitive, high-volume tasks such as alert triage, dynamic enrichment, and report generation, reducing analyst fatigue and operational backlog.
  • Process consistency: AI helps standardise workflows across varying skill levels, smoothing differences in tool syntax and operating procedures so teams perform more consistently.
  • Improved alert quality: By incorporating external threat intelligence, control telemetry, and asset context, AI can reduce false positives and support more accurate prioritisation.
  • Faster decision-making: Attack timelines, path mapping, and context-rich summaries enable analysts to assess scope, impact, and containment options more quickly.
  • Knowledge retention: AI working alongside human analysts captures operational insights over time, mitigating the impact of staff churn and preserving institutional knowledge. It can also identify patterns that may be missed by individuals and recommend rules or remediations accordingly.
  • Always on: AI doesn’t need breaks, get tired, fall ill, take holidays, or turn up late. It becomes a consistently reliable coworker for stretched teams working under pressure.

Where Augmentation Delivers the Most Value 

AI delivers the greatest value when applied to SOC activities that are slow, manual, or prone to inconsistency, while keeping humans accountable for decisions and execution.

Augmentation should be introduced first in areas where AI can speed up analysis, surface insight, and support judgement, without removing human oversight. Below are a few areas where you might consider using AI to augment your team:

  • Alert triage: False-positive reduction, dynamic enrichment, and contextual prioritisation using threat intelligence, asset criticality, and exposure data. 
  • Augmented investigations: Natural language querying, attack path and timeline visualisation, and suggested queries that speed root-cause analysis. 
  • Incident and case summarisation: Automated executive- and GRC-ready reporting that consolidates findings with clear, decision-ready context. 
  • Hypothesis generation: Continuous pattern and behaviour analysis to surface new detections, investigative approaches, and remediation opportunities for human approval. 
  • Operational oversight: AI that learns expected procedures and flags process deviations, bottlenecks, or underperformance for leadership attention. 
  • Response recommendations: Context-aware guidance and playbook generation, with optional integration-driven execution remaining under human control.

What This Means for Security Teams 

Security teams manage millions of investigations every year, even after automating many routine cases. While automation can streamline these routine tasks, full autonomy remains unrealistic. The most critical stages of an investigation still rely on human judgement, context and accountability.

AI will continue to enhance the speed, scale and consistency of security operations, but the SOC of the future will remain human-led, with AI augmenting, not replacing, analysts. Organisations that adopt AI in targeted, outcome-driven ways will scale more effectively, reduce risk and preserve institutional knowledge. As threats evolve, AI-augmented SOC teams will not only keep pace but stay ahead of adversaries.

Sunday, 15 February 2026

It’s 2026. Why are the basics still being missed?

Written by Katie Barnett, Director of Cyber Security, and Gavin Wilson, Director of Physical Security and Risk, at Toro Solutions

After spending years working with organisations on security, one thing becomes hard to ignore. When something serious happens, the root causes are sadly rarely surprising, and there is often a sense of inevitability to them: access that was never quite tidied up, controls that were written down but not really enforced, multi-factor authentication that was recommended but not mandatory, or decisions that made sense in the moment and were never revisited.

Last year’s headlines about the Louvre brought this into focus. The Louvre, the world’s most visited museum, faced heavy criticism after investigators revealed that its internal video surveillance system was protected by the password “Louvre.” This came after a daylight heist in which thieves stole French Crown Jewels valued at over $100 million. The striking thing was not how bold the theft was, but how familiar the weakness behind it felt.

It would be comforting to see that as a one-off mistake, but it rarely is. The Louvre was simply visible. Similar assumptions exist inside many organisations, often sitting quietly in the background while attention is pulled towards more immediate concerns. In most cases, people are not unaware of the issues; the issues are just not the ones that shout the loudest.

As you will know, there is no shortage of discussion about how the threat landscape is changing; it changes every day. AI, geopolitical tension, supply chain exposure and the blending of physical and cyber risks are all moving fast and feature heavily in conversations with leadership. At the same time, while those big conversations are happening, it is not unusual to walk into environments where access is loosely understood, vulnerabilities have been accepted by default, and physical security relies on a shared sense of trust rather than consistent control.

Access and identity management is a good example of how this plays out. Access is granted to keep work moving, which is usually the right decision at the time, but we find that what happens less reliably is the follow-up. Projects end, people change roles, suppliers move on, and amid increasingly demanding workloads, access is forgotten or missed and remains because removing it is never a priority. Over time, confidence creeps in where certainty should exist, and that only becomes obvious when something goes wrong.

This is also where passwords and multi-factor authentication continue to cause problems, despite years of attention. It’s been drilled into everyone that passwords alone are weak, reused and easily compromised. Multi-factor authentication (MFA) is now heavily recommended across organisations, yet it is still common to find critical systems without MFA enabled, with MFA applied inconsistently, or disabled because it caused friction. Exceptions become normal and service accounts are excluded because they always have been. None of these decisions feel dramatic on their own, but together they leave credential compromise as one of the easiest ways in.
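The follow-up the two paragraphs above describe as unreliable (removing access when people and suppliers move on, and noticing the accounts that have quietly been excluded from MFA) is a review that can be run on a schedule rather than remembered. The following is an added example written for this page, not Toro Solutions' code: it joins a constructed identity-provider export against an HR leavers list and reports enabled accounts belonging to leavers, accounts idle past a threshold, and privileged or service accounts without MFA. The column names, the 90-day threshold and the sample accounts are assumptions; the output is a work list for a person, since whether a service account can safely have MFA enforced is exactly the judgement call the article says keeps getting deferred.

```python
"""Joint access review: leavers still enabled, stale accounts, and privileged
or service accounts outside MFA. Added example for this page, not Toro
Solutions code; the export columns, threshold and sample data are assumptions."""
import csv
import io
from datetime import date

# Constructed identity export in the shape an IdP or directory might produce.
ACCOUNTS_CSV = """username,type,enabled,mfa,privileged,last_logon,owner
jdoe,user,true,true,false,2026-02-18,jdoe
asmith,user,true,false,true,2026-02-19,asmith
contractor-x,user,true,true,false,2025-09-02,contractor-x
svc-backup,service,true,false,true,2026-02-19,itops
svc-legacy,service,true,false,true,2025-04-11,itops
mlee,user,true,true,false,2026-02-01,mlee
"""

# Constructed HR leavers list: people whose employment or contract has ended.
LEAVERS = {"contractor-x", "mlee"}

TODAY = date(2026, 2, 20)   # fixed so the example is repeatable
STALE_DAYS = 90             # assumed policy: no logon for a quarter is a review trigger


def review_access(accounts_csv, leavers, today=TODAY, stale_days=STALE_DAYS):
    """Return a sorted list of (username, finding) for enabled accounts that
    need a human decision. Disabled accounts are skipped."""
    findings = []
    for row in csv.DictReader(io.StringIO(accounts_csv)):
        if row["enabled"] != "true":
            continue
        user = row["username"]
        idle_days = (today - date.fromisoformat(row["last_logon"])).days

        # Leaver check: the account's owner is gone but the account is not.
        if row["owner"] in leavers:
            findings.append((user, "leaver still enabled"))

        # Stale check: nobody has used this in a long time; does anyone still need it?
        if idle_days > stale_days:
            findings.append((user, f"no logon for {idle_days} days"))

        # MFA check on what matters most: privileged access. Service accounts are
        # reported separately because "excluded because they always have been" is
        # the normalised exception the article describes.
        if row["privileged"] == "true" and row["mfa"] != "true":
            if row["type"] == "service":
                findings.append((user, "service account excluded from MFA"))
            else:
                findings.append((user, "privileged account without MFA"))
    return sorted(findings)


if __name__ == "__main__":
    for user, finding in review_access(ACCOUNTS_CSV, LEAVERS):
        print(f"{user:14} {finding}")
```

Run against a real export, the value is in the join: the directory alone cannot tell you that contractor-x has left, and HR alone cannot tell you that the account is still enabled and last logged on five months ago.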

The Louvre example resonates precisely because it reduces this to something uncomfortably simple. A globally recognised institution, with significant resources, still relying on a password that offered little real protection for a critical system. This is not a technology problem; it's just what happens when basic controls are never quite treated as urgent enough to demand sustained attention.
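The control that would have rejected that password is as simple as the failure, which is the author's point. As an added example written for this page, not the article's or any vendor's code, the check below implements a context-specific denylist in the style NCSC's password guidance recommends: candidates are lowercased, common character substitutions are undone, and the result is searched for the organisation's own names and for a short list of well-known weak words, so "L0uvre-CCTV-2026" fails for the same reason "Louvre" does. The word lists, the substitution table and the minimum length are assumptions.

```python
"""Context-specific password denylist check. Added example for this page, not
the article's code; the word lists, substitution map and minimum length are
assumptions a real deployment would tune."""
import re

# Assumed generic denylist; real deployments use a large breached-password list.
COMMON = {"password", "welcome", "letmein", "qwerty", "admin"}

# Undo the substitutions people use to sneak a banned word past a naive filter.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def normalise(password):
    """Lowercase, undo common substitutions, then drop anything non-alphabetic
    so that 'L0uvre-CCTV-2026' and 'louvrecctv' compare equal."""
    return re.sub(r"[^a-z]", "", password.lower().translate(LEET))


def password_rejected(password, org_terms, min_len=12):
    """Return the reason a password is rejected, or None if it passes.

    org_terms: names of the organisation, site, product or system that an
    attacker would guess first (for the museum: {"louvre", "cctv"}).
    Longest terms are tested first so the most specific match is reported."""
    if len(password) < min_len:
        return "too short"
    core = normalise(password)
    for word in sorted(set(org_terms) | COMMON, key=len, reverse=True):
        # Ignore very short terms: 3-letter substrings match far too much.
        if len(word) >= 4 and word in core:
            return f"contains banned term '{word}'"
    return None


if __name__ == "__main__":
    terms = {"louvre", "cctv"}
    for candidate in ("Louvre", "L0uvre-CCTV-2026", "correct-horse-battery-staple"):
        print(f"{candidate!r}: {password_rejected(candidate, terms) or 'accepted'}")
```

Substring matching after normalisation is deliberately blunt: it will reject the occasional legitimate passphrase that happens to contain a banned word, and that trade-off is acceptable for a system password that protects a building's cameras.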

Vulnerability management tends to follow a similar path. Patching is rarely ignored outright; instead it is delayed, deferred and worked around, often for understandable reasons. Each decision feels small, but the cumulative effect is not. When an incident eventually occurs, it is often described as sophisticated or unavoidable, even when the weakness involved had been known about for some time and could have been resolved easily.

Physical security is another area where everyday behaviour quietly undermines formal controls. We have all seen people wearing work badges in public places or holding secure doors open because it feels impolite not to. These moments are easy to dismiss, but they say a lot about how security is experienced day to day. In environments where physical access can be the door opener for cyber compromise, those behaviours carry more weight than many organisations realise.

Third-party risk is similar. Businesses rely on suppliers to function, and that reliance grows each year. Initial checks are usually done with good intent, but ongoing scrutiny is harder to sustain. Access persists, assumptions build, and visibility fades. When incidents occur through these routes, the surprise often comes from how little the organisation really knew about its own exposure.

Response and recovery are where many of these gaps finally surface. Plans exist, backups are in place, and there is confidence that people will respond sensibly under pressure. In reality, uncertainty plays a bigger role than expected. Decisions take longer and responsibilities are less clear. Recovery takes more effort than anticipated, and the delay that uncertainty causes often does as much damage as the original incident.

The reason the basics continue to be missed is not a lack of knowledge or capability. It is that foundational security work rarely feels urgent, and it competes constantly with an ever-changing risk landscape and with slick tools and initiatives that promise growth, efficiency or innovation. The basics do not generate visible wins when they work, and they rarely fail in isolation. As a result, risk accumulates quietly, normalised by the absence of immediate consequence.

The organisations that make genuine progress take a different approach. They accept that security fundamentals require ongoing attention, not periodic clean-up. Access is treated as something that changes continuously, physical security is reinforced through everyday behaviour rather than policy alone, and response and recovery are practised because disruption is assumed, not because it is feared.

As 2026 progresses, the question is no longer whether threats will continue to evolve. They will. The more challenging question is whether organisations are prepared to be disciplined about the things they already know matter. Until the basics are given the same weight as innovation and growth, we will continue to see familiar failures surface in very public ways, followed by the same uncomfortable question of how something so simple was missed again.

Monday, 31 March 2025

UK Cybersecurity Weekly News Roundup - 31 March 2025

Welcome to this week's edition of our cybersecurity news roundup, bringing you the latest developments and insights from the UK and beyond.

UK Warned of Inadequate Readiness Against State-Backed Cyberattacks

Cybersecurity experts have sounded the alarm over the UK's growing vulnerability to state-sponsored cyber threats. A recent report by the National Cyber Security Centre (NCSC) shows a 16% increase in severe cyber incidents affecting national infrastructure in 2024. A worrying 64% of public sector IT leaders said they are unsure about best practices, with legacy systems worsening the risk. As digital transformation accelerates, public infrastructure like energy and healthcare face increasing exposure to ransomware and espionage. Read more

NCSC Publishes Roadmap for Post-Quantum Cryptography Migration

The NCSC has published official guidance on migrating to post-quantum cryptography (PQC) to protect against future quantum computing threats. The document urges critical infrastructure operators to begin preparations now and sets out three milestones: by 2028, complete discovery of where cryptography is used, define migration goals and produce an initial plan; by 2031, carry out the highest-priority migration activities and refine that plan; by 2035, complete migration across all systems. The roadmap highlights the need for cryptographic agility and risk-based planning in anticipation of quantum threats. Read more

UK Government to Update Software Vendor Security Code of Practice

Following a public consultation, the UK government will publish a revised voluntary code of practice for software vendors later this year. The updated framework will include clearer technical requirements and a new attestation mechanism for vendors to demonstrate compliance. The initiative aims to raise the standard of cybersecurity in commercial software used by UK businesses and public services. Read more

Google Patches Actively Exploited Chrome Zero-Day (CVE-2025-2783)

Google has released an emergency update for Chrome to patch CVE-2025-2783, a high-severity zero-day vulnerability that was being actively exploited in the wild. The flaw, in the Mojo inter-process communication component on Windows, allowed attackers to escape the Chrome sandbox; Kaspersky, which reported it, found it being used in a targeted espionage campaign. All users, and Windows users in particular, are urged to update their browsers immediately. This was the first Chrome zero-day patched in 2025 that was confirmed to be exploited in the wild. Read more

UK Considers Ransomware Payment Ban for Public Sector

A proposal to ban ransomware payments by UK public sector and critical infrastructure organizations is under review. While the policy aims to discourage threat actors, experts warn that it may increase the pressure on under-prepared organizations and push attacks toward entities with no ability to recover quickly.

Monday, 24 March 2025

UK Cybersecurity Weekly News Roundup - 23 March 2025

Welcome to this week's edition of our cybersecurity news roundup, bringing you the latest developments and insights from the UK and beyond.

NHS Scotland Confirms Cyberattack Disruption

On 20 March 2025, NHS Scotland reported a major cyber incident that caused network outages across multiple health boards. The cyberattack disrupted clinical systems and led to delayed patient care, with staff reverting to paper-based processes. The incident has been linked to a suspected ransomware group, although official attribution is still pending. Investigations are ongoing with support from the National Cyber Security Centre (NCSC).

Further coverage from The Register confirmed that some systems were taken offline to prevent further spread, while emergency care remained operational. The affected regions included NHS Dumfries and Galloway, which issued a statement urging patients to only attend if absolutely necessary. (Read more on The Register)

NCSC Weekly Threat Report – 22 March 2025

The NCSC's latest threat report highlights ongoing exploitation of known vulnerabilities in Progress Telerik UI by state-aligned threat actors. The report urges UK organisations to patch vulnerable systems immediately, as attackers continue to target unpatched web servers.

Additionally, the NCSC notes an increase in malicious QR code campaigns—so-called "quishing"—where attackers embed phishing URLs into QR codes used in emails, posters, or even receipts. Organisations are advised to educate staff and implement QR code scanning policies.

Cyber Threats on the Rise as UK Eyes General Election

As the UK gears up for a general election later this year, the NCSC has raised concerns over potential interference campaigns and disinformation efforts by hostile states. Security services are reportedly on high alert, coordinating with political parties to bolster cyber resilience. While no major incidents have been reported yet, the threat landscape is being closely monitored.

Quick Bytes

  • New phishing campaign mimics HMRC emails demanding urgent tax repayment. Be vigilant and double-check all official correspondence.
  • UK universities warned of increased targeting by espionage-motivated groups, particularly in the fields of AI and quantum computing.
  • ICO fines a London-based telemarketing firm £130,000 for unlawful data use and non-compliance with GDPR.

That’s all for this week! Stay tuned for more updates, and follow best practices to keep your systems secure.

Sunday, 16 March 2025

UK Cybersecurity Weekly News Roundup - 16 March 2025

Welcome to this week's edition of our cybersecurity news roundup, bringing you the latest developments and insights from the UK and beyond.

UK Government's Stance on Encryption Raises Global Concerns

The UK government has ordered Apple to provide backdoor access to iCloud users' encrypted backups under the Investigatory Powers Act of 2016. This secret order applies not just to UK users but potentially to Apple users worldwide. In response, Apple has removed its Advanced Data Protection feature in the UK, expressing disappointment. This move has significant implications, raising concerns about global user privacy and security. Experts argue that creating backdoors compromises overall security, potentially allowing malicious entities to gain access. Apple's compliance or resistance will set a precedent for other governments seeking similar access. Read more

Sellafield Nuclear Site Improves Physical Security Amid Cybersecurity Concerns

Sellafield, the world's largest plutonium store, has been taken out of special measures for physical security by the UK's nuclear industry regulator, the Office for Nuclear Regulation (ONR). This decision follows significant improvements in guarding arrangements, allowing routine inspections instead of enhanced regulatory oversight. However, concerns regarding its cybersecurity remain. Last year, Sellafield was fined almost £400,000 for cybersecurity failings, allegedly involving hacking groups linked to Russia and China. While there was no conclusive evidence of a successful cyber-attack, cybersecurity remains a critical concern. Read more

UK Businesses Face Significant Financial Impact from Cyberattacks

In the past five years, cyberattacks have cost British businesses approximately £44 billion ($55.08 billion) in lost revenue, with 52% of private sector companies experiencing at least one attack during that period, according to insurance broker Howden. On average, these attacks cost companies 1.9% of their annual revenue. Larger companies, with over £100 million in annual revenue, are more likely to be targeted. Despite the significant risk, only 61% of businesses employ anti-virus software, and only 55% use network firewalls, due to cost and lack of internal IT resources. Read more

Global Sanctions Target Russian Cybercrime Network

The United States, United Kingdom, and Australia have jointly sanctioned Zservers, a Russian bulletproof web-hosting service provider, and two Russian operators linked to it for supporting the LockBit ransomware syndicate. The U.S. Treasury Department's Office of Foreign Assets Control, along with its U.K. and Australian counterparts, targeted Zservers for facilitating LockBit attacks by providing specialized servers resistant to law enforcement actions. Lock

Sunday, 9 March 2025

UK Cybersecurity Weekly News Roundup – 9 March 2025

Welcome to this week's edition of our cybersecurity news roundup, bringing you the latest developments and insights from the UK and beyond.

Microsoft Engineer's Transition to Cybersecurity

Ankit Masrani, a 36-year-old software engineer, successfully transitioned into a cybersecurity role at Microsoft. With a background in IT and a Master's degree in computer science, Masrani secured an internship and later a full-time position at AWS, focusing on data and network security. He now serves as a principal software engineer on Microsoft's Security Platform team, emphasizing the importance of skills in big data technologies, machine learning, cloud services, and comprehensive security knowledge for such career pivots. Read more

StubHub Breach: Taylor Swift Tickets Stolen

Cybercriminals exploited a backdoor in StubHub's system, stealing nearly 1,000 tickets, primarily for Taylor Swift's Eras Tour, resulting in over $600,000 in profits. The breach highlights vulnerabilities in ticketing platforms and the need for robust cybersecurity measures to protect consumer interests. Learn more

UK's Cyber Security and Resilience Bill Introduced

The UK government has introduced the Cyber Security and Resilience Bill, aiming to update existing regulations and strengthen the nation's cyber defenses. The legislation seeks to expand regulatory oversight, enforce stringent cybersecurity measures across various sectors, and introduce mandatory compliance with established standards to protect critical infrastructure and the digital economy. Details here

British Library Cyberattack: A Wake-Up Call

In October 2023, the British Library suffered a significant ransomware attack by the Rhysida group, leading to the theft of approximately 600GB of data. The attack disrupted services, delayed payments to authors, and highlighted vulnerabilities in cultural institutions. Recovery efforts are ongoing, emphasizing the need for robust cybersecurity measures in public sector organizations. More information

Global Impact: US Charges Chinese Hackers

The US Department of Justice has charged 12 Chinese nationals, including hackers and government officials, for their roles in extensive cybercrime campaigns targeting dissidents, news organizations, U.S. agencies, and universities. This action underscores the growing concerns over state-sponsored cyber espionage and the need for international cooperation in cybersecurity. Read the full story

Protecting Your Devices: Recent TV Box Malware Attack

TV owners are urged to perform essential security checks following a cyber attack affecting 1.6 million Android TV devices. Hackers infiltrated home networks through TVs, stealing data and using devices to mine cryptocurrencies, leading to increased energy bills. Users should update devices, uninstall unused apps, install anti-malware software, and avoid third-party vendors to safeguard against such threats. Learn how to protect your devices

Stay informed and vigilant to protect your digital assets in this evolving cybersecurity landscape.

Monday, 3 March 2025

UK Cybersecurity Weekly News Roundup – 2 March 2025

UK Government's Encryption Demands Lead to Apple's Data Protection Withdrawal

The UK government has mandated that Apple provide access to encrypted iCloud backups under the Investigatory Powers Act of 2016. In response, Apple has withdrawn its "Advanced Data Protection" feature for UK users, citing concerns over user privacy and security. This move has sparked a global debate on the balance between national security and individual privacy rights. Read more

International Sanctions Target Russian Cybercrime Network

The United States, United Kingdom, and Australia have jointly imposed sanctions on Russian web-hosting provider Zservers and two Russian nationals for supporting the ransomware group LockBit. This group has been linked to numerous high-profile cyberattacks, including those on Boeing and the UK's National Health Service, extorting over $120 million since 2019. Learn more

Sellafield Nuclear Site Improves Physical Security Amid Cybersecurity Concerns

The UK's Office for Nuclear Regulation has acknowledged significant improvements in physical security at the Sellafield nuclear site, leading to its removal from special measures. However, ongoing cybersecurity challenges persist, highlighting the need for continued vigilance in protecting critical infrastructure. Details here

Google Expands AI Initiatives in Poland to Enhance Energy and Cybersecurity

Google has signed a memorandum with Poland to develop artificial intelligence applications in the energy and cybersecurity sectors. This initiative aims to bolster Poland's technological infrastructure and reduce reliance on external energy sources, amidst increasing cyber threats. More information

US Department of Homeland Security Overhauls Cybersecurity Personnel

The Department of Homeland Security is set to terminate 12 employees from the Cybersecurity and Infrastructure Security Agency involved in monitoring misinformation. Additionally, all election security activities are temporarily paused to assess implications on free speech, reflecting ongoing debates about the role of federal agencies in regulating information. Read the full story

AI Safety Policies Shift Focus Towards Security

Recent policy changes in the US and UK are reframing AI safety as a security-focused issue, potentially sidelining ethical considerations such as bias and content accuracy. This shift has raised concerns among experts about the comprehensive governance of AI technologies. Explore the implications

Polish Space Agency Suffers Cyberattack

The Polish Space Agency (POLSA) detected unauthorized access to its IT infrastructure, prompting immediate security measures. Investigations are underway to identify the perpetrators, amid ongoing concerns about cyber threats targeting national agencies. Find out more

Australian IVF Clinic Hacked, Exposing Sensitive Patient Data

Genea, an Australian IVF clinic, suffered a ransomware attack by the group Termite, compromising nearly a terabyte of sensitive patient data. The breach has raised significant concerns about data security in healthcare institutions. Read more

US Treasury Department Breached by Chinese Hackers

The US Treasury Department disclosed a significant cybersecurity breach attributed to Chinese state-sponsored actors. The attackers accessed unclassified documents, highlighting vulnerabilities in federal cybersecurity defenses. Learn more

UK's War on Encryption Affects Global User Privacy

The UK's demand for access to encrypted iCloud data under the Investigatory Powers Act has led to Apple's withdrawal of its Advanced Data Protection feature for UK users. This move has significant implications for global user privacy and sets a concerning precedent for government overreach into personal data. Read the a

Monday, 24 February 2025

UK Cybersecurity Weekly News Roundup – 24 February 2025

Welcome to this week's edition of our cybersecurity news roundup, bringing you the latest developments and insights from the UK and beyond.

Home Office Contractor's Data Collection Sparks Privacy Concerns

The Home Office faces scrutiny after revelations that its contractor, Equifax, collected data on British citizens while conducting financial checks on migrants applying for fee waivers. A report mistakenly sent to the Refugee and Migrant Forum of Essex and London (Ramfel) contained information on 260 individuals dating back to 1986, raising significant privacy issues. The Home Office has ceased using Equifax for visa fee waiver processing pending an investigation into the potential data breach. Read more

Apple Withdraws Advanced Data Protection in the UK Amid Government Dispute

Apple has removed its Advanced Data Protection (ADP) feature for UK users following a dispute with the British government. The government demanded access to encrypted material on Apple's iCloud under new evidence-collection powers. Apple, opposing the creation of a "back door" to its encryption service, opted to discontinue ADP in the UK. This decision highlights ongoing tensions between tech companies and governments over privacy and security regulations. Learn more

Sellafield Nuclear Site Improves Physical Security but Cyber Concerns Persist

The UK's Office for Nuclear Regulation (ONR) has removed Sellafield nuclear site from special measures concerning physical security, citing significant improvements. However, concerns over cybersecurity remain. Sellafield has been under scrutiny due to previous safety issues and cybersecurity deficiencies. Collaborative efforts are ongoing to address these challenges as the site continues to manage the nation's nuclear waste. Full story

UK Government Introduces AI Cybersecurity Standards

The UK government has unveiled a new Code of Practice aimed at protecting AI systems from cyber-attacks. This initiative seeks to provide businesses and public services with guidelines to secure AI technologies, thereby safeguarding the digital economy. The voluntary code is expected to form the basis of a global standard for AI security, reinforcing the UK's position as a leader in safe technological innovation. Details here

Cyberattacks Cost UK Businesses Over £40 Billion in Five Years

Recent findings reveal that cyberattacks have cost British businesses approximately £40 billion in lost revenue over the past five years. More than half of private sector companies have experienced at least one attack, with compromised emails and data theft being the most common threats. Despite the increasing risks, many businesses lack adequate cybersecurity measures, often due to high costs and limited IT resources. Read the report

Stay tuned for more updates and insights in our next weekly roundup.

Monday, 13 September 2021

Prevention is Better Than Cure: The Ransomware Evolution

Ransomware tactics have continued to evolve over the years, and ransomware remains a prominent threat to both SMBs and larger organisations. Particularly during the peak of COVID-19, research by IBM found that ransomware incidents ‘exploded’ in June 2020, which saw twice as many ransomware attacks as the month prior, taking advantage of remote workers being away from the help of IT teams. The same research found that attackers' demands are also increasing, to as much as £31 million, which for a business of any size can threaten its survival.

In recent months, ransomware attacks have not left mainstream media headlines. And with the number and frequency of ransomware attacks increasing, not to mention the innovation in distribution methods, this should be a wake-up call for organisations to strengthen their defences. Jack Garnsey, Product Manager for Security Awareness Training and SafeSend at VIPRE, explains that by taking a preventative approach, businesses can take the necessary steps to strengthen their cybersecurity posture. This includes a combination of education, processes, hardware and software to detect, combat and recover from such attacks if they were to arise.

Ransomware in the 21st Century
Ransomware is not a new phenomenon, but its use has grown exponentially and has led to the development of the term ‘Ransomware as a Service’ (RaaS), which is a subscription-based model that enables affiliates to use already-developed ransomware tools to execute attacks.

As ransomware incidents become more sophisticated and frequent, such as the increase in fileless attacks which exploit tools and features that are already available in the victim’s environment, the level of potential damage to a business is heightened. These types of attacks can be used in combination with social engineering targeting, such as phishing emails, without having to rely on file-based payloads. And unfortunately, ransomware is extremely difficult to prevent – all it takes is one employee clicking on the wrong link in an email or downloading a malicious attachment.

No matter the size of an organisation, the effects of ransomware can be devastating financially, as well as inflicting longer-term damage to business reputation. The Irish Department of Health and Health Service Executive (HSE) was recently attacked by the Conti ransomware group, who reportedly asked the Health Service for $20 million (£14 million) to restore access. This attack caused substantial cancellations to outpatient services, part of a system already stretched to the max due to COVID-19. Some ransomware gangs operate by a flimsy code of "ethics", stating they don't intend to endanger lives, but even if a minority of ransomware organisations are developing a sense of conscience, businesses are not exempt from the damage that such attacks can do.

Additionally, in the US, Colonial Pipeline paid the cyber-criminal group DarkSide nearly $5m (£3.6m) in ransom, following a cyber-attack that took its service down for five days, causing supplies to tighten across the US. Unfortunately, when under attack, many businesses, as the pipeline operator did, pay the ransom. Luckily for Colonial Pipeline, some of the money was later recovered by the American Department of Justice's Ransomware and Digital Extortion Task Force. But if they pay once, they will pay multiple times. A successful ransomware attack can be reused many times against many organisations, turning an attack into a cash cow for criminal organisations offering Ransomware as a Service. So much so that there is now an ongoing debate around whether it should be illegal for a business or an individual to pay a ransom, in order to deter attackers, or at the very least whether paying should have to be reported to the relevant regulators.

Contain and Report It
If a ransomware attack were to take place, it is important that the organisation works with local authorities to try to rectify the issue and follow the guidance. Often, many ransomware attacks go unreported – and this is where a lot of criminal power lies.

Prevention is always better than cure, and damage limitation and containment are important right from the outset. As the United States President, Joe Biden, highlighted in his recent letter to business leaders around ransomware: “The most important takeaway from the recent spate of ransomware attacks on U.S., Irish, German and other organizations around the world is that companies that view ransomware as a threat to their core business operations, rather than a simple risk of data theft will react and recover more effectively.”

Most organisations should have a detailed disaster recovery plan in place and if they don’t, they should rectify this immediately. The key to every disaster recovery plan is backups. Once the breach has been contained, businesses can get back up and running quickly and relatively easily, allowing for maximum business continuity.

As soon as the main threat has passed, it is recommended that all organisations conduct a full retrospective audit, ideally without blame or scapegoats, and share their findings and steps taken with the world. Full disclosure is helpful – not only for the customer, client or patient reassurances but also for other organisations to understand how they can prevent an attack of this type from being successful again.

The Support of Digital Tools
When it comes to ransomware, the importance of getting security foundations right must be emphasised. These attacks are not likely to stop or slow any time soon, but their success can be prevented with the right security armoury.

To mitigate the threat of ransomware in particular, it is crucial to have secure endpoint protection in place which protects the file, application and network layers across all of an organisation's devices and responds to security alerts in real time. This has never been more important than during the ongoing pandemic, with employees dispersed and working from home, where it ensures all devices are protected and held to the same standards.

Additionally, solutions such as email attachment and URL sandboxing are also vital, as these digital tools provide strong protection against malicious emails. They can help prevent dangerous links, attachments or other forms of malware from reaching the user's inbox by examining and quarantining them. By filtering out this traffic and automatically restricting dangerous content, businesses can maintain greater control over email and the access points to the network.

The Human Layer
The users themselves are a key part of any security strategy. Those who are educated about the types of threats they could be vulnerable to, how to spot them and the steps to take in the event of a suspected breach, are a valuable and critical asset to any organisation.

Employees need to be trained to be vigilant, cautious and suspicious, and to assume their role as the last line of defence when all else fails. The final decision to click send on an email or to click a link lies with the human, but this one click could mean the entire organisation falls prey to a ransomware attack. The key is to change the mindset from full reliance on IT to one where everyone is responsible. In order to strengthen a business's human layer protection, security awareness training and education must be implemented across the board.

These programmes are designed to support users in understanding the role they play in helping to combat attacks and malware. Using phishing simulations, for example, as part of the wider security strategy, will help to give employees insight into real life situations they may face at any point. The importance of testing your human firewall was also outlined in Joe Biden’s ransomware letter: “Use a 3rd party pen tester to test the security of your systems and your ability to defend against a sophisticated attack. Many ransomware criminals are aggressive and sophisticated and will find the equivalent of unlocked doors.”

Conclusion

Cyber security is a multi-faceted, complicated area, and one which must receive investment in each layer, from the technology to the people, to the tools we give to the users. Nevertheless, businesses of all sizes can safeguard their data and themselves from these types of ransomware attacks by investing in their cybersecurity and ensuring their workforces are conscious and informed of the threats they face.

Both detection and prevention play a key role in stopping ransomware, but it shouldn’t be one or the other. The essence of a solid cybersecurity strategy is a layered defence that includes endpoint detection and response, email security, advanced threat protection, web security and a business-grade firewall for the security of your network – at its most basic. But even with the most sophisticated software in place, hackers make it their mission to stay one step ahead of IT defences. That is why regular training, in addition to complementary security tools which reinforce security best practices, can provide a fortified strategy for users to mitigate the threat of a cyberattack.