How training employees about ransomware can mitigate cyber risk
Ransomware has been on the rise, making headlines and entering boardroom discussions, with more than one-third of businesses globally reporting being hit with ransomware in 2021. Yet, despite today’s threatscape and cybersecurity risk being a top concern for executives, recent research revealed that only 36% of surveyed business leaders said their enterprises offer ransomware-focused security training.
With ransomware as a key driver of cybersecurity risk, this slow adoption of training has highlighted that businesses are leaving one of their best lines of defense — their employees — unprepared to detect and report threats. A poorly trained workforce can leave even the most sophisticated networks vulnerable to a ransomware attack if they click on a suspicious link or mistakenly open an infected attachment.
For business owners and security leaders, the silver lining of the 2021 ransomware epidemic is that now is the perfect time to secure and educate their workforce in a relevant and timely way.
Phishing simulations & training
What is ransomware?
Ransomware is a type of malicious software or malware designed to take over a computer. It works by encrypting files on a computer, making them inaccessible until the victim pays the ransomware operator a sum of money, usually in cryptocurrency (favored for its anonymity and ease of online transaction). The ransom payment is demanded within a specific time window, usually hours or days after infection occurs, with a threat to publish or delete the encrypted data if the victim refuses to, or cannot, pay.
As with most malware distribution, ransomware is most commonly deployed via email — often through phishing attacks — or exploit kits (from malicious ads).
Ransomware attacks can cause extensive damage to organizations of all sizes and types but are especially damaging to an organization whose backups are not adequate or up to date. The costs of a ransomware attack to an organization go beyond just the ransom to regain access to their systems and data, as the reputation and legal jeopardy can be significant enough to threaten the future of many businesses.
Employee training helps decrease the risks of a ransomware incident
Your company will likely not be targeted for ransomware on a massive scale. Instead, most attacks are conducted against individuals or small teams within an organization to access the wider organization’s network.
With employees as the first line of defense against cyber risk, one of the easiest ways to begin is by teaching employees how to recognize and avoid common social engineering attacks used to trick them into revealing sensitive information about themselves or their company.
Training employees on how to spot and report suspicious emails can go a long way in helping your business mitigate cyber risk. When trained properly, businesses can detect and mitigate potential phishing and ransomware attacks before they happen. The result? The organization saves both time and money from ransomware payments, downtime and remediation.
What to include in a ransomware training program
Ransomware prevention training should cover several basics: what ransomware is, what it does and the various ways hackers deploy ransomware.
Since phishing is the most common and effective method to spread ransomware, an effective ransomware training program should include ways to mitigate phishing attacks and how phishing can specifically lead to ransomware attacks.
Ransomware can also spread through social engineering tactics, removable media (such as thumb drives) and malicious websites, so a comprehensive training program should also address these topics.
ChatGPT training built for everyone
A practical ransomware training should include the following key topics:
- Ransomware basics. Employees are reading about ransomware in the news daily. The first step to turning them into security advocates is to teach them how their actions play into protecting the organization against ransomware specifically.
- How to recognize a phishing email, text message or social media message. Teach employees to check for red flags — poor spelling and grammar, use of generic salutations such as “Dear Customer” rather than actual names, unusual sender email addresses (e.g., @gmail), requests for personal information from unknown senders and links that direct recipients to a website other than what the link initially appeared as.
- How to recognize a phishing website or app. Show employees how to check to see if a link will take you somewhere safe by hovering over it and reviewing the URL before clicking. Teach them how to compare that to where the email says it’s taking them and see if they match up. For shortened URLs, use common unshortening sites such as Unshorten.It or URL X-ray to unmask the link’s destination before clicking it.
- How to use removable media (USB). Seemingly innocent devices such as USB thumb drives are commonly used to infect employees’ devices and deploy malware or ransomware. With employees working remotely, it’s essential to keep them aware of the risks of plugging unknown devices into their computers.
- How to report and respond to threats. Beyond detecting a threat, one of the essential ransomware education elements is teaching employees how to report them when they occur. For example, if they receive an email that is suspected of containing ransomware — but isn’t labeled explicitly — they should be trained to avoid opening it and instead forward it directly to their IT department to take appropriate action before any damage occurs.
To be truly effective, training cannot be an annual event but must be an ongoing process. If employee training starts to feel repetitive, shift focus to new techniques and tactics as they emerge — a salient example such as attacks that leverage today’s hybrid and work-from-home environments. These are becoming more common because they can be difficult to detect remotely.
Tailoring your training to your employees
No matter the topic, it’s essential to tailor cybersecurity education training to the different roles in your organization and how they access data. Training your C-suite, security and accounting teams should all be different because the threats they will encounter will be different. It’s important to have a plan based on their access and the impact an attack targeting that individual/role would have on the organization.
An excellent example of this is executive teams or business owners. As they often have access to sensitive information and more of the network than other employees, these individuals are often the target of “whale phishing” attacks, designed to “spear” high-level executives who are often busy, moving quickly and have high-level access and permissions in the business.
For IT and technical teams, there’s an entirely different set of topics and training they should receive to help protect the organization. As with the rest of the organization, IT and technical teams benefit from ransomware-specific training, from basics such as prevention and detection to in-depth topics such as incident response and forensics investigation.
Training your employees to detect ransomware can save your business money and time
The best way to protect against ransomware is to prevent it with a comprehensive security awareness training program. Training your employees can mitigate the risk of a ransomware attack within your organization while also providing them with the knowledge to spot suspicious behavior.
If your organization doesn’t have an in-house IT department or information security team, there are several resources available online that can help you create and deploy a security awareness training program that’s right for you.
As the saying goes, “An ounce of prevention is worth a pound of cure.” Investing a small amount of time and effort to train your employees about ransomware can pay dividends by reducing the risk of a costly cyber incident.
Phishing simulations & training
Sources
- Securing the new hybrid workplace, Entrust
- The State of Ransomware 2021, Sophos
- Reduce security events
- Reinforce cyber secure behaviors
- Strengthen cybersecurity culture at your organization
In this Series
- How training employees about ransomware can mitigate cyber risk
- Digital identity management: Balancing usability, security and privacy
- Why aren’t more women in cybersecurity, and how can we fix it?
- ChatGPT and the strengths and limitations of cognitive AI
- Cybersecurity automation: Tips to do it right in your organization
- Advancements in online safety: Combating cyberbullying and protecting vulnerable communities
- How small and medium businesses (SMBs) can fast-track a disaster recovery plan
- What it takes to qualify for the US Cyber Games team
- The changing role of a ransomware negotiator
- Protecting K-12 schools from cyber threats: The case of Vice Society
- A deep dive into GitHub's security strategies
- Data storage security isn't working: Here are 5 ways to improve
- Protect your data with zero-trust networks
- 3 cybersecurity automation tools that your IT department needs now
- One phishing attack could expose your entire hospitality network
- Privacy compliance and security: Are you collecting too much data?
- API security best practices: What you need to know
- Considerations when using open source to build an identity system
- Security as a service: 11 categories you should know
- The impact of open source on cybersecurity
- Cybersecurity jobs are in demand. C-level IT executives needed!
- 6 cybersecurity truisms the industry needs to rethink
- 2022 cybersecurity spending trends: Where are organizations investing?
- Will corporate support for Fast ID Online [FIDO] mean mass adoption? If so, what does that mean for security and identity?
- Twitter’s cybersecurity whistleblower: What it means for the community
- Top 5 cybersecurity questions for small businesses answered
- What Is zero-trust security, and should your business adopt it?
- What’s next in cybersecurity: Predictions from Andrew Howard
- Today’s IT job market: Beyond fear, uncertainty and doubt
- Third-party authentication (OAuth): Good or bad for security?
- Two basic actions that reduce enterprise cyber risk by 60%
- 4 key takeaways from the 2022 Verizon DBIR report
- Four examples of human error in cybersecurity — and how to fix them
- Five ethical decisions cybersecurity pros face: What would you do?
- How to become an ethical hacker: Tips from Offensive Security CEO Ning Wang
- Shaking up security awareness: How one organization is building a culture of security
- Security Culture: TikTok CISO says this trend is here to stay
- IT skills advice from IDC's IT education and certifications expert
- Managing a security awareness program: Carrots, sticks, and repeat offenders
- Reducing IT’s carbon footprint: Good for business as well as the environment
- How Booz Allen Hamilton keeps their security team secure and compliant in a hybrid world
- 5 tactics to improve cybersecurity hiring results
- Top 9 effective vulnerability management tips and tricks
- SOC integration: Creating a well-built portfolio vs. a frankenstack
- Cybersecurity hiring: Why employer and higher ed collaboration is key
- After certification: Investing in employees' cybersecurity career pathways
- Where do ransomware, cyber education and cyber insurance intersect?
- Could psychology be the key to cybersecurity awareness? Research points to yes
- How IT pros can keep their organization on the cutting edge
- Cyber talent diversity: It's time to redefine the face of security
- Cybersecurity and Windows 11: What you need to know
- Reduce security events
- Reinforce cyber secure behaviors
- Strengthen cybersecurity culture at your organization
Industry insights
Digital identity management: Balancing usability, security and privacy
Industry insights
Why aren’t more women in cybersecurity, and how can we fix it?
Industry insights
Industry insights
Cybersecurity automation: Tips to do it right in your organization