How training employees about ransomware can mitigate cyber risk
Ransomware has been on the rise, making headlines and entering boardroom discussions, with more than one-third of businesses globally reporting being hit with ransomware in 2021. Yet, despite today’s threatscape and cybersecurity risk being a top concern for executives, recent research revealed that only 36% of surveyed business leaders said their enterprises offer ransomware-focused security training.
With ransomware as a key driver of cybersecurity risk, this slow adoption of training has highlighted that businesses are leaving one of their best lines of defense — their employees — unprepared to detect and report threats. A poorly trained workforce can leave even the most sophisticated networks vulnerable to a ransomware attack if they click on a suspicious link or mistakenly open an infected attachment.
For business owners and security leaders, the silver lining of the 2021 ransomware epidemic is that now is the perfect time to secure and educate their workforce in a relevant and timely way.
What is ransomware?
Ransomware is a type of malicious software (malware) designed to take over a computer. It works by encrypting files on the machine, and often on any network shares the machine can reach, making them inaccessible until the victim pays the ransomware operator a sum of money, usually in cryptocurrency (favored because it is pseudonymous and easy to move online). The ransom is demanded within a specific time window, usually hours or days after infection, with a threat to destroy the decryption key or, where the attackers also stole data before encrypting it, to publish that data if the victim refuses to pay or cannot pay.
As with most malware distribution, ransomware is most commonly delivered by email, often through phishing attacks, or by exploit kits reached through malicious advertising or compromised websites.
Ransomware attacks can cause extensive damage to organizations of all sizes and types, but they are especially damaging to an organization whose backups are not adequate, not up to date, or reachable from the infected machines. The costs of a ransomware attack go well beyond the ransom paid to regain access to systems and data: downtime, recovery work, reputational damage and legal exposure can be significant enough to threaten the future of many businesses.
Employee training helps decrease the risks of a ransomware incident
Your company will likely not be hit by ransomware across the whole organization at once. Instead, most attacks begin with one individual or a small team: the attacker tricks them into running a malicious attachment or entering credentials on a fake login page, then uses that foothold to move into the wider organization’s network.
Because employees are the first line of defense against this kind of initial access, one of the easiest places to begin is teaching them how to recognize and avoid the common social engineering attacks used to trick them into revealing sensitive information about themselves or their company, or into opening something they should not.
Training employees to spot and report suspicious emails can go a long way toward helping your business mitigate cyber risk. A properly trained workforce lets the business detect and contain a phishing attempt before it turns into a ransomware incident. The result? The organization saves both time and money on ransom payments, downtime and remediation.
What to include in a ransomware training program
Ransomware prevention training should cover several basics: what ransomware is, what it does and the various ways hackers deploy ransomware.
Since phishing is the most common and effective method to spread ransomware, an effective ransomware training program should include ways to mitigate phishing attacks and how phishing can specifically lead to ransomware attacks.
Ransomware can also spread through social engineering tactics, removable media (such as thumb drives) and malicious websites, so a comprehensive training program should also address these topics.
A practical ransomware training should include the following key topics:
- Ransomware basics. Employees are reading about ransomware in the news daily. The first step to turning them into security advocates is to teach them how their actions play into protecting the organization against ransomware specifically.
- How to recognize a phishing email, text message or social media message. Teach employees to check for red flags: poor spelling and grammar, generic salutations such as “Dear Customer” rather than their actual name, a sender address that does not match the display name (for example, a message signed by the “IT Helpdesk” but sent from a @gmail.com address or from a look-alike of the company domain), a Reply-To address that differs from the sender, requests for personal information or credentials from unknown senders, artificial urgency (“within 24 hours”), and links whose visible text names one site while the underlying link points somewhere else.
- How to recognize a phishing website or app. Show employees how to check where a link really goes by hovering over it and reviewing the URL before clicking, then comparing that to where the email says it is taking them. Teach them to read the domain, not just the beginning of the address: “mail.example.com.account-verify.net” is not the company’s domain, even though it starts that way. For shortened URLs, use an unshortening service such as Unshorten.It or URL X-ray to unmask the link’s destination before clicking it. Note that hovering is not available on most phones, so employees working from mobile devices should treat unexpected links as suspicious by default and open the site by typing its address themselves.
- How to use removable media (USB). Seemingly innocent devices such as USB thumb drives are commonly used to infect employees’ devices and deploy malware or ransomware. With employees working remotely, it’s essential to keep them aware of the risks of plugging unknown devices into their computers.
- How to report and respond to threats. Beyond detecting a threat, one of the essential elements of ransomware education is teaching employees how to report it. For example, if they receive an email they suspect of carrying ransomware, even if nothing explicitly labels it as malicious, they should be trained not to open the attachment or click the link and instead to report it to their IT or security team (using the mail client’s report button or forwarding the message as an attachment, so the original headers survive) before any damage occurs. Employees who realize they have already clicked should report that too, immediately and without fear of blame, because early notice is what allows the team to isolate the machine before encryption spreads.
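The red flags listed above can also be checked mechanically, which is a useful way to show employees what they are looking for. The following is an added example and not code from the original article: it parses a constructed sample message and reports the same indicators a trained reader would notice (a freemail or look-alike sender domain, a mismatched Reply-To, a generic salutation, a shortened link, and link text that names a different site than the link actually targets). The organization’s domain, the freemail and shortener lists, and both sample messages are assumptions made for illustration; a production tool would use the Public Suffix List rather than the crude two-label domain check used here.

```python
"""Red-flag checks for a suspicious e-mail.

Added example, not code from the article. OUR_DOMAIN, FREEMAIL, SHORTENERS and
the two sample messages below are constructed for illustration.
"""
import re
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlparse

OUR_DOMAIN = "example.com"  # assumption: the organisation's own domain
FREEMAIL = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com"}  # assumption: short list
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}  # assumption: short list
GENERIC_SALUTATION = re.compile(
    r"\bdear\s+(?:customer|user|valued\s+(?:customer|member)|account\s+holder)\b", re.I)
LOOKS_LIKE_URL = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})", re.I)


def registrable_domain(host: str) -> str:
    """Last two labels of a host name (crude eTLD+1; real tools use the Public Suffix List)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def check_links(html: str) -> list:
    """Flag shortened links and links whose visible text names a different site than the href."""
    flags = []
    collector = _AnchorCollector()
    collector.feed(html)
    for href, text in collector.anchors:
        target = urlparse(href).hostname or ""
        if registrable_domain(target) in SHORTENERS:
            flags.append(f"shortened link hides its destination: {href}")
        shown = LOOKS_LIKE_URL.search(text)  # does the visible text look like an address?
        if shown and registrable_domain(shown.group(1)) != registrable_domain(target):
            flags.append(f"link text shows {shown.group(1)} but points to {target}")
    return flags


def _looks_like_ours(domain: str) -> bool:
    """True for domains that borrow our name but are not our domain (e.g. example-com-verify.net)."""
    return OUR_DOMAIN.split(".")[0] in domain and domain != OUR_DOMAIN


def phishing_flags(raw_email: str) -> list:
    """Return the red flags found in an RFC 5322 message; an empty list means none were found."""
    msg = message_from_string(raw_email, policy=policy.default)
    flags = []

    sender = msg["From"].addresses[0]
    sender_domain = sender.domain.lower()
    if sender_domain in FREEMAIL:
        flags.append(f"freemail sender posing as '{sender.display_name}': {sender.addr_spec}")
    if _looks_like_ours(sender_domain):
        flags.append(f"look-alike sender domain: {sender_domain}")

    reply_to = msg["Reply-To"]
    if reply_to is not None:
        reply_domain = reply_to.addresses[0].domain.lower()
        if reply_domain != sender_domain:
            flags.append(f"Reply-To domain {reply_domain} differs from sender domain {sender_domain}")
        if _looks_like_ours(reply_domain):
            flags.append(f"look-alike Reply-To domain: {reply_domain}")

    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    if GENERIC_SALUTATION.search(text):
        flags.append("generic salutation instead of the recipient's name")
    flags.extend(check_links(text))
    return flags


# Constructed sample: a typical credential-phishing lure with several red flags at once.
PHISH = """\
From: "IT Helpdesk" <helpdesk.example@gmail.com>
Reply-To: support@example-com-verify.net
To: alice@example.com
Subject: Action required: mailbox quota exceeded
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear Customer,</p>
<p>Your mailbox is full. Sign in at
<a href="http://bit.ly/3xyzabc">https://mail.example.com/login</a> within 24 hours.</p>
</body></html>
"""

# Constructed sample: an ordinary internal message that should raise no flags.
CLEAN = """\
From: "Alice Example" <alice@example.com>
To: bob@example.com
Subject: Lunch
Content-Type: text/plain; charset="utf-8"

Hi Bob, see you at noon. Agenda: https://wiki.example.com/lunch
"""

if __name__ == "__main__":
    for name, sample in (("PHISH", PHISH), ("CLEAN", CLEAN)):
        print(name, phishing_flags(sample) or "no red flags")
```

Each flag maps to one bullet in the list above, so the output doubles as a checklist when walking employees through a real sample. The checks are deliberately simple signals, not a spam filter: a legitimate newsletter can use a shortener, and a well-crafted spear-phishing message may trip none of them, which is exactly why the human judgment the training builds still matters.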
To be truly effective, training cannot be an annual event; it must be an ongoing process. If employee training starts to feel repetitive, shift the focus to new techniques and tactics as they emerge. A timely example is attacks that exploit today’s hybrid and work-from-home arrangements, such as a fake IT helpdesk message or a spoofed VPN login page; these are becoming more common because a remote employee cannot simply lean over and ask a colleague whether a request is genuine.
Tailoring your training to your employees
No matter the topic, it’s essential to tailor cybersecurity education training to the different roles in your organization and how they access data. Training your C-suite, security and accounting teams should all be different because the threats they will encounter will be different. It’s important to have a plan based on their access and the impact an attack targeting that individual/role would have on the organization.
An excellent example of this is executive teams or business owners. Because they often have access to sensitive information and to more of the network than other employees, these individuals are frequently the target of “whaling”: spear-phishing aimed specifically at high-level executives, who are often busy, moving quickly and holding broad access and permissions in the business.
For IT and technical teams, there’s an entirely different set of topics and training they should receive to help protect the organization. As with the rest of the organization, IT and technical teams benefit from ransomware-specific training, from basics such as prevention and detection to in-depth topics such as incident response and forensics investigation.
Training your employees to detect ransomware can save your business money and time
The cheapest way to protect against ransomware is to stop it before it starts, and a comprehensive security awareness training program is a central part of that prevention, alongside the tested, up-to-date backups mentioned earlier. Training your employees reduces the likelihood of a ransomware attack succeeding in your organization while also giving them the knowledge to spot and report suspicious behavior.
If your organization doesn’t have an in-house IT department or information security team, there are several resources available online that can help you create and deploy a security awareness training program that’s right for you.
As the saying goes, “An ounce of prevention is worth a pound of cure.” Investing a small amount of time and effort to train your employees about ransomware can pay dividends by reducing the risk of a costly cyber incident.