No organization is safe from ransomware attacks, and the results of those attacks can be devastating. Multiple recent reports have highlighted the fact that ransomware is causing hundreds of millions of dollars in damages, with no end in sight. Nearly 50% of victims have paid up hefty sums to recover access to their data.
The adage is true that security systems have to win every time, but the attacker only has to win once.
Organized crime, in particular, has become active in planning and propagating these attacks. Consider their risk-reward analysis. A ransomware attack can be sent from anywhere in the world, and it can easily be routed through servers world-wide to prevent the attack from being tracked back to its source. Such attacks have a high likelihood of success, and the possibility of being apprehended is extremely low.
So besides building a strong cybersecurity protocol, is there any other way to protect an enterprise from such attacks? One of the most effective means of reducing the threat of ransomware is often overlooked—employee training and education.
To Disclose or Not to Disclose is the Question.
Before turning to the training issue for the employees, there is one preliminary point that bears discussion. Specifically, under current law, is an organization required to disclose it has been the subject of a ransomware attack to its employees?
Most current laws and regulations require companies to notify consumers about instances where there has been unauthorized use or disclosure of protected information. In cases where the hacker has access to the target’s data, notification is a company obligation. On the other hand, if the attack is of a kind where neither the target nor the attacker can access the data, that is something of a grey area.
In the healthcare context, a representative of the Department of Health and Human Services said:
Under HIPAA, an impermissible use or disclosure of protected health information is presumed to be a breach (and therefore, notiﬁcation is required) unless the entity demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment.
Many countries also have murky legislature when it comes to the “responsibility” of notifying customers and employees of data breached. But we suggest that enterprises be open with their employees about such instances. This will help them realize what is at stake when it comes to training to evade ransomware.
Onward the Employees to the Frontlines. Oorah!
In many of the recent attacks, the initial entry point into the target organization has been attributed to employee error. Specifically, employees have clicked on attachments or hyperlinks in email or on web sites that provide the means of compromising their employer’s systems. Ransomware and other exploits are becoming more sophisticated than ever.
While most employees hopefully know by now not to click on an offer from a Nigerian prince to transfer $20,000,000 into their bank account, many do not know the attacks may appear to come from their known and trusted sources. Dummy mails drop in from employee banks, or to confirm airline reservations, and in more sophisticated attacks may even seem come from within the organization. In each case, the emails may appear very genuine, including all relevant company logos and references to their privacy policies.
In other cases, with a little effort by a hacker, an email can be further targeted using an employee’s recent social media postings. For example, the employee may have posted on Twitter that they recently dined at a local restaurant and the hacker could then spoof an email from that restaurant with an offer of a free meal.
Man, what a dystopian world to live in!
Training is Key!
There is no question that proper employee education and training could avoid many ransomware attacks. Most training conducted in this field amounts to little more than a handout provided to employees or, at best, a lunch-time presentation. The knowledge is barely absorbed and quickly lost.
Employee education and training can have a two-fold benefit. Firstly, it helps to secure the employer’s systems, and secondly, it can safeguard the employee’s personal computers and data better (incase your organization uses the BYOD approach). It is that twofold benefit that brings home to employees the importance of this training.
Encouraging Personal Responsibility of Employees
Employees are the frontline of a business’s information security defenses. While technological protections are essential (such as antivirus software, firewalls, spam filters, etc.), none are as useful as a vigilant end user. To that end, a checklist is provided below of measures of which every employee should be aware. By keeping these measures in mind, employees can dramatically increase not only the security of their employer’s systems and data but also their data.
Checklist for Employees
1. Web Sites, Social Media, and Public Email
A) Don’t get hooked on someone’s phishing line.
B) Remember that no public email or messaging service (e.g., services provided by online services such as Google, Yahoo!, Microsoft, Skype, and others) is secure and that all communications will be stored and, potentially, viewed by others.
C) Avoid sending highly sensitive information through unsecured email, texts, or other communications.
D) Do not forward internal emails, documents, or other information to a personal email address or download to personal devices for access outside of your employer’s systems. Your employer cannot protect the information once it’s been removed or shared outside of their systems.
E) When submitting personal or other sensitive information via a website, make sure you see the site’s address begins with https, as opposed to http. Think “s” stands for secure.
F) Think before you submit. Once submitted to a web site or transmitted through online communication service, the information is public.
G) Exercise caution using services and devices that record your communications (e.g., Google Voice, Siri, Cortana, Skype, VOIP applications, mobile app-based texting, etc.).
2. Only Authorized Software
A) Do not download or install unauthorized or unapproved software or applications from the internet.
B) In particular, never install encryption software, remote access, backup, or other similar software without the express approval of your information security personnel.
C) Always be certain of the source of downloaded software (i.e., you are actually getting the software from its true creator). It is common for hackers to create fake web sites and even “hijack” visitors from oﬃcial web sites where applications can be downloaded.
3. Be Constantly Vigilant
A) Be suspicious of calls from unrecognized numbers alleging to be security or other oﬃcials asking for conﬁdential information, especially account access credentials and passwords.
B) Never reveal personal or business account access credentials or passwords in emails or telephonically.
C) Monitor the physical security of laptops, smartphones, and other mobile devices.
D) Avoid using public internet Wi-Fi to access company systems without the use of a secure virtual private network.
E) If something is suspicious, report it.
You could spend a fortune purchasing technology and services, and your network infrastructure could remain vulnerable to old-fashioned manipulation. Employee training can go a long way, and this is just the tip of the ice-berg. To dive deeper into how to safeguard your enterprise from ransomware attacks, we highly suggest this comprehensive manual, appropriately titled the “Ransomware Hostage Rescue Manual.”
For more information, you can download our latest whitepapers on Security.