If You Only Do ONE thing to Protect your Business Against Ransomware, You Should Do This
15 July 2017
In the wake of the cyber attack which resulted in NHS staff being locked out of systems and data, cyber security awareness training for employees is a topic that should be revisited.
“WannaCrypt”, the new ransomware that exploits a flaw in unpatched Microsoft systems and encrypts data, gets onto your systems because an unwary employee clicks on an attachment or link in a phishing email. It only takes one employee to click for the worm to spread through your network. Unless you have reliable backups, you’ll face a choice between paying cyber criminals in bitcoin to get your data back, or carrying on without your data.
Our clients have had Microsoft’s emergency patch rolled out to their systems, which repairs the vulnerability that WannaCrypt exploits. However, there ARE other types of ransomware and the threat is rife, so caution is advised when dealing with suspicious emails.
Employee security awareness and training should now be a fundamental part of your Cyber Security defence strategy. If you’re not building your employees’ ability to spot and rebuff attacks, you will be at a much greater risk of falling victim to a cyber-attack which could result in data theft, data leakage or financial losses.
Many threats can be stopped with firewalls, anti-virus, DNS monitoring, spam filters, etc. However, there are a huge number of cyber threats designed to bypass these defences and instead get through your “human firewall”: your employees.
You’re only as strong as your weakest employee
Can you be sure that every person in your organisation would spot a phishing email, and wouldn’t click on a link or attachment in it? A single click can result in encryption of all files on your network drive, meaning you’re locked out and the only way to access your files is to pay a ransom to cyber criminals or restore from backup.
Alternatively, are you sure that no-one in your business would fall for a spoofed email from you, the Managing Director, telling them to expect a call about a sensitive business transaction and to comply with the instructions to transfer a large sum of money? This type of crime is known as CEO fraud or CEO phishing and it has cost businesses millions.
Millions of businesses have already fallen victim to these tactics, and cyber criminals are constantly getting better at them. They research their targets, write personalised emails and work out the perfect time to strike (e.g. when the boss is out of the office, which they know because they’re watching you on social media, or a successful phishing attack gained them access to your mailbox).
Six Tips to Train your Employees to Recognise Cyber Security Threats
1. Do it Frequently
How often should you carry out cyber security training? Once a year? Once a quarter? Once a month? In fact, we recommend that some form of training is carried out every DAY. This doesn’t have to be arduous. As we’ll explain, cyber security training could be carried out daily without taking up more than 20 seconds of your employees’ time per day.
2. Test Your Employees
The best way to do this is through simulated phishing emails which will test your employees’ ability to recognise and ignore them. One or two emails a day, sent at varying times using varying approaches, will build your staff’s ability to spot them and keep the threat at the front of their minds. Those who fall for any test emails can be identified and given more intensive education!
Why test? Because no-one wants to fail and look bad! Communicating that these phishing tests will be happening will force employees to learn how to spot phishing emails.
3. Make Training Ongoing
The landscape of Cyber Security threats is constantly evolving. There’s always a new technique to threaten your business and cyber criminals are constantly getting more adept at social engineering and manipulating people.
Training must therefore not have a “complete date” and cannot be a course that comes to an end. Training must never stop, and it must be updated regularly to encompass new threats.
4. Vary Cyber Security Training
Phishing attacks are not the only threat facing your business, so make sure employee training covers everything employees must be aware of. One company was compromised when staff plugged in a USB drive handed to them by a visitor in reception who asked if they would print off their CV. Adequate training could have prevented this.
Over £32 million has been lost to criminals carrying out CEO fraud. This is where the criminal uses a combination of phishing and social engineering to convince an employee that their boss is instructing them to transfer funds out of the business bank account. Cyber Security training could prevent this too.
5. Make EVERYONE Complete Training
Management aren’t too clever to fall for cyber criminals’ techniques, and neither are IT people. Many cyber criminals will use social engineering methods to trick you, even going as far as to research their targets on Social Media. This allows them to write highly tailored phishing emails containing personal information designed to pique the target’s curiosity. Everyone is potentially a target, especially management and IT people, as they usually have access to more systems and data.
6. Regularly Talk About Cyber Security
Talk about cyber security in company and team meetings. Explain the potential impacts of a cyber-attack occurring, and how individual employees can directly impact whether attacks are successful or rebuffed.