Despite automation, machine learning, and all the rest of the state-of-the-art detection technology at our fingertips, attackers still slip through the cracks. You can deploy tools such as web application firewalls and endpoint detection and response solutions, but one of the most important ways to reduce your risk of becoming the victim of a ransomware attack is simply educating your employees about security.
Phishing is frequently a trending topic on RH-ISAC sharing platforms. It has remained a persistent threat because it still works. Threat actors continue to evolve their tactics, relying on social engineering to manipulate well-meaning employees into providing sensitive information or clicking a malicious link. But phishing isn’t the only way employees can unwittingly hand over the keys to the kingdom. Weak passwords can just as easily be an open door that ransomware groups can take advantage of.
Here are some ways to educate your employees on their role in protecting your organization.
In a recent report, RiskRecon evaluated ransomware victims on key cybersecurity hygiene components such as software patching, application security, web encryption, and email security and compared their scores with those of the general population. 68% of the ransomware victims they evaluated had “security issues in active email servers and domains that increased susceptibility to phishing and data theft” compared to 28% in the general population.
There are a number of steps that companies can put in place to prevent phishing emails from even landing in their employees’ inboxes to begin with, including implementing a spam filtering system and email gateway. But even if these measures are in place, it is crucial that employees are able to effectively identify and report phishing attempts because not all attempts will be blocked before landing in an inbox.
For a lot of companies, security awareness training is just another box to check. It may be a yearly training that employees are required to complete. They watch a short video, answer a few questions and move on, forgetting everything they learned by the following week. The content of the training may not even be up to date, because who has time to create and curate this material? This is all too common, but organizations that want to improve their security need to truly integrate it into the culture of the company, identifying security-minded individuals from across departments who will act as champions for security's importance across all business initiatives.
Here are a few tips for improving your approach to phishing prevention:
- Make it as easy as possible for employees to report phishing attempts that come in by adding a button to their email client.
- Implement a robust regular training program for security awareness with a heavy emphasis on phishing signs and procedures.
- Be mindful of what information about your organization is publicly available. If your staff emails and org chart are available on your website, you may be vulnerable to targeted phishing attempts aimed at administrative staff, with attackers posing as higher-ups making requests.
- Have a discussion between supervisors and staff about what is a legitimate request and what would be suspicious.
Another way that attackers can infiltrate your network and deploy ransomware is by brute-forcing credentials or purchasing compromised credentials from initial access brokers. Putting in place an effective password policy will reduce the risk that your organization’s credentials are compromised.
Staff pushback to password policies generally revolves around their inability to remember a different password for every site, which is understandable given just how many sites we access nowadays. The solution to this is often the use of a password manager, such as Dashlane, 1Password, LastPass, or Keeper. For passwords that employees will need to remember, such as the password to their password manager, make sure they are using 12-15 character passwords. Passphrases — passwords that contain a string of words — can be easy to remember but difficult to brute force, making them a great compromise with your staff.
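As an added example (not code from the RH-ISAC post), here is a small policy checker that encodes the guidance above: memorised passwords must be at least 12 characters, and a multi-word passphrase is accepted as an alternative. The minimum passphrase word count of 4, the assumed word-list size of 7776 (a diceware-style list) used for the strength estimate, and the character-class sizes are assumptions chosen for illustration; the 12-character minimum comes from the post.

```python
"""Password policy checker with a naive strength estimate.

Added example, not from the original post. Assumptions (not from the post):
a passphrase is at least MIN_PASSPHRASE_WORDS alphabetic words, and its
strength is modelled as if each word were drawn uniformly from a word list of
ASSUMED_WORDLIST_SIZE entries. Character-based estimates assume uniformly
random characters, so they are upper bounds that human-chosen passwords
rarely reach.
"""
import math
import re

MIN_LENGTH = 12               # post's guidance: 12-15 character passwords
MIN_PASSPHRASE_WORDS = 4      # assumption: passphrases need at least 4 words
ASSUMED_WORDLIST_SIZE = 7776  # assumption: diceware-style list (6**5 words)


def charset_size(password):
    """Size of the smallest character class set covering the password."""
    size = 0
    if re.search(r"[a-z]", password):
        size += 26
    if re.search(r"[A-Z]", password):
        size += 26
    if re.search(r"[0-9]", password):
        size += 10
    if re.search(r"[^A-Za-z0-9]", password):
        size += 33  # printable ASCII punctuation and space
    return size


def passphrase_words(password):
    """Split on whitespace, hyphens, underscores and dots; drop empties."""
    return [w for w in re.split(r"[\s\-_.]+", password.strip()) if w]


def is_passphrase(password):
    """True when the input looks like a string of whole words."""
    words = passphrase_words(password)
    return len(words) >= MIN_PASSPHRASE_WORDS and all(w.isalpha() for w in words)


def entropy_bits(password):
    """Naive entropy estimate: words x log2(list size), or chars x log2(charset)."""
    if is_passphrase(password):
        return len(passphrase_words(password)) * math.log2(ASSUMED_WORDLIST_SIZE)
    if not password:
        return 0.0
    return len(password) * math.log2(charset_size(password))


def check_policy(password):
    """Return (accepted, reason) under the post's length/passphrase guidance."""
    if is_passphrase(password):
        words = passphrase_words(password)
        if len(password) < MIN_LENGTH:
            return False, f"passphrase too short: {len(password)} < {MIN_LENGTH}"
        return True, f"passphrase of {len(words)} words"
    if len(password) < MIN_LENGTH:
        return False, f"too short: {len(password)} < {MIN_LENGTH}"
    return True, f"{len(password)} characters"


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    for candidate in ["Tr0ub4dor&3", "abcdefghijkl", "correct horse battery staple", "a b c d"]:
        accepted, reason = check_policy(candidate)
        print(f"{candidate!r}: accepted={accepted} ({reason}), ~{entropy_bits(candidate):.1f} bits")
```

The checker deliberately does not try to rate "complexity" by counting symbol classes; length and word count are the properties staff can actually remember and that a brute-force search has to pay for. The entropy figure is only for comparing candidates against each other under the stated model.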
You also need to make sure that multi-factor authentication is in place wherever possible. Chances are your employees are already encountering MFA in their personal lives for accessing their bank account and other sensitive information. It may be an annoyance at first, but it’s an easy step they can incorporate into their routines to protect your company. Learn more in RH-ISAC’s blog post, Strengthening Your Organization’s Password Policy.
Make Security Engaging
Security may not be the most interesting subject for many of your staff, but they will be more likely to participate if they understand just how important their actions are, and they can have a little fun at the same time. RH-ISAC offers opportunities for non-technical staff to get engaged with security through Security Awareness Month activities. The 2021 Symposium featured a CyberEscape team training exercise where participants completed interactive scenarios and puzzles designed to help them think like a threat actor.
RH-ISAC offers members additional security awareness resources, including a Security Awareness Working Group, which collaborates on ways to improve members' security awareness programs, and recorded webinars from events such as the Security Awareness Symposium. Learn more about RH-ISAC membership.