When you live and breathe IT and information security, it is easy to forget that not everyone in your organization is on the same page.
What we forget is that not all employees in our organization are as aware of cyber-threats, or as risk averse, as we are. On the one hand they often do not know what the risks are, and on the other they do not fully appreciate the consequences of an attack.
One type of threat that exposes this vulnerability is social engineering, which is how most ransomware, phishing emails and CEO fraud reach their victims. Scams such as pay rise or redundancy phishing emails work because they appear to come from a company director (sent from an address that closely resembles the director's genuine email address, typically differing by a character or two or using a lookalike domain) and contain information that cannot help but interest their recipients.
Picture the member of staff who receives an email with the subject line ‘Company Redundancies 2017’; they will struggle to contain their curiosity and concern, and unless they know otherwise, are highly likely to open the attachment and enable the macro that installs the ransomware.
I should add that IT professionals are not immune to this kind of attack, so imagine how convincing they seem to someone in the finance department or other areas of the business.
What Security Managers and IT Professionals can do
Prevention is always better than the cure, and these three steps will go a long way towards reducing your exposure to ransomware attacks.
Step 1: Raise awareness and educate all employees
If the technologies for detecting, deleting or quarantining phishing emails fail, the last line of defence is the user. Awareness-raising programmes will inform employees of the threats, what they look like, how sophisticated they are, and what the consequences of enabling an attack such as ransomware can be.
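The lookalike-sender trick described above is exactly what the first layer of those detection technologies has to catch before a message reaches the user. The following is an added example, not code from the original article: a small Python filter that inspects raw message headers for a display name borrowed from a senior member of staff, a sender domain that becomes the corporate domain once common character substitutions are undone or is within two edits of it, a Reply-To pointing somewhere else, and a pay-rise/redundancy style subject. The corporate domain example.com, the staff list and the three sample messages are all assumptions constructed for the illustration.

```python
"""Flag lookalike-sender and CEO-fraud style phishing from raw email headers."""
import email
import re
from email.utils import parseaddr

# Assumed corporate domain and a hypothetical directory of senior staff
# whose display names attackers like to borrow.
CORPORATE_DOMAIN = "example.com"
SENIOR_STAFF = {"Jane Smith", "Tom Jones"}

# Common character substitutions used to build lookalike domains.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

# Subject words typical of pay-rise / redundancy lures.
LURE_WORDS = re.compile(r"redundanc|pay rise|salary|urgent", re.IGNORECASE)


def normalise(domain: str) -> str:
    """Lower-case a domain and undo the usual homoglyph substitutions."""
    d = domain.lower()
    for fake, real in HOMOGLYPHS:
        d = d.replace(fake, real)
    return d


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings; a small distance between domains means 'lookalike'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyse(raw_message: str) -> list:
    """Return the reasons (possibly none) a message looks like sender impersonation."""
    msg = email.message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rpartition("@")[2].lower()
    reasons = []

    if sender_domain == CORPORATE_DOMAIN:
        return reasons  # genuine internal sender; other controls apply there

    norm = normalise(sender_domain)
    if norm == CORPORATE_DOMAIN or 0 < levenshtein(norm, CORPORATE_DOMAIN) <= 2:
        reasons.append("lookalike-domain")
    if sender_domain.startswith(CORPORATE_DOMAIN + "."):
        reasons.append("corporate-domain-as-subdomain")  # e.g. example.com.attacker.invalid
    if display_name.strip() in SENIOR_STAFF:
        reasons.append("display-name-impersonation")
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    if reply_domain and reply_domain != sender_domain:
        reasons.append("reply-to-mismatch")
    if LURE_WORDS.search(msg.get("Subject", "")):
        reasons.append("lure-subject")
    return reasons


# Constructed sample messages (not real traffic).
PHISH = """From: "Jane Smith" <jane.smith@examp1e.com>
Reply-To: jane.smith.ceo@webmail.invalid
Subject: Company Redundancies 2017
To: staff@example.com

Please open the attached spreadsheet and enable editing.
"""

GENUINE = """From: Jane Smith <jane.smith@example.com>
Subject: Company Redundancies 2017
To: staff@example.com

Internal note from HR.
"""

NEWSLETTER = """From: Vendor News <news@vendor.invalid>
Subject: Monthly update
To: staff@example.com

Nothing to see here.
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISH), ("genuine", GENUINE), ("newsletter", NEWSLETTER)):
        print(label, analyse(sample) or ["clean"])
```

Running the block flags the first message on all four counts and leaves the genuine internal email and the unrelated newsletter untouched. The checks are deliberately cheap header heuristics; in a real gateway they sit alongside SPF/DKIM/DMARC evaluation, and the lure-word list is there to raise the score of a message that already looks suspicious, not to quarantine on its own.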
Step 2: Have clear guidelines of what to do if employees suspect a cyber-threat
Employees also need to know what to do if they suspect an email is not genuine. Phishing emails often work because they carry a sense of urgency: if an employee receives an email from a senior member of staff that says ‘urgent’, they jump to it. A culture of always questioning whether an email is genuine must be encouraged, together with the reassurance that doing so, i.e. questioning a senior manager's email, will not reflect badly on the employee. Furthermore, when an employee is unsure of an email they need a rapid response from the IT team, so that if it is authentic they can act on it without undue delay.
Step 3: Make sure you have a robust data backup and disaster recovery system
The final step is to protect your organization should an attack take place. To avoid paying a ransom a robust data backup and disaster recovery system is essential, ensuring that it is possible to restore data to the point before the infection occurred. Backups only serve that purpose if at least one copy is kept offline or otherwise out of reach of the accounts the ransomware can use, and if restores are tested regularly; a backup that has itself been encrypted, or that has never been restored, will not help. Disaster recovery / business continuity plans must address specific risks to be effective. We recommend exploring all potential threats and tailoring strategies and procedures for each scenario.
We may be aware of the threat of social engineering campaigns that deliver ransomware, but never presume that everyone else within your organization is.