Wow. These past few weeks have been, um, interesting, to put it mildly. Back in May, WannaCry infected organizations in more than 150 countries, and just this week Petya hit and essentially brought Ukraine to its knees. It’s been a wild ride, and one worth looking at in a bit more detail.
What are WannaCry and Petya?
The short answer is that they are a form of “ransomware”, a type of malware that takes control of your computer, encrypts your data so you can no longer access it, and then demands a payment in Bitcoin in exchange for the key to unlock it.
Lack of employee knowledge results in a high cost to the business
Ransomware is often profitable for its creators because they don’t ask for a very large sum of money, typically $100 to $500 USD per infected machine. It is very common for organizations to simply pay to get their files back. But this can mean a hefty cost to the business. Some estimates are that in 2016 alone, ransomware cost organizations in excess of $1 billion USD worldwide. Most ransomware attacks go unreported or receive very little media attention because they are so frequent, so there is a good chance this is a conservative estimate.
The solution starts with employee awareness
Most commonly, ransomware and other malware arrives through the weakest link in an organization—employees. In fact, research indicates that 61% of organizations are exposed to ransomware because of employee ignorance. Social engineering techniques like phishing campaigns are favored by blackhat hackers, and with good reason! They know employees are conditioned to open email and have an innate curiosity about its contents. That’s why a gap in knowledge about how to identify potential threats can be detrimental. If employees take the wrong action, such as clicking on a link or opening an attachment, the result can be a company-wide infection that paralyzes the organization for days.
Even if your organization has the most hardened network perimeter, there is a very good chance that your internal network is fairly open, so that your employees are not impeded in their day-to-day operations. This is what makes social engineering such an appealing approach for blackhat hackers, and why employee awareness training is so vital.
Traditional training techniques don’t keep security top of mind
According to a survey by the endpoint security software firm Avecto, more than a quarter of respondents (28%) said that security education is rare in their organization or is only provided after something has gone wrong—when it is often too late. While training employees once or twice on the actions to take to mitigate a cybersecurity threat might be the norm, it isn’t best practice when it comes to protecting your organization. All it takes is one employee performing the wrong action for your entire network to go down. And most employees won’t even remember what you told them if the information isn’t reinforced on an ongoing basis. To help employees learn what to look out for in the event of a cyberattack, you need to change the way you approach your education process.
An agile learning approach arms your employees with the right security knowledge
The only way your employees will remember how to spot a threat and respond correctly is if this information is reinforced continually. Using a learning platform to ask employees regularly what they should do when they receive an email from someone they don’t recognize, for example, will go a long way toward embedding this information in their memory. When employees are exposed to this information repeatedly, they learn to become more vigilant. The right behaviors become instinctive, and this helps mitigate risk not only when threats are imminent, but when they’re least expected.
If an attack does happen, it’s also critical to provide refresher training immediately. By leveraging a learning platform that is accessible to all employees—whether they are working in the office, on the store floor, or in a warehouse or distribution center—you can push out communication in the exact moment of need and know exactly who has read this information and completed the required training. This kind of proactive approach will allow you to perform the proper due diligence and ensure everyone on your team knows exactly how to respond in the event of an attack.
Focus on delivering need-to-know rather than nice-to-know training content
From taking the right physical security precautions to learning how to spot a phishing email, security awareness training is crucial for protecting the organization. But employees don’t need to know absolutely everything about these threats. To avoid bombarding them with unnecessary details, zero in on training content that teaches employees the actions they need to take to achieve your specific security goal, whether that is preventing a virus infection or closing some other gap in your network.
When thinking about building security training content, ask yourself the following questions:
- Do you have a sign-in policy for visitors?
- Do all your employees know about it?
- Do you have an acceptable use policy regarding computer usage, and are employees aware that they can’t just download that internet radio application on their laptop?
- What about requests for large money transfers? Are there guidelines to ensure that transfers above a certain amount only happen with verbal confirmation?
Ensuring that all employees are aware of this information, understand what it means, and know how to behave accordingly will be your strongest defense.
Security doesn’t have to be hard, nor does it have to be boring. A bit of education can go a long way to ensuring that both your employees and your organization remain safe.