Ransomware training: some call it “the human firewall,” and they’re right. Effective end user training has been reported to reduce ransomware infections by up to 97 percent.
And when you consider that today’s sophisticated cyber criminals deliver ransomware by email more than 90 percent of the time, the need for regular training and assessment becomes crystal clear.
What’s more, the malware infection rates we continue to see despite near-universal antivirus deployment make it apparent that AV is not effective as a stand-alone answer to the ransomware problem.
Unfortunately, ransomware training is also an area where most companies woefully underspend, leaving them vulnerable to the full range of attackers’ tricks, including convincing, well-researched spear phishing.
Remember: these cyber criminals do their homework. Lawrence Pingree, a research director at Gartner, says most data breaches are based on “exploiting common user knowledge gaps to social engineer them to install malware or give away their credentials.”
That’s the bad news.
The good news is that with proper ransomware education, you can fill those gaps. And, when your people know how to recognize and avoid potential cyber attacks, you’ve immediately reinforced the best protection your organization has.
Ensure your data security trainings go beyond the basics
Yes, your end users need to understand how to create strong passwords and refrain from opening files from people they don’t know. But, your ransomware training needs to go far beyond these most obvious best practices.
Your ransomware training should also reinforce:
- The scope and scale of the impact a ransomware infection could have on the organization, staff work lives, and even their personal lives
- How critical it is to regularly install software updates and security patches
- How to recognize ransomware attack vectors
- How to identify phishing attacks in all their convoluted shapes and sizes
- Why they should never open files from people they don’t know, even if the filename appears relevant or “safe”, and why an unexpected attachment from a familiar name deserves the same caution, since sender addresses are easily spoofed
- The importance of keeping passwords current: unique for every account, and changed promptly whenever exposure is suspected rather than only on a calendar schedule
- How password managers can help them create and maintain secure passwords
- How to secure mobile devices, including the importance of never leaving them in a compromising position—like on the seat of a car or on top of an open bag
- Why they should never use a thumb drive when they aren’t sure of its origin, including those—especially those—found in a parking lot
- How to use public WiFi safely
- The regulatory consequences of a ransomware incident under rules specific to their industry, such as HIPAA or PCI DSS
Implement ransomware training best practices
Traditionally, these kinds of end user education sessions involve herding everyone into a big room and plunking them in front of a huge screen once, or at best once a year. Yes, these sessions have value when it comes to protecting your data, but they shouldn’t be the only ransomware training you provide.
These are busy people who often have little day-to-day exposure to the threats that keep you up at night. So, hoping they’ll recall this information six months or nine months down the road is being more than a little optimistic.
So, consider incorporating these best practices:
- Deliver your training across your entire organization—from your leadership on down—to reinforce the critical importance of this information
- Make your ransomware training interactive to engage your end users
- Tailor your training so it’s relevant to your end users’ jobs, helping them immediately see the value—buy-in is critical, here
- Provide additional online training end users can leverage on their downtime
Your ransomware training sessions and communications shouldn’t be adversarial; rather communicate that you’re partnering with them to protect their data at work, as well as at home. After all, who wants to have their family pictures encrypted and held for ransom?
Frequently reinforce ransomware prevention messages
Regular participation is absolutely imperative to effective ransomware training. So, make these training sessions mandatory for all employees, including your top level executives.
Furthermore, your trainings shouldn’t be considered a “one and done” effort. Not only will ransomware attacks evolve over time, but employees will slip back into old habits if the information isn’t continually reinforced.
Consider implementing mini-ransomware trainings as part of other regularly scheduled meetings, like quarterly sales meetings or monthly project status meetings. This way, you can keep the topic fresh in their minds and continually update them with current information about ransomware variants and current best practices.
Also, consider providing videos to your employees on a voluntary basis that highlight ransomware protection tips. When your employees feel they’re not only actively engaged in protecting the company, but their own personal information, they’ll be more likely to feel personally vested. And, this is likely to increase participation rates and knowledge retention.
Assess the effectiveness of end user education sessions
We can’t state this powerfully enough: Measure what matters.
Want to know if your ransomware education programs are relaying messages effectively to your employees? Assess them.
These assessments come in two general forms:
- Post-training session quizzes
- Phishing tests
Most online ransomware training solutions will offer post-lesson quizzes. These simple assessment tools allow you to identify who was engaged with the content—and who was simply along for the ride. Then, you can target follow-up sessions appropriately.
More importantly, you can leverage phishing testing to determine if your end users are truly able to put what they’ve learned into practice. This type of assessment can have a tremendous impact on your staff, especially when you target employees with access to more sensitive data for more frequent testing and against more rigorous performance standards.
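To make the “more frequent testing and more rigorous performance standards” concrete, here is an added example (not code from the original article or from any vendor’s platform) that scores the results of one simulated phishing campaign by department and sensitivity tier, applies a stricter click-rate ceiling and a shorter retest interval to high-sensitivity users, and lists who needs a targeted refresher. The tier names, thresholds, retest intervals and the sample results are all illustrative assumptions.

```python
"""Score simulated-phishing results by group with tiered pass thresholds.

Added example, not from the original article. It assumes one record per
user per campaign recording what that user did with the simulated phish.
The policy numbers below are assumptions, not published standards.
"""
from collections import defaultdict
from dataclasses import dataclass

# Assumed policy: users with access to more sensitive data ("high" tier) are
# tested more often and must meet a stricter click-rate ceiling.
POLICY = {
    "high":     {"max_click_rate": 0.05, "min_report_rate": 0.50, "test_every_days": 30},
    "standard": {"max_click_rate": 0.15, "min_report_rate": 0.25, "test_every_days": 90},
}

# Outcomes that count as a failure; submitting credentials is the worst case.
FAIL_OUTCOMES = {"clicked", "submitted_credentials"}
SEVERITY = {"submitted_credentials": 0, "clicked": 1}


@dataclass(frozen=True)
class Result:
    user: str
    department: str
    tier: str      # "high" or "standard"
    outcome: str   # "reported", "ignored", "clicked", "submitted_credentials"


# Constructed sample data for a single campaign (not real results).
SAMPLE_RESULTS = [
    Result("a.ng", "finance", "high", "reported"),
    Result("b.ortiz", "finance", "high", "reported"),
    Result("c.patel", "finance", "high", "ignored"),
    Result("d.kim", "finance", "high", "reported"),
    Result("e.rossi", "sales", "standard", "clicked"),
    Result("f.chen", "sales", "standard", "ignored"),
    Result("g.adams", "sales", "standard", "ignored"),
    Result("h.lee", "sales", "standard", "reported"),
    Result("i.diaz", "sales", "standard", "ignored"),
    Result("j.okafor", "sales", "standard", "submitted_credentials"),
]


def score_by_group(results):
    """Return per-(department, tier) click rate, report rate, pass/fail and
    the number of days until that group should be tested again."""
    groups = defaultdict(list)
    for r in results:
        groups[(r.department, r.tier)].append(r)

    report = {}
    for (dept, tier), rows in groups.items():
        policy = POLICY[tier]
        n = len(rows)
        clicks = sum(1 for r in rows if r.outcome in FAIL_OUTCOMES)
        reports = sum(1 for r in rows if r.outcome == "reported")
        click_rate = clicks / n
        report_rate = reports / n
        passed = (click_rate <= policy["max_click_rate"]
                  and report_rate >= policy["min_report_rate"])
        # Assumed rule: a failing group is retested at half the normal interval.
        retest = policy["test_every_days"] if passed else policy["test_every_days"] // 2
        report[(dept, tier)] = {
            "users": n,
            "click_rate": click_rate,
            "report_rate": report_rate,
            "passed": passed,
            "retest_in_days": retest,
        }
    return report


def users_needing_followup(results):
    """Users who clicked or entered credentials, most serious case first."""
    flagged = [r for r in results if r.outcome in SEVERITY]
    return [r.user for r in sorted(flagged, key=lambda r: (SEVERITY[r.outcome], r.user))]


if __name__ == "__main__":
    for (dept, tier), stats in score_by_group(SAMPLE_RESULTS).items():
        status = "PASS" if stats["passed"] else "FAIL"
        print(f"{dept}/{tier}: {status} click={stats['click_rate']:.0%} "
              f"report={stats['report_rate']:.0%} retest in {stats['retest_in_days']}d")
    print("follow-up:", users_needing_followup(SAMPLE_RESULTS))
```

With the constructed data, finance (high tier) passes despite its stricter ceiling and stays on its 30-day cadence, while sales (standard tier) fails on both click and report rate and is pulled forward to a 45-day retest; the follow-up list puts the user who submitted credentials ahead of the one who only clicked. Tracking the report rate alongside the click rate matters: a group that simply ignores phishes looks fine on click rate but is not giving your responders the early warning that training is meant to produce.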
End user ransomware training needs to be considered a cost of doing business in today’s hyperconnected world. Invest in it the same way you do other vital aspects of your company and you’ll reap the benefits of empowered employees who serve as your best defense against a damaging, costly ransomware attack.