How social engineering contributes to the success of ransomware attacks

Ransomware has long been a threat and has even led some to call it the digital scourge of our time. Over the past 18 months, this has certainly been the case, with ransomware attacks increasing by 93%. There has been a constant barrage of cyber attacks that has raised concerns, especially for organizations that need to understand and master the tactics used by threat actors who wish to gain access to networks.

Over the past year, we have witnessed ransomware attacks that have disrupted large companies in a variety of industries, including a US oil and pipeline supplier and a national healthcare provider in Europe. And that’s just the tip of the iceberg.

Cybercriminals have no remorse for their victims as long as they receive their ransoms. In 2020, it was found that $18 billion had been paid worldwide in ransom, and the total costs were in the hundreds of billions of dollars. This figure is expected to reach $20 billion in 2021 and $256 billion in damage in 2031. It shows just how lucrative and effective ransomware can be.

But what makes these organizations fall victim to ransomware? Looking at the main causes of ransomware, KnowBe4 found that social engineering was the most effective way for hackers to fool victims. Social engineering involves cyber threats like email phishing, SMS smishing, phone vishing, or a combination of any of these tricks that a hacker can use to fool employees into clicking a malicious link. We’ve even seen examples of employees being offered bribes to install ransomware.

Now, there is no silver bullet in cybersecurity that will magically prevent all of these threats instantly. You can’t spend money just on technology to try and fix the problem. Organizational policies and procedures must incorporate security. The most important strategy to adopt is to develop and increase user awareness of ransomware threats, which can help create an additional layer of security for the organization.

Do not rush; security takes time

Small and medium-sized businesses can find it difficult to trust the security awareness process. It may seem like a hurdle that could be avoided by investing only in security technology. Yet decision makers need to realize that a positive security culture is a catalyst for business operations. Without this element, you will remain vulnerable. It cannot be seen as a “nice to have” feature or an afterthought just to check a compliance box.

Devoting even a small amount of time per week to security awareness training can make a difference. It will be helpful for staff to learn from a variety of resources and tools about security policies, best practices, and telltale signs of ransomware and other threats.

People are just as important as technology

Give your employees the right knowledge to make a difference. Within the organization, they should be viewed as security enablers who can be an integral part of any security program. Eliminate the stigma that they are the loopholes in the security armor, as this only happens if they are not properly trained.

Security training can be inexpensive and doesn’t have to eat up the security budget, as there are many free or inexpensive resources available to help security teams get the message across. Best of all, these resources are available in a variety of formats, from videos and quizzes to checklists and articles. There are even security policy templates that can be downloaded for free. All it takes is a quick internet search. Yes, these can be basic or rudimentary and may lack glamorous features if you were to purchase a subscription from a vendor, but it can certainly help form a foundation of security awareness to build from. For SMBs, reducing risk is essential and limiting the number of malicious links employees click is certainly a step in the right direction.

As mentioned, organizations of all sizes should use the free security training tools available to better prepare the workforce against ransomware and other cyber threats. For example, try ransomware simulators to test the company’s readiness and how it would react in such a scenario. Look at the widely available free password checkers to assess the strength of the passwords used in the organization. There is a plethora of free security hygiene and best practice modules that cover all of these areas and more. You can even ask security vendors to provide free security consultations with free network and infrastructure scans to flag the most significant risks. Yes, a sales call may be necessary, but that conversation can save you both costs and resources while making you more secure.

Ransomware is a huge problem, and there is no sign of it slowing down as long as it remains effective; since criminals see a return on their investment, it is here to stay. Fortunately, there are options – some of which are free – to help organizations reduce the risk of being impacted. Make security a business priority and equip the workforce with the knowledge and ammunition to defend against these social engineering threats.

For organizations that need guidance, here are a few steps to help you along your security awareness journey.

Establish a security policy

Formulate and make easily accessible a written security policy. Each employee should read the document and sign it to confirm that they understand the policy and will apply it.

Implement security awareness training

Give all employees a security awareness course (mandatory), with a clearly stated deadline. It is strongly recommended that you explain to them in detail why this is necessary.

Add security awareness training to employee onboarding

Make it a mandatory part of the onboarding process for every new employee.

Ongoing employee security testing

Keep all employees on their toes and security-minded by testing them continuously. Sending out a simulated phishing attack once a week is extremely effective in keeping them alert.

Take action on successful or unsuccessful phishing attempts

Never publicly identify an employee who fails a simulated attack. Let their supervisor or HR take care of this in private. Give a quarterly prize to the three employees with the lowest “failure rate”.

Integrate playful education into security awareness training

If you use posters, stickers, and/or screen savers, change the pictures or messages every month. After a few weeks, people simply don’t “see” them anymore. It is more effective to send them regular “security tips and tricks” by e-mail.

Javvad Malik, Senior Security Awareness Advocate, KnowBe4