Don’t Click That! Tactics for Shoring up Security Culture Against Ransomware Attacks
We’re just going to say it. When it comes to ransomware risk, you have a people problem. More than 90% of data breaches happen because of phishing, and according to the FBI, phishing attacks have increased 400% year over year. Yes, you can filter for suspicious emails, but your ultimate line of defense is your people. You need to make sure they’re taking the appropriate actions to prevent ransomware attacks—and it’s a taller order than it might seem.
Change is hard, and culture is hard to change. Plus, in any digital experience, we know that users tend to choose the path of least resistance: the opposite, for example, of an MFA approach. Let’s review some key steps you can take to make sure security awareness sticks—and actually prevents incidents.
Let’s start with CISA
A good starting point is the Cybersecurity & Infrastructure Security Agency (CISA), which provides extensive guidelines and recommendations for organizations to ward off ransomware. In addition to the various technical safeguards included in their directions, they recommend the following for people-focused prevention:
Implement a cybersecurity user awareness and training program that includes guidance on identifying and reporting suspicious activity (e.g., phishing) or incidents.
We’ve helped clients design and execute security training programs and other initiatives to spread awareness year-round on the dangers of suspicious emails. Here’s how we would enhance the CISA recommendation to make sure your organization is ransomware-ready.
#1 Go beyond October
Security Awareness Month campaigns are great, but they don’t deliver the kind of ongoing reminder most employees need. Think about it: employees are consumed by their day-to-day responsibilities. Ransomware threats, however dire, do not stay top of mind as they do for security professionals. Security awareness training should be ongoing, so make sure your program includes year-round touchpoints and employee engagement opportunities.
#2 Tie participation to job performance
Strong safety cultures cannot thrive unless every employee considers security a part of their job responsibilities. Why not track participation and make it a part of job performance? A part of performance reviews?
Note: there’s also a technical component to consider here. Do you have the necessary integrations to funnel training completion data to employee databases housed by HR?
#3 Gamify it
CISA also recommends you put your employees to the test by conducting “organization-wide phishing tests to gauge user awareness and reinforce the importance of identifying potentially malicious emails.” Do these tests every quarter to make sure people stay on their toes and keep the message top of mind.
Also, keep in mind that everybody loves a good competition. Encourage the “game” aspect of these tests by recognizing those that successfully avoid clicking the link. Security becomes a part of company culture as employees develop positive associations with applying scrutiny to their email messages.
Note: Check out your email provider to see what they offer. For example, Microsoft 365 Defender and Proofpoint have features for you to conduct attack simulations, followed by training to help your end-users.
#4 Keep it light & bright
Let’s face it: security awareness, for all its good intent, can tend to be a fairly gloom and doom subject. And no matter how justified the tone, somber isn’t a setting most want to spend their time in.
When planning training workshops and other cultural initiatives to raise awareness around ransomware threats, don’t be afraid to go positive, get creative-–and even have fun. For example, consider punchy themes or offering incentives for participation in training sessions and other awareness initiatives (prizes, company swag, drawings, company-wide recognition, etc.)
Partnering to win mindshare
Ready to get started? Email us at info@collectiveinsights.com
Are you interested in learning more? Check out our other related blogs: Four Ways You Can Prevent Ransomware Attacks Right Now and Why Ransomware Should be on Your Radar – And in Your Security Budget.