September 16, 2022
By Darren Hulem, CISA, CEH, Security+, Supervisor and Tom Brown, CAPM, Security+, Senior Risk Analyst
TLDR: End user cybersecurity training is essential for preventing malicious actors from gaining unauthorized access to your organization’s network. Creating a risk-averse organization involves making your staff aware of best practices for identifying common attacks, like phishing scams. At the end of this article, you will find a cyber hygiene template and risk checklists for privacy, third parties, and IT.
Cyber-attacks such as ransomware and phishing are some of the top risks facing organizations. According to a recent article, “Staggering Phishing Statistics in 2020” by Security Boulevard, 85% of all organizations have been hit by a phishing attack at least once. Every organization is a potential target for cyber-attacks and should be setting up their networks and training their end users to identify and reduce the risk from these attacks.
What is ransomware?
Ransomware is software designed to prevent access to computer systems or files until the owner meets the perpetrator’s payment demands. Essentially, your entire computer network is being held for ransom — and neither your employees nor your customers can access the data.
It doesn’t take much to be infected. Typically, the ransomware takes root when a malicious email is sent to an employee of a company, often utilizing phishing or spear phishing techniques. The ransomware may be embedded in attached Word files or PDFs, or the email might contain a link to a website that will install the ransomware on the user’s computer and from there, infiltrate the network.
Ransomware has become big business for hackers. The newest trend, much like the rest of the tech industry, is offering it as Software as a Service (SaaS). Ransomware developers have started Ransomware as a Service (RaaS). Some of the notable RaaS groups are DarkSide and REvil, which were responsible for large attacks against Colonial Pipeline and JBS.
What can you do?
With the increase in ransomware and phishing attacks, creating a risk-averse organization is essential to reducing the opportunities for attacks to be successful. The main way to reduce this risk is to train your end users on what to look for from phishing attempts.
Tips you can share with your users within your organization to get started on creating a risk-aware culture include:
- When sent an unsolicited email, review it for these common signs of a phishing attempt:
  - The email originated outside the organization
  - A different “reply to” email address from the sender’s address
  - A sense of urgency, familiarity, or scarcity. For example, “Your email password has been compromised, you must click here to recover the account, or all information will be lost.”
- Always preview links that are sent to you before clicking on them. In an email, you can hover over the link to see where it is actually sending you. If the destination is different from what you expected, it is most likely a phishing attempt.
- Never download software from an untrusted site. This could introduce malware, ransomware, or viruses onto your computer.
- When using public Wi-Fi, do not enter sensitive company information. If you need to work on such a network, connect to a VPN (Virtual Private Network) to encrypt the data that is exchanged.
- Ensure that your organization’s email security is up to date. Some key items to review include your SPF, DKIM, and DMARC records. These are email authentication records that help prevent malicious actors from spoofing your domain or sending mail as your organization. For more information on email security, refer to this article, “Email Security: Don’t let attackers in through the front door.”
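The checks in the list above can also be run over a message and over a domain’s DNS records, which is how a mail gateway or a quick internal audit script applies them. The following Python is an added example written for this article; it is not code from the original post or from GRF. The organization domain example.org, the sample phishing message, the mail-provider include name and the two sets of TXT records are all constructed here, and no live DNS lookup is made. The first part scores a raw message on the four signs above (external sender, different Reply-To, urgency language, link text that differs from the link target); the second part reviews SPF and DMARC records and shows the weak form beside the corrected form.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

ORG_DOMAIN = "example.org"  # hypothetical organization domain (assumption)

# Constructed sample message showing the signs in the list above: external
# sender, Reply-To differing from From, urgency wording, misleading link text.
SAMPLE_EMAIL = """\
From: "IT Helpdesk" <helpdesk@example-org-support.test>
Reply-To: recover-account@mail-secure-login.test
To: alice@example.org
Subject: URGENT: your email password has been compromised
Content-Type: text/html; charset=utf-8

<html><body><p>You must click
<a href="http://mail-secure-login.test/recover">https://mail.example.org/recover</a>
to recover the account, or all information will be lost.</p></body></html>
"""

URGENCY_PHRASES = ("compromised", "you must click", "will be lost", "immediately")
LINK_RE = re.compile(r'<a\s[^>]*href=["\']([^"\']+)["\'][^>]*>(.*?)</a>', re.I | re.S)
TAG_RE = re.compile(r"<[^>]+>")

def domain_of(header_value):
    """Lower-cased domain of an address header, '' when the header is absent."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()

def host_of(url):
    """Hostname of a URL as it appears in mail, tolerating a missing scheme."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()

def mismatched_links(html):
    """(shown, actual) pairs where URL-looking link text points to another host."""
    pairs = []
    for href, inner in LINK_RE.findall(html):
        shown = TAG_RE.sub("", inner).strip()
        if ("://" in shown or shown.startswith("www.")) and host_of(shown) != host_of(href):
            pairs.append((shown, href))
    return pairs

def phishing_indicators(raw, org_domain=ORG_DOMAIN):
    """Run the checks users are asked to make by hand over one raw message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    from_domain = domain_of(msg["From"])
    if from_domain and from_domain != org_domain:
        findings.append(f"sender is outside the organization: {from_domain}")
    reply_domain = domain_of(msg["Reply-To"])
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain differs from From: {reply_domain}")
    part = msg.get_body(preferencelist=("html", "plain"))
    body = part.get_content() if part is not None else ""
    text = (str(msg["Subject"] or "") + " " + TAG_RE.sub(" ", body)).lower()
    hits = [p for p in URGENCY_PHRASES if p in text]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))
    for shown, actual in mismatched_links(body):
        findings.append(f"link text {shown} actually points to {actual}")
    return findings

# Constructed TXT records for the hypothetical domain, weak form beside the
# corrected form. DKIM is omitted: its key sits under a selector name this
# offline example does not know.
WEAK_RECORDS = {
    "example.org": "v=spf1 include:_spf.mailprovider.test +all",
    "_dmarc.example.org": "v=DMARC1; p=none",
}
HARDENED_RECORDS = {
    "example.org": "v=spf1 include:_spf.mailprovider.test -all",
    "_dmarc.example.org": "v=DMARC1; p=reject; rua=mailto:dmarc@example.org",
}

def review_email_auth(records, org_domain=ORG_DOMAIN):
    """Flag SPF and DMARC settings that still let others send as the domain."""
    issues = []
    spf = records.get(org_domain, "")
    if not spf.startswith("v=spf1"):
        issues.append("SPF: no record published")
    else:
        final = spf.split()[-1]  # the trailing 'all' mechanism decides unlisted hosts
        if final in ("all", "+all"):
            issues.append("SPF: +all authorizes every host to send as the domain")
        elif final in ("?all", "~all"):
            issues.append(f"SPF: {final} is not a hard fail; use -all once senders are listed")
    dmarc = records.get(f"_dmarc.{org_domain}", "")
    tags = dict(t.strip().split("=", 1) for t in dmarc.split(";") if "=" in t)
    if tags.get("v") != "DMARC1":
        issues.append("DMARC: no record published")
    else:
        if tags.get("p", "none") == "none":
            issues.append("DMARC: p=none only monitors; spoofed mail is still delivered")
        if "rua" not in tags:
            issues.append("DMARC: no rua address, so no aggregate reports arrive")
    return issues

if __name__ == "__main__":
    print(*phishing_indicators(SAMPLE_EMAIL), sep="\n")
    print("weak:", review_email_auth(WEAK_RECORDS))
    print("hardened:", review_email_auth(HARDENED_RECORDS))
```

The record review takes a plain dictionary so that it runs offline; to review your own domain, look up the TXT records for the domain and for its `_dmarc` subdomain and pass them in the same shape. Note that a `p=none` DMARC policy is the normal starting point while you gather reports, which is why the review names it as monitoring only rather than as a misconfiguration.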
Training end users on these habits and items to look for is a key way to reduce the risk of ransomware getting into your network. Additionally, your organization should consider implementing a formal cyber training program where best practices, top threats, and organizational policies are discussed and taught. Training programs can include a multitude of content but basic items to consider implementing within yours are:
- Customized presentation including organization-specific policies and procedures
- Ongoing phishing tests
- Annual and onboarding module-based training that includes a quiz to exhibit knowledge
- Training awareness policy to be reviewed, acknowledged, and signed by users.
To help get you started on security awareness, we have developed a cybersecurity hygiene template that can be downloaded from here. This can be reviewed and shared with end users to help create organizational resilience against malicious actors. Also, these risk checklists can be useful when evaluating your current cyber posture.
How GRF can help
At GRF, we have partnered with an industry-leading security awareness training platform to offer programs that will help reduce the overall cyber risk to your organization. We can set up and deliver phishing tests and module-based training to be delivered on an annual basis. For more information, download our PDF brochure, contact us for a cybersecurity consultation, or feel free to reach out to us at the contact info below.
Darren Hulem, CISA, CEH, Security+
Supervisor, IT and Risk & Advisory Services
Tom Brown, CAPM, Security+
Senior Risk Analyst, Risk & Advisory Services