At the root of the majority of ransomware attacks is the tactic of social engineering, leveraged by hackers, which involves manipulation to access corporate systems and private information. Social engineering plays into human nature’s inclination to trust. For cyber criminals, it’s the easiest method for obtaining access to a private corporate system. After all, why would they spend time trying to guess someone’s password when they can simply ask for it instead?
Take for example WannaCry. You had to click or download to get infected, which requires an interaction by a user. Many who are tasked to protect organizations provide plenty of security where it’s required and help to protect the information within a network from the endpoint to egress and vice versa. But what happens when these phishing attacks become more complex, less detectible or a zero-day type? With all of this technology we use, why not go back to good old training and awareness? Wouldn’t it be nice to stop, or at least slow down, the potential of compromising your company? Well, you can with adding training and testing to all existing security.
Training is important, and simple. Have recorded sessions on security awareness and do a campaign with your employees to equip them with the proper knowledge as to how to operate in your organization safely. You may follow up with some testing. Try phish your users and see if they click on emails and/or download what is attached.
Deliver more frequent tests – especially to the users who have access to very sensitive data. Run the type of security awareness campaigns where you can know who clicked on an email and even capture information to expose any vulnerabilities the system may have or even the user, for that matter. If the user clicks on the link, it can redirect them to an internal Security Awareness page to retrain or provide a teach-able moment as a pop-up. Testing can be as simple as registering who clicks, to even trying to compromise the system with a download or attachment.
Being able to have this type of testing and ability to enhance your existing training with testing (since it sticks) will only benefit the organization, strengthen those doors and hopefully make your users smarter. With automation and scheduling available, you can easily setup some repeatable testing.
People are more tech-savvy these days, but they’re not necessarily cybersecurity-savvy. Cybersecurity should be at the forefront of your employees’ minds. Education is an important defense, however employees forget their training, and will still be tricked into clicking bad links.
Eventually, you wouldn’t want to find out the entry point of a breach was from the receptionist, or the resume that the HR received after all the investments your organsation made on training. Having users who can make much smarter decisions will provide a much needed level of peace to the Security team. Start training your staff, and start measuring the effectiveness of your training through Extant.