The U.S. Government’s Cybersecurity and Infrastructure Security Agency (CISA) has launched a campaign to address ransomware by improving security readiness and raising awareness. Its “Reduce the Risk of Ransomware Campaign” is designed to encourage public and private sector organizations to adopt best practices, tools, and resources that reduce the risk of falling victim to ransomware.
Director of CISA Brandon Wales noted that ransomware causes data loss, privacy concerns, and costs billions each year. As these incidents severely impact business processes and leave organizations without data, they can prevent the delivery of critical services. And the bad guys are upping the ante by pressuring victims for payment, threatening to release stolen data, and naming and shaming victims.
Ransomware can hit anywhere.
“Anyone can be the victim of ransomware, and so everyone should take steps to protect their systems,” said Wales.
The campaign stresses best practices and is built around social media content to educate people about the various attack vectors and how to avoid falling prey to them. It also includes resources for those in the midst of ransomware attacks.
The agency will issue alerts and updates to IT staff to help stakeholders guard against ever-evolving ransomware threats. In addition, tips and best practices are being issued for home users, organizations, and technical staff. The campaign is supplemented by fact sheets and infographics that help people understand the threat posed by ransomware and the consequences of an attack.
Training is the key to prevention.
The final element of the campaign is training and webinars for technical and non-technical audiences. Time and again, educating users to act as a human firewall has proved a critical defense against ransomware.
“The vast majority of ransomware attacks begin when an attacker gains a foothold via a phishing attack or an exposed RDP port,” said Stu Sjouwerman, CEO of security awareness training firm KnowBe4. “Russian organized cybercrime with support from the Kremlin is attacking civilian targets, causing downtime and massive financial damage.”
He urges organizations to elevate user security training beyond the lunch-and-learn level if it is to make a real difference. He advocates a multi-faceted response to the threat posed by phishing and ransomware. It begins with baseline testing to assess the phish-proneness of current users: a simulated phishing attack on the organization that measures the percentage of users vulnerable to social engineering.
This is followed by thorough training of users on phishing, email scams, and other avenues of attack through interactive modules as well as videos, games, posters, and newsletters. Such training must engage the learner and show them how the bad guys operate and how they lure unwary people into clicking malicious links and opening malicious attachments.
Training is not a one-and-done proposition.
Ransomware tactics are constantly shifting. Bad actors seize on topical items and current events as they devise new ploys to entice users to find out more. During and after training, continue to run random simulated phishing attacks to gauge the effectiveness of the campaign. These simulations must vary the time and day of the attack and must be carefully crafted so that the office grapevine does not spread word of an ongoing simulation.
Done correctly, such a program dramatically reduces the percentage of users who fall prey to phishing. As a result, ransomware has less chance of gaining a foothold.