Ransomware and Cyber extortion are the top concerns of cybersecurity professionals worldwide. Ransomware and extortion are when an organised gang attack organisation, small or large, takes something valuable to your business until you pay their ransom fee. For example, they could encrypt your data or consume all your bandwidth. Due to the rise in sophistication and volume, we recommend that you increase your cyber defences. However, you cannot achieve this by deploying an anti-ransomware tool but rather build a ransomware education program to add to your layered cyber defences. 

Cybercriminals exploit organisations through social engineering/ phishing, unpatched software abuse of Microsoft remote desktop protocol (RDP) and authentication attacks. To protect these vulnerabilities, you need to build a good security culture to strengthen your human defence layer by making your employees aware of how to detect and prevent the vulnerabilities above. In this article, we will outline how to build a ransomware education program so that you eliminate human risk in your organisation.

Designing behaviour on security awareness

Traditional cyber security awareness believes that information leads to action. Although this is a crucial first step, “awareness” alone does not lead to better secure behaviour. Therefore, you should look to finding effective behavioural interventions to bridge the awareness, intention and behaviour gap. 

Changes in behaviour happen when there is motivation, ability and a prompt. 

Motivation

You can dictate motivation by creating sensation, anticipation and belonging. You could invoke sensations like pleasure and pain and anticipations of hope and fear. Furthermore, you can also foster a sense of belonging by invoking feelings of acceptance and rejection. For example,

• You can create something pleasurable by tapping into someone’s positive emotions. For example, you can use visually appealing content, engaging humour or story-based techniques. 
• Fear can also be a powerful motivator. However, you have to make the fear easy to overcome and give your employees the tools they need empowering them in hope, not fear. 
• Happy people make secure people – communicate that the phishing simulator is not there to trick people but as a training exercise. As a result, you will start to build trust with them. 
• Competition and rewards such as phishing tournaments, whereby a participant wins if they report a certain amount of phishing emails, can instil a sense of hope.
• Using the power of leadership or a celebrity to tell stories can invoke a sense of belonging.
• Or make the content personally relevant. For example, describe how you can protect a family member.
• Use recognition to drive participation. For example, a CEO shout out for reporting a significant potential threat. 

Ability

Training people is hard work. Most people are resistant to learning new things. However, giving someone a tool or a resource makes it easier to break down that barrier. For example, a password manager helps you keep your password secure and takes out the complexity of remembering multiple unique passwords. So what are the tools that make it easier for people to stay safe and educate themselves about ransomware?

• Repetitive games to train people to spot phishing attacks. As a result, this converts knowledge into intuitive situational awareness.
• Phish-alert buttons, password managers and home security
• Simple how-to guides and short explainer videos or training modules

Prompts

Prompts remind people to do a task, for example, a password strength meter prompting you to improve your password. When you build a ransomware education program, you need to think about what notification prompts you want. For example,

• When users join the company, you can educate them on extortion threats.
• Notifications about the latest phishing scams
• Phishing detection warnings in users’ email clients. for example, “are you sure you can trust this link?”

When you successfully combine motivation, ability and prompts, you are more likely to change behaviour rather than just spreading awareness content and hoping for results. 

Build your ransomware engagement program 

The best engagement program will combine elements of motivation, ability and prompts to help change behaviour. 

Firstly you want to raise general awareness in three groups the IT/ security management team, the board and executives and the rest of the staff.

The IT and security management teams need to be able to conduct risk assessments, scope problems and make predictions and take masterclasses on how to prevent ransomware. You can use a ransomware simulator to assess the scale of risks. 

The company board members and executives are only interested in the risk rating and a summary of predictions. You can get this from a ransomware simulator and phishing test results, so they have the data to make informed decisions. 

The staff need short educational awareness modules, posters and newsletters to educate them, followed by games and quizzes to monitor their progress. 

Awareness about the highest risks causing ransomware

The top ways a cybercriminal attacks your company is through

1. Social Engineering/ Phishing
2. Unpatched Software
3. Abuse of Microsoft Remote Desktop Protocol (RDP)
4. and Authentication Attacks

Social engineering is still the number one root cause of ransomware and other malware attacks. Therefore, you need to raise awareness about those issues amongst those typically responsible.

All staff are at risk of social engineering attacks. Therefore, you should give them phishing-based training, followed by quizzes and games to solidify their knowledge. Furthermore, a phishing simulator can mimick a typical ransomware attack so you can see who needs additional training. 

Unpatched software is a job for the IT team. If you do not have the capacity to implement patching yourself, Northstar can help.

Similarly, Northstar can help secure your Microsoft Remote Desktop Protocol (RDP).

Again, we can help prevent password attacks by helping you create a secure password policy and implementing multi-factor authentication. Furthermore, we can also recommend a password manager tool.

Conclusions

If you embark on a security awareness and culture campaign, remember these key points,

1. Do not manage what you cannot measure. Make sure to create a baseline of current awareness by running proficiency and security culture assessments so you can track your progress.
2. Involve your Executives. As well as providing sponsorship and budget approval, they lead the campaign, and people follow their lead.
3. Do not run the campaign alone. Involve your marketing, internal communications, HR and compliance teams to gain input and approval. 
4. Combine training with frequent phishing simulations. Everyone in the company should get a randomly assigned phish every week to every month. You can create targeted or customised phishing emails for your users. 
5. Remediation training for frequent clickers. Provide tailored phishing campaigns for people that fail the test. Frequent-clicker groups are assigned automatically by a pre-set number of clicks. Therefore, you target your training towards those who need it. 

To find out how to build a ransomware education program for your staff, click here. Or contact us today.