Ransomware has become so common that it’s easy to assume that your employer has established reliable methods for containing the damage from an infection. But ransomware has evolved to become extremely difficult to recover from, once an infection has occurred, for several reasons.
Without becoming too technical or too alarmist (face it… you wouldn’t need to care about being secure if there wasn’t some scary stuff out there), there are some important messages around the potentially serious outcomes of a ransomware infection that you need to understand.
Having a full appreciation of the impacts will help you grasp the critical need for avoiding these threats.
We tend to trust security software to effectively spot malware that tries to install or run on your computer. But there is a cat-and-mouse game that occurs daily, in which there are always weak points in the complex software we all use, and where attackers are always focusing their efforts.
So, while it is important to have good, up to date anti-virus software on your computer, this is often not enough to prevent an infection when the latest version of ransomware is triggered.
By now, ransomware has been around long enough that it’s tempting to assume the impacts are understood well enough that the costs of responding and recovering from an attack can be anticipated. You might also expect that your organization has cyber insurance that should cover any losses. But this is usually far from being the case in many businesses.
Photo by Markus Spiske on Unsplash
If you’re tired of security awareness training that doesn’t work and live phishing simulation campaigns that are more trouble than they are worth, we guarantee our gamified, immersive phishing awareness training will reduce your phishing vulnerability by at least 60%, or your money back…
The real impacts you can expect to see from ransomware
Here are the most important reasons why ransomware is still so expensive to businesses, and why you need to avoid it at all costs.
1 – Loss of access to critical data can be devastating for a business. Certainly, most people understand that the immediate impact from a ransomware infection is that computers, networks and data become locked up and inaccessible. And it makes sense that the best way to limit short term damage from ransomware is to have good backups (and a tested recovery process). It is reasonable to expect that your organization does have a well-designed and tested backup and recovery process. But recovering from ransomware through the backup recovery process, even in the best prepared businesses, takes time and will likely cause loss of computer and network operations for some time.
2 – Ransomware payments, and the low likelihood that all data and systems will be recovered, even if the ransom is paid. Attackers count on the fact that, you, the victim (or your management) have at least “some hope” of recovery if your organization pays the ransom. So, paying the ransom to recover the data may work as promised, or it may not. Your organization may pay the ransom, may still end up not having access to its data or systems, and may still need to go through a painful recovery process (since the decision to pay means it’s likely to be more expensive to recover operations from scratch).
3 – Data is stolen before systems are encrypted. Attackers figured out long ago that, while they have the access needed for them to encrypt data, they may as well keep a copy “just in case” your organization doesn’t pay up immediately. Sensitive, stolen data can then be used for extortion by threatening to release the data publicly, which will likely cause a privacy breach incident, as well as embarrassment and damage to your organization’s reputation. This technique is often used for extortion even if the ransom is paid. It’s what they call “double-extortion”. They have the data, so why wouldn’t they try to get value from it?
4 – Stolen data can also be used to extort THE ORGANIZATION’S CUSTOMERS. Even if your organization decides not to pay the ransom, the stolen data will often contain information that is sensitive to the your customers. In this case, the customer’s data can be used to threaten them, causing secondary privacy breaches. Notice how far-reaching the impacts become at this point.
5 – Denial of service attacks for non-payment of the ransom. As a further (and maybe final?) option, criminals have recently been observed launching “denial of service” (DOS) attacks on victim organizations until they pay up. They can pound your website for long periods of time so that nobody else can access it. Non-payment of ransom is apparently a good excuse to show your organization, in a vengeful way, who has the power, if it doesn’t pay.
6 – The misconception that “cyber insurance” policies will mitigate the risks from ransomware infections. Even if your organization does have a policy that covers “ransomware”, it often has “sub-limits” as low as $50,000. And most policies do not actually cover the payment of ransom. So, the value of cyber insurance is limited, and it’s very important to make sure the limits of a policy are understood by the organization’s management. If your organization does have cyber insurance, you’re in somewhat well-intended, but maybe not so helpful hands.
When you consider the extent of these potentially expensive and painful outcomes that can result from a successful ransomware infection, the only conclusion that needs to be drawn is that “ransomware infections must be avoided at virtually any cost”. It is critical that everyone in the organization is made aware of this fact.
What the organization must do to avoid ransomware infections
Security software does exist that looks for evidence of ransomware before or during the infection process, to limit damage. But as with any security technology, for the reasons discussed above, the detection rate in security software is never 100%, as attack methods continue to evolve. The available security software may not have even been put in place, for various reasons. So, having good security software is certainly important, but it is not guaranteed to be effective in any organization. This is why security is everyone’s responsibility in your organization.
It’s not really that important that you, as an employee, understand exactly how each variant of ransomware operates, what they are all called, or which of the above methods might be used by any particular ransomware. The most important thing that you can do to avoid triggering an infection is to not be tricked by a phishing message, or by a social engineering scam that causes you to enable unauthorized installation of malware (which can occur due to unauthorized downloads or sharing of passwords).
The most critical thing your organization’s security awareness training program can do to help you reduce the likelihood of a ransomware infection is to “double down” on reinforcing your ability to follow guidelines and best practices for spotting and avoiding phishing and social engineering attacks.
Arming everyone with the right skills
It can be challenging for IT Security managers to come up with the right mix of information and assessments to prepare you for these threats. However, the most effective approach is for your organization to focus on regularly exposing all employees to a variety of phishing and social engineering examples, for which you can apply consistent, fundamental methods to learn what works and what doesn’t. You don’t really have time to waste on general statements like “watch out for suspicious links”. Not that helpful, right?
Ideally, you should be able to practice analyzing potential phishing messages similar to the ones that you may face, on a frequent basis, and in a way that easily exercises your skills. It’s even better if the environment provides interactive simulations, positive feedback, and promotes an inclusive and pervasive culture of security. (Yes, it’s possible!)
Traditional methods of security awareness training and assessment
Many organizations still face the challenge of delivering security awareness training traditional learning management systems (LMS). But without a simulation element, using this approach alone makes it is extremely difficult to engage you, let alone to exercise and measure your skills for identifying and avoiding critical threats such as phishing and social engineering.
There has also been wide adoption of “live phishing simulation campaigns”, where “fake” phishing messages are sent to your work email accounts, to test your ability to spot and avoid suspicious messages. This approach has ultimately displayed numerous pitfalls, especially if not enough planning and due diligence has gone into the design and deployment of test messages. You may not be the only one questioning if this is the appropriate approach to use for assessing and reducing phishing risks.
These undesirable outcomes from “live phishing simulations” range from unreliable metrics, to employee backlash over being targeted (e.g., Godaddy, Chicago Tribune, West Midlands Railway, etc.), to legal liabilities and costs around “unauthorized impersonation” of entities (e.g. IRS, Facebook, Thrift Savings Plan, etc.), to the fact that employees can eventually start to “spot the test” rather than analyze the messages, without analyzing them fully. Is this method really worth all of the hassles?
The easiest and most cost-effective way to build and exercise your ability to spot phishing and social engineering threats is actually through a gamified platform designed to provide you with engagement (as close to fun as you may be allowed at work), psychological motivators, interactive feedback and simulation scenarios. Studies have shown that 80% of employees feel more engaged when a gamified approach is used to education versus 60% who feel bored or unmotivated using traditional training.
As an employee, would you rather spend valuable time trying to consume another boring, elearning course (while trying to sneak in other work on the side), and then being targeted with internal phishing email tests, or would you prefer to build your skills for phishing defense within a gamified platform designed for security awareness that presents you with immersive, engaging simulations?
Maybe it’s time to level up your security awareness program to help make sure your organization doesn’t get a ransomware infection.
Scott Wright is CEO of Click Armor, the gamified simulation platform that helps businesses avoid breaches by engaging employees to improve their proficiency in making decisions for cyber security risk and corporate compliance. He has over 20 years of cyber security coaching experience and was creator of the Honey Stick Project for Smartphones as a demonstration in measuring human vulnerabilities.
Photo by Patrick Amoy on Unsplash