Why end user training is vital to reduce the risk of ransomware.
Major companies, government departments and tech providers keep falling foul of hacking and ransomware attacks. Barely a week goes by without another news story of another victim of either state sponsored cyber terrorism or nefarious individual actors.
In the last two weeks alone, we have seen KP Snacks halt all orders and deliveries whilst they recover from a ransomware attack, with disruption potentially lasting until March. This will have a massive financial impact on the company, but the consequences could be much worse than the immediate issue: the cost in poor PR, and buyers and investors losing confidence in KP Snacks, could cripple the company. Added to that, colleague details have been found on the dark web, with threats of more being published, which could lead to employee turnover as employees lose faith that the company can keep their data secure.
The Foreign, Development and Commonwealth Office have also been recent victims of a “cyber security related incident” where hackers were able to enter the FDCO systems – it is unknown whether any information was breached.
Although the National Cyber Security Centre (NCSC), the cyber arm of GCHQ, advises companies not to pay the ransom, it is estimated that up to $45 million was paid in ransom in 2021.
But paying the ransom might not be the end of the story. Once the hackers know you will pay to secure your data, there’s nothing to stop them demanding more, and there has been an increase in these incidents occurring.
Putting technical measures in place is essential to protecting your business, and organisations of all sizes, from sole traders to large multi-national Plcs, should follow the NCSC guidance (link at bottom of page) to protect their business.
Technical measures can only do so much though. Spending thousands or tens of thousands of pounds on the latest hardware and software means nothing if your end-users aren’t trained to spot phishing attempts.
Egress estimate that 90% of ransomware attacks are delivered via email, and it only takes one employee’s momentary lapse in concentration to cripple your network.
So, whilst Cyber Security is of “high priority” to 77% of UK Companies, only 12% have made HR changes, including training, to accommodate it. This is a massive shortfall and leaves all of the technical measures put in place redundant.
End-user training needn’t be costly or complex – indeed keeping it simple will keep the end-user engaged with the training. The training, in a nutshell, should include:
Awareness of the issue and how widespread it is
Awareness of the consequences of falling victim
Awareness of the vital role they play in prevention
Awareness of the wider company measures and how they impact them (for example, having to register a mobile device for Multi-Factor Authentication)
Specifically how they are at risk of falling victim
Specifically what they can do to prevent a breach
Specifically how they report potential phishing attempts
Specifically what they do in the event of a breach
Test the end-users’ knowledge and understanding after the training
Test their adherence by sending simulated (spoof) phishing emails
Review and Redo
Just because you have trained once, it doesn’t mean the problem is resolved. End-users will forget training over time and if it is not kept in focus by the company, adherence will slip down the list of priorities.
Regular retraining, refocussing and retesting will help to keep the end-users’ focus.
Training is one of the quickest, easiest and most cost-effective methods of preventing phishing attacks, and a vital piece of the jigsaw for demonstrating reasonable compliance with GDPR/DPA in the event of a breach. Without training, companies will struggle to avoid ICO fines in the event of a personal data breach.
At Giotech, we have a wealth of cyber security training, tailored to your individual needs. Contact us at firstname.lastname@example.org for more information or to arrange a call and in the meantime, follow the below link to our Top 10 Tips for spotting a phishing email.