By Raj Gupta, CTO Lumen21, inc.
With the explosion of ransomware and the growing number of email messages per mailbox, my employees have become the first line of defense. Educating them has therefore become critical to protecting my infrastructure and our organization. But how do I do it?
What to do to get your employees to stop clicking on any and all links
First, you need to understand how ransomware works and what they target, as stated on the Microsoft website (https://www.microsoft.com/en-us/security/portal/mmpc/shared/ransomware.aspx).
What does ransomware do?
There are different types of ransomware; however, all of them will prevent you from using your PC normally, and all of them will ask you to do something before you can use your PC again.
They can target any PC user, whether it’s a home computer, endpoints in an enterprise network, or servers used by a government agency or healthcare provider.
- Prevent you from accessing Windows.
- Encrypt files so you can’t access or use them.
- Stop certain applications from running (like your web browser).
Ransomware will demand that you pay money (a “ransom”) to regain access to your PC or files. We have also seen them make you complete surveys.
There is no guarantee that paying the fine or doing what the ransomware tells you to do will get them to give you access to your PC or files again.
Case One: BOFH Theory
In the security space this is the problem that never gets solved. You cannot expect users to become security experts; they will not and cannot keep up with the whole security landscape while doing their day-to-day work. A sales or human resources person, for example, cannot be expected to know whether an email containing links is authentic or whether the links are malicious. Then there is the other kind of user, the one who reacts hysterically and declares that the sky is falling, as in the Disney movie Chicken Little (http://movies.disney.com/chicken-little); given their limited knowledge, that reaction is also understandable. Neither outcome is good for security.
The saner and gentler approach is education. My employees, whether at the front desk, in support, in human resources or elsewhere, simply do not know what phishing looks like, what it can do, or what to do with it. Better still is to give them an easy-to-use tool: one button they can click without worrying about whether they are making the right or wrong call, leaving it to the experts to determine whether the email they received is malicious.
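As an added example, not part of the original article, of what "the experts" do once a user has pressed the report button: a first-pass triage script in Python that parses the reported message, reads the Authentication-Results header for SPF/DKIM/DMARC checks that did not pass, and flags links whose visible text names one host while the href points to another. The sample messages, senders, domains and URLs below are constructed for this example and are not from the article or from PhishPro; a real triage pipeline would add sandboxing, URL reputation and attachment analysis on top of this.

```python
"""First-pass triage of a user-reported email (added example, not from the
article). Sample messages are constructed; every address and domain is made up."""

import email
import re
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample 1: link text shows the real mail host, href goes elsewhere,
# and the receiving MTA recorded SPF failure and no DKIM signature.
SAMPLE_EML = """\
From: "IT Helpdesk" <helpdesk@example.com>
To: user@example.com
Subject: Action required: mailbox quota exceeded
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com; dkim=none
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your mailbox is full. Sign in at
<a href="http://example-com.login-reset.invalid/auth">https://mail.example.com</a>
to keep receiving mail.</p>
</body></html>
"""

# Constructed sample 2: a benign internal notice with passing checks.
CLEAN_EML = """\
From: "IT Helpdesk" <helpdesk@example.com>
To: user@example.com
Subject: Scheduled maintenance tonight
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass
Content-Type: text/html; charset="utf-8"

<html><body><p>Details: <a href="https://intranet.example.com/maint">https://intranet.example.com/maint</a></p></body></html>
"""


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL, or '' if the string is not a URL."""
    try:
        return (urlparse(url).hostname or "").lower()
    except ValueError:
        return ""


def auth_failures(msg: EmailMessage) -> list[str]:
    """spf/dkim/dmarc results in Authentication-Results that are not 'pass'."""
    findings = []
    for header in msg.get_all("Authentication-Results", []):
        for mech, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I):
            if result.lower() != "pass":
                findings.append(f"{mech.lower()}={result.lower()}")
    return findings


def mismatched_links(msg: EmailMessage) -> list[tuple[str, str]]:
    """(shown text, real href) for links whose displayed URL host differs from the target host."""
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return []
    collector = LinkCollector()
    collector.feed(body.get_content())
    out = []
    for href, text in collector.links:
        shown, actual = host_of(text), host_of(href)
        if shown and actual and shown != actual:
            out.append((text, href))
    return out


def triage(raw: str) -> dict:
    """Parse a raw RFC 5322 message and return the findings an analyst looks at first."""
    msg = email.message_from_string(raw, policy=policy.default)
    report = {
        "from": str(msg["From"]),
        "subject": str(msg["Subject"]),
        "auth_failures": auth_failures(msg),
        "mismatched_links": mismatched_links(msg),
    }
    suspicious = bool(report["auth_failures"] or report["mismatched_links"])
    report["verdict"] = "suspicious" if suspicious else "no findings"
    return report


if __name__ == "__main__":
    for name, raw in (("reported", SAMPLE_EML), ("clean", CLEAN_EML)):
        print(name, triage(raw))
```

The two checks are deliberately the ones a user cannot be expected to make from the mail client: authentication results live in headers the client hides, and the href behind a link is only visible on hover. A "no findings" verdict is not a clean bill of health; it just means the cheap checks passed and the message moves on to deeper analysis.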
Case Two: Blame the Company
Employees may say: It is my company’s fault, they don’t know how to manage and secure our emails and networks. They are stingy and will not spend money on security. They do not hire any capable IT folks within my organization.
Managers may say: It’s not the workforce’s fault because we get so many emails and we’re supposed to answer/respond to them in a timely manner.
Tools like PhishPro incentivize employees and, within a controlled environment, send them emails that look like real phishing emails. Tricking users into clicking and acting may sound a bit Phishy, but it is an effective way to teach them why they should be alert to phishing, especially with ransomware up 500% and continuing to increase year after year. Give them pride by helping them understand how to stop it and how to protect themselves and the company. You may be surprised how many employees jump at the opportunity to help, especially the security-minded ones. Take the finger pointing away by giving them the tool and the overview they need to report potential incidents or events they encounter, not only at work but also in their personal day-to-day lives.
Case Three: Driving a Nail with a Platypus
No software, patch or monitoring system such as a SIEM changes human behavior. Users will keep clicking, just as they click on the Groupon offers, special-registration incentives and similar messages that flood their Yahoo and Gmail accounts. Build a bridge between your users and the security team through email or other regular channels such as a blog or internal newsletter; that goes a long way. Encourage a culture in which users speak up and report phishing emails instead of being intimidated by them, and let the forensic team do the work.
Again, this is a non-technical solution; for additional details, visit PhishPro to learn more about how it can help manage your exposure to phishing and support your employees.