Tech columnist MJ Shoer says companies need to ensure their employees are trained to avoid being tricked into letting ransomware loose on their networks, and that the users of the computers themselves are the last line of defense.
The following was originally published on March 6, 2016 on Seacoastonline.com.
Over the past two weeks, yet another new form of ransomware has been circulating on the Internet, and multiple companies have fallen victim to the scheme.
Ransomware typically arrives as an e-mail socially engineered to appear very real, tricking you into opening an attachment or clicking a link that brings malware onto your computer. From there, the malware encrypts your data, making it inaccessible. The only options are to restore from a backup or to pay a ransom to the criminals who create these threats in order to obtain a decryption key and regain access to your data.
The real issue around these threats is not how well your IT infrastructure is architected to prevent them. Company networks with the best firewalls, anti-virus software and threat prevention systems have still fallen victim to these threats. This is because they are not only socially engineered to get a user to do the wrong thing and infect their network, they are also technically engineered to make their way past the network defenses by tricking the user into making them appear to be legitimate traffic into the network. This is where the concept of the human firewall comes into play.
I continue to say that you, the user of your computer, are the last line of defense. You are the human firewall. Like a hardware firewall, you need to be set up properly to defend yourself, and this is where proper user education about threats and how to defeat them is critical. In today’s world, it is imperative that your company have a defined, regularly scheduled and monitored employee training program when it comes to IT security.
When designing and implementing an effective training program, consider this simple example. There are four major forms of e-mail attacks that target users: phishing, spear-phishing, executive whaling and CEO fraud. In this example, what each means is not what’s important. If you asked members of your staff whether they know what each of these is and how they differ from one another, would they know? Most likely not, and this is just one type of attack vector. There are many others. The key question then becomes: how do you educate your employees so they know their risks, retain this information and take proper action when they are attacked? It’s not an if, it is a when.
When it comes to training your teams about IT security, try to avoid some of the common mistakes. Don’t stick your head in the sand and hope all will be well; it won’t. You also don’t want to throw training sessions, videos or tests at your staff during impromptu breaks or lunch meetings. This type of training needs to be treated with the same importance as the most important report you have to deliver to your most important customer.
Develop a comprehensive training program that incorporates multiple aspects of effective training methods. Combine your program with traditional methods, effective technology and simulations to demonstrate the types of risks your employees are likely to encounter. Start with a baseline that you expect all employees to understand and grow from there. Be sure your program includes random tests to validate that your staff is retaining this critical knowledge throughout the year. Be sure to get the buy-in of your executive team, as their support is crucial to the success of this program. Also keep in mind that executives are a specific target and may need more specialized training based on threats known to be targeting senior executives.
The key message is not to rely on technology alone to protect your critical information. Develop a solid and managed training program that will equip your employees to be the human firewalls that will allow your company to avoid falling victim to a breach, hack or theft.