Convincing your employees to adopt the right cybervigilance reflexes requires more than awareness campaigns.
Ransomware is the most serious current IT threat to companies and institutions, as stated in the recent report of the French National Agency for the Security of Information Systems (ANSSI).
Indeed, nearly 3 out of 4 companies infected with ransom software spend two or more days without access to their files.
30% of them spend five days or more, despite having invested in sophisticated security tools designed to detect and prevent cyber attacks.
There are many reasons for this: misconfigured devices, overly complicated security systems, stacked solutions that can actually reduce visibility.
More than 90% of all successful compromises, such as ransom attacks, begin with a simple email. A user opens a malicious file or clicks on a link sent by someone they don’t know.
Studies have shown that up to 94% of employees – and 96% of managers – cannot tell the difference between real and phishing emails.
This is particularly difficult when it comes to targeted attacks (Spear Phishing, President Fraud). In this case, emails are specifically designed to deceive specific targets within an organization.
Be aware of the problem
The obvious answer to these problems is to raise awareness and train employees in cybersecurity.
However, one of the paradoxes today is that most of your employees are already aware of cybersecurity issues and best practices.
For example, the vast majority of them know that passwords need to be complex and changed often, that they should not click on email attachments, especially from people they don’t know.
Your employees also know that important data must be protected and even encrypted.
The problem is that they simply don’t do any of these things.
This reason is rooted in the practice of security and the user’s mindset.
On the one hand, we have pushed users to adopt certain practices.
For example, rather than developing a simplified system to manage secure access to all their online accounts, users are forced to keep track of these passwords themselves.
Thus, they use the name of their pet, their personal data as well as their password (date of birth, first name of their child …).
On the other hand, employees do not take ownership of the security principles implemented by the organization.
In a recent survey, nearly half of employees indicated that they believe that, although important, cyber security is someone else’s responsibility. The person in charge is therefore “the other”!
Start with the basics
First, it starts with a top-down commitment.
The leadership team must also ensure its full commitment to promoting and enforcing good safety behaviour.
It must also conduct a review with all managers of the safety issues facing the company.
You must also surround yourself with good internal skills and have previously identified the external skills that can assist you.
Despite the efforts of the security team, phishing emails and malware can get through. They can help you protect yourself or respond effectively.
Second, you also need to rethink some very basic behaviours.
It is human nature not to say anything, even when something harmful is going on.
That’s why less than 5% of employees will talk or report suspicious behaviour, such as strangers calling or emailing to gather information.
One way to address this problem is to set up a recognition system for employees who do the right thing.
Many organizations conduct internal phishing campaigns to identify people who click on potentially malicious links.
But rather than simply directing people who fail these tests to some sort of remedial training, a system needs to be put in place that recognizes people who report a suspicious email to a manager.
This is the approach we have chosen for Digital Crisis Response.
Change your risk profile
By properly involving your employees in your security efforts, you can significantly reduce your exposure to ransom and phishing attacks.
To do this, you need to stop going for the simplest of things, which is to put in place yet another application to detect and analyze threats.
You need to be more proactive by implementing an application that motivates users to voluntarily change their behaviour.
Make an appointment to test Digital Crisis Response? Need more information? Contact us.
If you liked this article, please feel free to share it and send us your comments.
State of the ransom threat against companies and institutions – ANSSI, February 2020
Large Majority of Enterprise Employees Understand What Effective Security Practices – Dtex Systems, February 2019
Annual security report, Verizon 2017
Harpooning executives – intermedia, 2015
Ransomware, The new threat to business uptime – Intermedia, 2020
Managing the Human Security Factor in the Age of Ransomware – threatpost, November 2019
Human Factor report 2019 – proofpoint, 2019