The Primary Cause for Ransomware Attacks? Your Untrained Employees

The threat of ransomware is one that too many businesses still underestimate. The security standard many businesses operate under is five to ten years outdated—antivirus software and firewalls will not protect you from a ransomware attack that gets access to your system via a phishing email or social engineering scam. The majority of ransomware attacks are caused by an employee clicking on a fake phishing email, give up their login information, and give the hacker access to your entire system. Put simply, the untrained employee is the single biggest walking risk to your organization.

The obvious solution to this problem is to train your employees on cyber security. If they know what to look for, they won’t get tricked, right? Unfortunately, it’s not that simple. Modern hackers are incredible good at making their fake emails look convincing. What we frequently see are fake credit card notices from banks like Wells Fargo, American Express, or Bank of America. These emails are sent out en-masse, hoping that potential targets have a card at that bank. The email itself will talk about the account being overdrawn, or will involve some sort of password reset request. If the recipient isn’t paying attention to specific things, they won’t know the difference; the email will look exactly the same as the real thing, even down to the signature in many cases. These can be very hard to spot if you don’t know what to look for—and if you get caught, the antivirus won’t be able to protect your system, and the firewall won’t even recognize it as a threat.

An untrained employee is even more likely to fall prey to a specific phishing attack, also known as spear phishing. This is the case where the hacker researches the specific target, and craft their attack specifically for them. One example of this is someone receiving an email from what appears to be their HR department asking them to verify their account information. Another example could be an internal phishing email coming from a fake CFO or CEO—copied signature and registered domain as well. If an employee isn’t trained to recognize these, or even trained to question these kinds of occurrences, there’s a very high probability of their business’ network being breached.​

So how is this problem solved? There are some basic steps companies can take to fix this issue: train their staff, use Multi-Factor Authentication for logins to any remote-accessible systems, and set up monitoring systems to detect and block unauthorized login attempts. For example, if you don’t do any business, or have any employees, in Eastern Europe or Asia, then you should be blocking login attempts from those locations. In regards to staff training, working with a 3rd party IT security resource to teach employees how to identify phishing attacks is key. Policies regarding wire transfer orders should be strict and require verbal follow-up, and employees should be trained to check email domains and sources for suspicious activity.

When it comes to 3rd party involvement, another way to strengthen your cybersecurity presence is to have your security resource stage fake hacking attempts, also known as penetration tests, on your company. This is a good way to stress-test both your system and your employees. It also helps your staff become accustomed to detecting and responding to these kinds of security threats. All of your company stakeholders should be involved in the policymaking process for your security. Too many executives passively assume they know what their IT resource is doing for them, and that in itself is a risk. All stakeholders should know what’s at risk, what the standard response procedure is, and who is responsible for different facets of security.

Doing these things will turn your employees from a massive security risk into another layer of robust security for your company. Security is not something businesses can afford to slack on—talk to your IT team and perform a risk assessment to determine what your weaknesses are. Once your assessment is completed, work with your HR and other departments to make sure everyone is trained and ready. Stay safe out there!