Ransomware And Phishing: The Key Role Of Training
The Role Of Users In The Fight Against Ransomware
Ransomware and phishing pose a high risk to every company, and the two are closely related: human error gives cybercriminals the opportunity to log into the network with stolen user credentials and steal or manipulate data. In almost all successful attacks, cybercriminals don’t need to hack anything at all; they just log in. In ransomware attacks, users first click on links in emails or open documents containing malware. The result is well known: the ransomware can spread through the network with almost no resistance.
In addition, with the credentials obtained via phishing, attackers can easily log into the network, often from the Internet or via VPN, and act with that user’s rights. Such attacks often remain undetected until greater damage occurs or the attacker takes over additional identities in the internal network. On paper, many companies consider themselves prepared for attacks by hackers and for malware and ransomware. In practice, however, tested procedures and a view of the network from the attacker’s point of view are often missing.
And there is very often a lack of suitable training for users so that they can better recognize malware, understand the attackers’ procedures and protect themselves and their data better.
Without proper training, users are often vulnerable to attacks
When protecting an organization from cyber threats, end users are the first line of defence. After all, they are ultimately the ones who decide whether confidential data is sent or an external file is downloaded. But human error is all too likely: 95% of all privacy and data security breaches are due to an internal error. These small and large mistakes include accidentally sending emails to the wrong addressee, clicking on a phishing link, or downloading malicious attachments – with the well-known consequences.
Without education and training that is geared to the needs and current work environment of the user, users quickly fall for e-mails in which, for example, the official logo of well-known companies is emblazoned. Phishing emails now look deceptively real, but contain links or malware-infected file attachments. Educating users that emails aren’t inherently trustworthy just because they look official is a first step in preventing attacks.
Cyber criminals use techniques such as spear phishing to spy on users and collect data about them. If there is sufficient information, the attacker sends a phishing e-mail that is tailored precisely to this user and makes it easier for them to give up user data, for example. In contrast to conventional phishing attacks, in which the victims are selected at random, spear phishing attacks are targeted, well prepared and, thanks to good planning, particularly insidious attacks. These are then usually successful.
In general, users should be trained in the basics of IT security, the signs that may indicate an attack, and the usual procedures used by cybercriminals. Once users have this basic knowledge and have also been trained in recognizing phishing, training on ransomware becomes worthwhile, because it already requires some technical knowledge. There are also training courses on mobile security, i.e. attacks via smartphones, notebooks, VPN and public WLANs.
Consistently conducted training keeps the user up-to-date and, more importantly, empowers them to prevent attacks themselves.
Simulate Attacks, Train Users
Phishing attacks use almost every available digital channel to obtain user information. Besides e-mail, the number one attack vector, these are often SMS, text and video messages or phone calls. The senders or callers pretend to be representatives of companies that most users trust, and in most cases cybercriminals succeed in capturing access data this way.
There are various solutions available to companies that let them carry out phishing simulations themselves. For example, users receive an email asking them to reveal secret data or user information. These emails are structured like real phishing or spear phishing attacks. If a user clicks on such a link, the information page of the phishing simulation opens and informs them that they have just fallen for an attack. Thanks to realistic simulations, users can see how quickly one can fall for such an attack. At the same time, the simulation records which user is vulnerable to which type of attack – which in turn helps with individual training.
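The bookkeeping behind such a simulation, as an added example that is not code from the original article or from any simulation product: each simulated campaign is tagged with the attack type it imitates, every user's reaction is logged, and the log is turned into a per-user list of which attack types they fell for and which training module that suggests. The CSV log format, the event names, the user names and the training-module mapping are all constructed for this example.

```python
"""Phishing-simulation result tracker (constructed example)."""
import csv
import io
from collections import defaultdict

# How far a simulated attack got with a user; higher rank means worse.
# "reported" (the user flagged the mail) ranks above merely opening it,
# but a click or a credential submission still counts as falling for it
# even if the user reported the mail afterwards.
RANK = {"sent": 0, "opened": 1, "reported": 2, "clicked": 3, "submitted": 4}
FELL_FOR_IT = {"clicked", "submitted"}

# Which training module addresses which simulated attack type
# (constructed mapping, not from any real product).
TRAINING_FOR = {
    "invoice_attachment": "ransomware-basics",
    "password_reset": "phishing-credentials",
    "ceo_request": "spear-phishing",
    "sms_parcel": "mobile-security",
}

# Constructed event log: one simulated mail per user per campaign,
# followed by whatever the user did with it.
SAMPLE_LOG = """\
timestamp,user,attack_type,event
2024-03-01T09:00:00,alice,password_reset,sent
2024-03-01T09:03:10,alice,password_reset,opened
2024-03-01T09:03:40,alice,password_reset,clicked
2024-03-01T09:04:05,alice,password_reset,submitted
2024-03-01T09:00:00,bob,password_reset,sent
2024-03-01T09:10:00,bob,password_reset,reported
2024-03-02T09:00:00,alice,invoice_attachment,sent
2024-03-02T09:15:00,alice,invoice_attachment,reported
2024-03-02T09:00:00,bob,invoice_attachment,sent
2024-03-02T11:20:00,bob,invoice_attachment,opened
2024-03-02T11:21:00,bob,invoice_attachment,clicked
2024-03-03T09:00:00,carol,ceo_request,sent
"""


def parse_log(text):
    """Return the well-formed rows of the CSV log; unknown events are dropped."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        if row.get("event") in RANK and row.get("user") and row.get("attack_type"):
            rows.append(row)
    return rows


def summarize(text):
    """Map each user to {attack_type: worst observed reaction}."""
    seen = defaultdict(set)
    for row in parse_log(text):
        seen[(row["user"], row["attack_type"])].add(row["event"])
    summary = defaultdict(dict)
    for (user, kind), events in seen.items():
        summary[user][kind] = max(events, key=RANK.get)
    return dict(summary)


def training_plan(summary):
    """Assign each user the modules matching the attack types they fell for."""
    plan = {}
    for user, outcomes in summary.items():
        modules = sorted({TRAINING_FOR[kind] for kind, outcome in outcomes.items()
                          if outcome in FELL_FOR_IT and kind in TRAINING_FOR})
        if modules:
            plan[user] = modules
    return plan


def campaign_stats(summary):
    """Per attack type: how many users were targeted, fell for it, or reported it."""
    stats = defaultdict(lambda: {"sent": 0, "clicked": 0, "reported": 0})
    for outcomes in summary.values():
        for kind, outcome in outcomes.items():
            stats[kind]["sent"] += 1
            if outcome in FELL_FOR_IT:
                stats[kind]["clicked"] += 1
            elif outcome == "reported":
                stats[kind]["reported"] += 1
    return dict(stats)


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for user, modules in training_plan(result).items():
        print(f"{user}: assign {', '.join(modules)}")
    for kind, counts in campaign_stats(result).items():
        print(f"{kind}: {counts}")
```

Keeping the raw events rather than a single flag per user is what makes the individual training possible: a user who reports one campaign but submits credentials to another gets the module for the attack type that actually worked on them, and the campaign statistics show which lure types the whole organisation is weakest against.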
If companies specifically train their employees in how to deal with malware/ransomware and phishing, attacks by cybercriminals can be warded off much more easily. Additional tools help users make the right decisions. Regular training courses that create the necessary awareness are a central building block of every company's basic cyber security strategy. Or rather, they should be.