When you live and breath IT and information security, it is easy to forget that not everyone in your organisation is on the same page. Take ransomware for example. We – IT professionals – are actively monitoring the cyber threat landscape; we take a great interest in finding out about the latest threats. In fact sometimes we cannot help but admire how sophisticated cyber attacks have become, whilst taking great satisfaction in detecting and preventing attacks to our own networks.
What we forget is that not all employees within our organisation are as aware of cyber threats, or as risk adverse as we are. On the one hand they often do not know what the risks are, and on the other they do not fully appreciate the consequences of an attacks.
One type of threat that is exposing this vulnerability is social engineering, including ransomware, phishing emails and CEO fraud.
Social engineering taps into the human psyche, exploiting our curiosity, sympathy, fear, urgency, or our material desires. Because of this level of sophistication, attacks can be highly successful.
Scams such as pay rise/redundancy phishing emails work because they appear to come from a company director (using an address that is very similar to their genuine email address), and contain information that cannot help but interest their recipients. Picture that member of staff who receives an email with the subject line ‘Company Redundancies 2017’; they will to struggle to contain their curiosity and concern, and unless they know otherwise, are highly likely to click on ransomware macros.
Security managers and IT pros know what to look for and what the consequences of this kind of attack are; but do other employees?
Another scam that we have seen doing the rounds is the ‘competition scam’. This one typically starts with a phone call to the company’s receptionist with the promise of a ‘prize’ like a bottle of champagne in exchange for answering a few simple questions.
The questions are fairly innocuous, ‘who’s the prime minister?’ etc., but the killer question comes at the end: ‘what accounts software do you use?’ IT professionals! Be on guard if anyone within the company calls to verify what accounts software is in use.
Having revealed this information a further call is made to the company claiming to be from the accounting software company, Sage, Xero etc. This call might be to IT or Finance and the cyber criminal requests an email address so they can email some important documents. The victim is then primed to receive the email and when it comes through, they get click on attachments without further thought.
I should add that IT professionals are not immune to this kind of attack, so imagine how convincing they seem to someone in the finance department or other areas of the business.
What Security Managers And IT Professionals Can Do
Prevention is always better than the cure, and these three steps will go a long way to reducing your exposure to ransomware attacks.
Step 1: Raise awareness and educate all employees
If technologies for detecting, deleting or quarantining phishing emails fail, the last line of defence is the user. Awareness raising programmes will inform employees of the threats, what they may look like, how sophisticated they are, and what the consequences of enabling attacks such as ransomware can be.
Step 2: Have clear guidelines of what to do if employees suspect a cyber threat
Employees also need to know what to do if they suspect an email is not genuine. Often phishing emails work because they have a sense of urgency about them – if an employee receives an email from a senior member of staff that says ‘urgent’, they jump to it. A culture of always questioning whether an email is genuine must be encouraged, as well as the reassurance that doing so – i.e. questioning a senior manager’s email – will not reflect badly on that employee. Furthermore, when an employee is unsure of an email they need a rapid response from the IT team, so that if authentic they can respond appropriately.
Step 3: Make sure you have a robust data backup and disaster recovery system
The final steps are to protect your organisation should an attack take pace. To avoid paying a ransom a robust data backup and disaster recovery system is essential, ensuring that it is possible to restore data to the point before the infection occurred. Disaster recovery / business continuity plans must address specific risks to be effective. We recommend looking explore all potential threats and tailoring strategies and procedures for each scenario.
We may be aware of the threats of social engineering campaigns like ransomware, but never presume that everyone else within your organisation is.