
Why Training is Critical in the Fight Against Ransomware

New NIST Guidance Provides a Solid Base, But Employee Training is a “Must Add”

by Stephen Boyce
March 20, 2020
in Cybersecurity, Featured

Ransomware is a devastating, costly and persistent tactic. NIST’s new reference architectures go a long way to guiding organizations toward a stronger ransomware defense, but user training is required as well. Crypsis Group’s Stephen Boyce discusses the role of end-user training in ransomware defense.

Ransomware threat actors have become increasingly sophisticated in how they deploy ransomware. In our experience with these incidents, a significant vulnerability remains the victim organization’s employees: all too often, employees fall victim to phishing attacks that result in ransomware infections.

Recently, the National Institute of Standards and Technology (NIST) released a pair of reference architectures, currently open for public comment, designed to provide an overview of available technologies, best practices and methods to improve the detection and mitigation of ransomware attacks.

This guidance is helpful in delivering an end-to-end approach for increasing the cybersecurity posture of the organization, leveraging much of the solid framework put forth in NIST CSF 1.1 and drawing from both the National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce and the NIST Privacy frameworks. While the NIST CSF directly discusses the importance of user education in mitigating cyber risk, the new NIST ransomware guidance does not, and I think it is worth focusing on what else organizations need to be doing to help mitigate the risk of ransomware.

Organizations have suffered tremendously from ransomware. Symantec noted in its 2019 Internet Security Threat Report that ransomware attacks have significantly increased. From our data involving hundreds of ransomware incidents, not only are organizations more commonly targeted, but ransom demands have also risen approximately 200 percent between 2018 and 2019, with the average payment totaling nearly $115,000 per incident in 2019.

Ransomware actors will continue to quickly shift their tactics, techniques and procedures, and organizations will continue to scramble to shift their defenses: a costly match of cyber jiu-jitsu. Many organizations have adopted either sector-specific cybersecurity frameworks (such as ANSI and HITRUST) or general frameworks such as the NIST CSF. While NIST’s forward-leaning approach in its ransomware guidelines has gone a long way in addressing remaining cyber gaps with respect to this devastating tactic, let’s turn our attention to employee training, a “must” in the arsenal against ransomware.

Effective Employee Training: What Does It Look Like?

The key to successful employee training is understanding that threat actors have highly variable tactics — they evolve, are customized by organization and/or user and can be escalated as needed. With this understanding, you should customize your employee training to not only take into account threat actor methodologies, but also the unique traits of your organization and individuals within that organization. Below are some guidelines for customizing your security training:

Tailor the Training

While most training will be web-based, you can still create modules customized to individual groups, pertinent to their roles and to how they specifically may be targeted. IT will need to know how to respond and inform. Finance will see different lures than marketing or HR. Executives may be more heavily targeted for spear-phishing and should be given specific guidance on what to look for, as well as on how to communicate to employees the importance of security. As one example, marketing employees may receive emails about meeting up at a trade show or offers from third parties they work with regularly, all of which will look quite legitimate. By training teams in their own language about the tactics they are likely to see in their realms, they can better spot and avoid the tactics that may be used against them.

Make Training Incrementally Harder

Phish-testing will be more effective if you train users incrementally, starting with the easiest tactics and progressing to techniques that are harder and harder to spot. By tracking your organization’s strengths and weaknesses in these tests, you can custom build phish-testing that focuses on areas of weakness, creating a stronger human shield against ransomware and other attacks.
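The two ideas above, role-specific lures and incremental difficulty, can be driven by the results of each simulated-phishing campaign. The following is an added illustration, not code from the article or from Crypsis Group: it tallies per-team click and report rates from one campaign and decides, per team, whether the next campaign moves up a difficulty tier or stays at the current tier on the lure categories that team fell for. The tier names, the role-to-lure mapping, the 10 percent click and 50 percent report thresholds and the sample results are all hypothetical and constructed for the example.

```python
"""Adaptive phish-test planner (added example; assumptions are marked)."""
from collections import defaultdict
from dataclasses import dataclass

# Difficulty tiers, easiest first (assumed names).
TIERS = ["obvious", "plausible", "targeted"]

# Hypothetical role-specific lure categories, in the spirit of the
# "marketing gets trade-show invitations" example in the article.
ROLE_LURES = {
    "finance": ["invoice", "wire_change", "vendor_portal"],
    "marketing": ["trade_show", "partner_offer", "shared_file"],
    "hr": ["resume", "benefits_update", "payroll"],
    "executive": ["board_document", "legal_notice", "ceo_request"],
}

# A team advances only when few people clicked AND many reported (assumed thresholds).
MAX_CLICK_RATE = 0.10
MIN_REPORT_RATE = 0.50


@dataclass
class Result:
    """Outcome for one recipient of one simulated phish."""
    user: str
    team: str
    tier: str      # tier the team was tested at in this campaign
    lure: str      # lure category used against this user
    clicked: bool  # clicked the link / opened the attachment
    reported: bool # reported the message to security


def summarise(results):
    """Per-team click rate, report rate, tier tested and lure categories that worked."""
    acc = defaultdict(lambda: {"sent": 0, "clicked": 0, "reported": 0,
                               "tier": None, "weak": set()})
    for r in results:
        s = acc[r.team]
        s["sent"] += 1
        s["tier"] = r.tier
        if r.clicked:
            s["clicked"] += 1
            s["weak"].add(r.lure)
        if r.reported:
            s["reported"] += 1
    return {
        team: {
            "click_rate": s["clicked"] / s["sent"],
            "report_rate": s["reported"] / s["sent"],
            "tier": s["tier"],
            "weak": sorted(s["weak"]),
        }
        for team, s in acc.items()
    }


def plan_next(summary):
    """Choose next tier and lure categories per team from a summarise() result."""
    plan = {}
    for team, s in summary.items():
        idx = TIERS.index(s["tier"])
        passed = s["click_rate"] <= MAX_CLICK_RATE and s["report_rate"] >= MIN_REPORT_RATE
        if passed and idx + 1 < len(TIERS):
            # Team handled this tier: escalate, using its role-specific lures.
            plan[team] = {"tier": TIERS[idx + 1], "lures": ROLE_LURES.get(team, [])}
        elif passed:
            # Already at the hardest tier: keep rehearsing it.
            plan[team] = {"tier": s["tier"], "lures": ROLE_LURES.get(team, [])}
        else:
            # Team failed: repeat the tier, focused on the lures that worked.
            plan[team] = {"tier": s["tier"], "lures": s["weak"] or ROLE_LURES.get(team, [])}
    return plan


# Constructed sample campaign results (not real data).
SAMPLE = [
    Result("f1", "finance", "plausible", "invoice", False, True),
    Result("f2", "finance", "plausible", "wire_change", False, True),
    Result("f3", "finance", "plausible", "invoice", False, True),
    Result("f4", "finance", "plausible", "vendor_portal", False, False),
    Result("f5", "finance", "plausible", "invoice", False, True),
    Result("m1", "marketing", "obvious", "trade_show", True, False),
    Result("m2", "marketing", "obvious", "trade_show", True, False),
    Result("m3", "marketing", "obvious", "partner_offer", False, True),
    Result("m4", "marketing", "obvious", "shared_file", False, False),
    Result("h1", "hr", "targeted", "resume", False, True),
    Result("h2", "hr", "targeted", "payroll", False, True),
    Result("h3", "hr", "targeted", "benefits_update", False, False),
]

if __name__ == "__main__":
    for team, nxt in plan_next(summarise(SAMPLE)).items():
        print(f"{team}: next tier {nxt['tier']}, lures {nxt['lures']}")
```

Run as-is and finance (no clicks, 80 percent reported) advances from "plausible" to "targeted", marketing (half clicked) repeats "obvious" on the trade-show lure that caught it, and HR, already at the top tier, rehearses it again. Treating a low click rate alone as success is a common mistake; the report rate is what tells you employees are acting as a detection layer rather than just ignoring the message.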

Keep it Comprehensive

The tactics threat actors use go beyond phishing and spear-phishing. They could attempt physical access using a number of social engineering tactics, meet up with employees at a trade show and hand them a USB drive, or use other nefarious techniques. Employee training should address all social engineering and physical security concerns.

Additionally, the following ideas can increase the effectiveness of your training:

Try Gamification

Security training can be made fun by “gamifying” the testing and results. Gamification involves setting goals, rules for reaching the goals, rewards or incentives, feedback mechanisms and, often, leaderboards (teams, departments or even organizations can compete against each other). By making it more fun, employees are more engaged and learn more. Security training is by its nature dry, and if it sounds frightening and potentially punitive, it will be less effective. If you can turn the game into “outsmarting the hacker,” employees will learn something and have fun along the way.

Make Training More Frequent

Conducting training once annually is helpful, and it’s better than nothing; but it is easy to forget about security in the intervening months. We suggest holding across-the-board security training annually, as well as a mid-year “refresh” that builds on specific areas of emphasis, such as advanced techniques. This will keep security awareness front and center and allow employees to build on what they learn.

Make it Cultural

Creating a “security awareness culture” is essential. If security is something employees only focus on during a 30-minute, web-based training once a year, they aren’t going to have it on their minds when they receive an email with a questionable attachment. Company leaders must buy into the importance of cybersecurity, support and promote richer cyber training programs and emphasize security in company communications. Some organizations display posters in public areas reminding employees to be security aware, send out regular security-tip emails, issue proactive alerts about malicious emails that individual employees have spotted and reported, and so on.

By adding these effective employee education techniques to the NIST ransomware reference architecture, organizations should be in a stronger overall position to defend against ransomware attacks. There is no silver bullet against threats, and employees are likely to remain our biggest vulnerability, but we should do our best to keep employees as aware as possible of the techniques that may be leveraged against them and the organization.


Tags: Cyber Risk, Ransomware, Training
Stephen Boyce

Stephen Boyce, Principal Consultant at The Crypsis Group, is responsible for leading and investigating complex cyber investigations for clients across a range of industries. He is an experienced cybersecurity professional with a background in federal law enforcement and testifying as an expert witness in criminal cases. He joined the Crypsis team in 2019 after several years with the Federal Bureau of Investigation, where he led national security technical exploitation. In that capacity, he worked on criminal investigations, analyzing and exploiting digital media and training the Bureau’s agents and analysts on how to interpret raw data. Stephen also maintained working relationships with the Bureau’s domestic and international partner agencies through his service on working groups, committees and joint projects. Previously, Stephen was a forensic examiner at the FBI and was a Cyber Intern for the National Cyber Investigative Joint Task Force (NCIJTF), the U.S. State Department and the FBI. Stephen is also an adjunct professor at the University of Maryland Global Campus and a cybersecurity adjunct professor at Marymount University. He holds a bachelor’s degree in Information Technology, a master’s degree in Cybersecurity and is currently pursuing a doctorate in Cybersecurity at Marymount University.
