Monday, March 8, 2021
Corporate Compliance Insights

Why Training is Critical in the Fight Against Ransomware

New NIST Guidance Provides a Solid Base, But Employee Training is a “Must Add”

by Stephen Boyce
March 20, 2020
in Cybersecurity, Featured

Ransomware is a devastating, costly and persistent tactic. NIST’s new reference architectures go a long way to guiding organizations toward a stronger ransomware defense, but user training is required as well. Crypsis Group’s Stephen Boyce discusses the role of end-user training in ransomware defense.

Ransomware threat actors have become increasingly sophisticated in their approaches for effectively deploying ransomware. In our experience with these incidents, a significant vulnerability remains the victim organization’s employees: All too often, employees are falling victim to phishing attacks that result in ransomware infections.

Recently, the National Institute of Standards and Technology (NIST) released a pair of reference architectures, currently open for public comment, designed to provide an overview of available technologies, best practices and methods to improve the detection and mitigation of ransomware attacks.

This guidance is helpful in delivering an end-to-end approach for increasing the cybersecurity posture of the organization, leveraging much of the solid framework put forth in NIST CSF 1.1 and drawing from both the National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce and the NIST Privacy frameworks. While the NIST CSF directly discusses the importance of user education in mitigating cyber risk, the new NIST ransomware guidance does not, and I think it is worth focusing on what else organizations need to be doing to help mitigate the risk of ransomware.

Organizations have suffered tremendously from ransomware. Symantec noted in their 2019 Internet Security Report that ransomware attacks have significantly increased. From our data involving hundreds of ransomware incidents, not only are organizations more commonly targeted, but ransom demands have also risen approximately 200 percent between 2018 and 2019, with the average payment totaling nearly $115,000 per incident in 2019.

Ransomware actors will continue to quickly shift their tactics, tools and procedures, and organizations will continue to scramble to shift their defenses — a costly match of cyber jiu-jitsu. Many organizations have adopted either sector-specific cybersecurity frameworks (such as ANSI and HITRUST) or general frameworks such as the NIST CSF. While NIST’s forward-leaning approach in their ransomware guidelines has gone a long way in addressing remaining cyber gaps with respect to this devastating tactic, let’s turn our attention to employee training, a “must” in the arsenal against ransomware.

Effective Employee Training: What Does It Look Like?

The key to successful employee training is understanding that threat actors have highly variable tactics — they evolve, are customized by organization and/or user and can be escalated as needed. With this understanding, you should customize your employee training to not only take into account threat actor methodologies, but also the unique traits of your organization and individuals within that organization. Below are some guidelines for customizing your security training:

Tailor the Training

While most training will be web-based, you can still create modules customized to individual groups pertinent to their roles and how they specifically may be targeted. IT will need to know how to respond and inform; finance will receive different tactics than marketing and HR; executives may be more highly targeted for spear-phishing and should be provided specific guidance on what to look for and how to communicate to employees on the importance of security. As one example, marketing employees may receive emails about meeting up at a trade show or offers from third parties they work with regularly, all of which will look quite legitimate. By training teams in their own language about tactics they may see in their realms, they can better spot and avoid tactics that may be used against them.

Make Training Incrementally Harder

Phish-testing will be more effective if you train users incrementally, starting with the easiest tactics and progressing to techniques that are harder and harder to spot. By tracking your organization’s strengths and weaknesses in these tests, you can custom build phish-testing that focuses on areas of weakness, creating a stronger human shield against ransomware and other attacks.
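The progression described above (start with easy lures, advance a group only once it stops clicking, and steer the next campaign at the weakest area) can be driven from campaign data rather than by hand. The following is an added example, not code from the article or from The Crypsis Group; the three difficulty tiers, the 10 percent click-rate threshold and the sample results are all constructed assumptions for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

# Assumed difficulty ladder, easiest first. Real programs may use more tiers.
TIERS = ["easy", "medium", "hard"]

# Assumed pass criterion: a group advances a tier once no more than
# 10 percent of its members clicked the simulated lure at the current tier.
MAX_CLICK_RATE = 0.10


@dataclass(frozen=True)
class PhishResult:
    """One employee's outcome in one simulated phishing campaign."""
    user: str
    group: str      # department or role the training is tailored to
    tier: str       # difficulty tier of the lure sent
    clicked: bool   # opened the link/attachment (failure)
    reported: bool  # reported the message to security (strength)


# Constructed sample results; not real campaign data.
SAMPLE_RESULTS = [
    # finance: clean at easy, but half still click at medium
    PhishResult("f.adams", "finance", "easy", False, True),
    PhishResult("g.baker", "finance", "easy", False, False),
    PhishResult("h.chen", "finance", "easy", False, True),
    PhishResult("i.diaz", "finance", "easy", False, False),
    PhishResult("f.adams", "finance", "medium", True, False),
    PhishResult("g.baker", "finance", "medium", False, True),
    PhishResult("h.chen", "finance", "medium", True, False),
    PhishResult("i.diaz", "finance", "medium", False, True),
    # marketing: only the easy tier run so far, one click
    PhishResult("j.evans", "marketing", "easy", True, False),
    PhishResult("k.ford", "marketing", "easy", False, True),
    PhishResult("l.gupta", "marketing", "easy", False, False),
    PhishResult("m.hale", "marketing", "easy", False, True),
    # hr: no clicks at any tier
    PhishResult("n.ito", "hr", "easy", False, True),
    PhishResult("o.jones", "hr", "easy", False, True),
    PhishResult("n.ito", "hr", "medium", False, True),
    PhishResult("o.jones", "hr", "medium", False, False),
    PhishResult("n.ito", "hr", "hard", False, True),
    PhishResult("o.jones", "hr", "hard", False, True),
]


def click_rates(results):
    """Map (group, tier) -> fraction of recipients who clicked."""
    totals = defaultdict(lambda: [0, 0])  # [recipients, clicks]
    for r in results:
        totals[(r.group, r.tier)][0] += 1
        totals[(r.group, r.tier)][1] += int(r.clicked)
    return {key: clicks / n for key, (n, clicks) in totals.items()}


def report_rates(results):
    """Map (group, tier) -> fraction who reported the lure (a strength signal)."""
    totals = defaultdict(lambda: [0, 0])
    for r in results:
        totals[(r.group, r.tier)][0] += 1
        totals[(r.group, r.tier)][1] += int(r.reported)
    return {key: reports / n for key, (n, reports) in totals.items()}


def next_tier(results, group, max_click_rate=MAX_CLICK_RATE):
    """Pick the tier a group should be tested at next.

    Walk the ladder from easiest: the first tier the group has not yet been
    tested at, or at which it still clicks above the threshold, is where the
    next campaign goes. A group that passes every tier stays at the hardest.
    """
    rates = click_rates(results)
    for tier in TIERS:
        if (group, tier) not in rates:
            return tier          # untested at this level: test it next
        if rates[(group, tier)] > max_click_rate:
            return tier          # still weak here: keep training at this level
    return TIERS[-1]             # passed the whole ladder: keep sharpening at hard


def weakest_areas(results, max_click_rate=MAX_CLICK_RATE):
    """(group, tier, click_rate) triples above threshold, worst first."""
    weak = [(g, t, rate) for (g, t), rate in click_rates(results).items()
            if rate > max_click_rate]
    return sorted(weak, key=lambda item: item[2], reverse=True)


if __name__ == "__main__":
    for group in sorted({r.group for r in SAMPLE_RESULTS}):
        print(f"{group:10s} next campaign tier: {next_tier(SAMPLE_RESULTS, group)}")
    print("focus areas:", weakest_areas(SAMPLE_RESULTS))
```

With the constructed data, finance is held at "medium" until its click rate drops, marketing stays at "easy", and HR has cleared the ladder and keeps drilling at "hard"; the focus list ranks finance's medium-tier campaign as the first place to spend training effort. A group with no results at all is simply scheduled for an easy-tier campaign.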

Keep it Comprehensive

The tactics threat actors use go beyond phishing and spear-phishing. They could attempt physical access using a number of social engineering tactics, meet up with employees at a trade show and give them a USB drive or other nefarious techniques. Employee training should address all social engineering and physical security concerns.

Additionally, the following ideas can increase the effectiveness of your training:

Try Gamification

Security training can be made fun by “gamifying” the testing and results. Gamification involves setting goals, rules for reaching the goals, rewards or incentives, feedback mechanisms and, often, leaderboards (organizations can compete against each other). By making it more fun, employees are more engaged and learn more. Security training is by its nature dry, and if it sounds frightening and potentially punitive, it will be less effective. If you can turn the game into “outsmarting the hacker,” they will learn something and have fun along the way.

Make Training More Frequent

Conducting training once annually is helpful, and it’s better than nothing; but it is easy to forget about security in the intervening months. We suggest holding across-the-board security training annually, as well as a mid-year “refresh” that builds on specific areas of emphasis, such as advanced techniques. This will keep security awareness front and center and allow employees to build on what they learn.

Make it Cultural

Creating a “security awareness culture” is essential. If security is something employees only focus on when doing a 30-minute, web-based training once a year, they aren’t going to have it on their minds when they receive an email with a questionable attachment. Company leaders must buy into the importance of cybersecurity, support and promote richer cyber training programs and emphasize security in company communications. Some organizations display posters in public areas reminding employees to be security aware, send out regular security tips emails, have proactive alerts that inform about malicious emails seen by individuals, etc.

By adding these effective employee education techniques to the NIST ransomware reference architecture, organizations should be in a stronger overall position to defend against ransomware attacks. There is no silver bullet against threats, and employees are likely to remain our biggest vulnerability, but we should do our best to keep employees as aware as possible of the techniques that may be leveraged against them and the organization.


Tags: cyber risk, ransomware, training
Stephen Boyce

Stephen Boyce, Principal Consultant at The Crypsis Group, is responsible for leading and investigating complex cyber investigations for clients across a range of industries. He is an experienced cybersecurity professional with a background in federal law enforcement and testifying as an expert witness in criminal cases. He joined the Crypsis team in 2019 after several years with the Federal Bureau of Investigation, where he led national security technical exploitation. In that capacity, he worked on criminal investigations, analyzing and exploiting digital media and training the Bureau’s agents and analysts on how to interpret raw data. Stephen also maintained working relationships with the Bureau’s domestic and international partner agencies through his service on working groups, committees and joint projects. Previously, Stephen was a forensic examiner at the FBI and was a Cyber Intern for the National Cyber Investigative Joint Task Force (NCIJTF), the U.S. State Department and the FBI. Stephen is also an adjunct professor at the University of Maryland Global Campus and a cybersecurity adjunct professor at Marymount University. He holds a bachelor’s degree in Information Technology, a master’s degree in Cybersecurity and is currently pursuing a doctorate in Cybersecurity at Marymount University.
