This month’s security awareness topic is ransomware
Introduction and scope
Ransomware is just one of the many forms of malware, and just one of the many ways to
compromise computer systems and data deliberately, whether to profit from or simply to harm the interests of a target organization or individual. As such, ransomware is a narrow but
important issue because the criminals and hackers behind it have found a way to make their fortunes from it. A substantial proportion of the people and corporations hit by ransomware
are evidently willing to pay the hundreds or thousands of dollars demanded to get their systems and data back. Even those with sensible controls in place to reduce the chances of
infection (most notably security awareness!), with sound incident management and recovery arrangements, with suitable recent backups and so forth, even they still pay up sometimes
because of the time needed and the costs of recovering under their own steam.
Hence, it’s a growth industry.
For ransomware-infected corporations dealing with an incident, it comes down to a tough
business decision by management: taking everything into account, what is the best (or least
bad!) option for the organization, the best way out of their predicament? That alone demonstrates the value of raising management's awareness of this issue now, before they are faced with those difficult decisions in the roaring heat and tension of an actual ongoing incident (with the business on hold,
the clock ticking and the odd headless chicken flapping about the place). But there's still more to it.
Managers and assorted professional advisors also need to know about the information risks relating to ransomware and other malware, and how best to
treat them. There are things that can and should be done to reduce both the probability and impacts of ransomware. Those backups for example:
someone has to generate them, test and prove them, and store them safely offline in such a way that a ransomware or other incident doesn’t take them
out of commission at the same time. Trust me, you don’t want to discover that your most recent usable backup was “some time last year, we think” if you
are running a business that depends on IT - and who doesn’t these days? By the way, that goes for the entire supply chain, not just your part of it. Woe
betide you if you are part of the critical national infrastructure, or if your stakeholders get a whiff of problems in this area.
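The backup paragraph above names three duties: generate backups, test and prove them, and keep them where an incident cannot take them out at the same time. As an added example (it is not part of the NoticeBored module and not the original post's material), here is a small Python check that does the first two mechanically: it records a SHA-256 for every file in a backup set in a JSON manifest, re-verifies the hashes, runs a restore test, and flags a set whose newest manifest is older than a policy limit. The file layout, the MANIFEST.json name, the seven-day freshness policy and the sample files are all my assumptions for the demonstration.

```python
"""Backup manifest and verification check.

Added example, not NoticeBored material. Assumptions (mine, not the page's):
backups are plain files under one directory, a JSON manifest records a
SHA-256 per file plus the time the manifest was written, and "usable" means
every hash still matches, a restore test succeeds, and the set is not stale.
"""
import hashlib
import json
import os
import tempfile
import time
from pathlib import Path
from typing import Optional

MAX_BACKUP_AGE_DAYS = 7  # assumed policy: newest verified backup under a week old
MANIFEST_NAME = "MANIFEST.json"  # assumed manifest file name


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 (large backups must not be read whole)."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(backup_dir: Path, created: Optional[float] = None) -> Path:
    """Record a hash for every file in the set and the time it was taken."""
    created = time.time() if created is None else created
    files = sorted(p for p in backup_dir.rglob("*")
                   if p.is_file() and p.name != MANIFEST_NAME)
    manifest = {
        "created": created,
        "files": {str(p.relative_to(backup_dir)): sha256_file(p) for p in files},
    }
    out = backup_dir / MANIFEST_NAME
    out.write_text(json.dumps(manifest, indent=2))
    return out


def verify_backup(backup_dir: Path, now: Optional[float] = None,
                  max_age_days: float = MAX_BACKUP_AGE_DAYS) -> dict:
    """Report missing or altered files and whether the set is stale."""
    now = time.time() if now is None else now
    manifest = json.loads((backup_dir / MANIFEST_NAME).read_text())
    problems = []
    for rel, expected in manifest["files"].items():
        p = backup_dir / rel
        if not p.exists():
            problems.append(f"missing: {rel}")
        elif sha256_file(p) != expected:
            # overwritten since the manifest was taken, e.g. encrypted in place
            problems.append(f"changed: {rel}")
    age_days = (now - manifest["created"]) / 86400
    stale = age_days > max_age_days
    return {"ok": not problems and not stale, "problems": problems,
            "age_days": age_days, "stale": stale}


def restore_test(backup_dir: Path, rel: str, expected: bytes) -> bool:
    """Prove the backup: restore one file to scratch space and compare it."""
    with tempfile.TemporaryDirectory() as tmp:
        dst = Path(tmp) / Path(rel).name
        dst.write_bytes((backup_dir / rel).read_bytes())
        return dst.read_bytes() == expected


def demo() -> dict:
    """Constructed scenario: a good set, then one file 'encrypted', then a stale set."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        backup.mkdir()
        (backup / "ledger.csv").write_bytes(b"id,amount\n1,100\n")  # constructed
        (backup / "notes.txt").write_bytes(b"quarterly notes\n")    # constructed
        write_manifest(backup)
        fresh = verify_backup(backup)
        restored = restore_test(backup, "ledger.csv", b"id,amount\n1,100\n")
        # ransomware reaching an online backup: file replaced by ciphertext
        (backup / "ledger.csv").write_bytes(os.urandom(32))
        tampered = verify_backup(backup)
        # a manifest from "some time last year" fails the freshness check
        write_manifest(backup, created=time.time() - 400 * 86400)
        stale = verify_backup(backup)
    return {"fresh_ok": fresh["ok"], "restore_ok": restored,
            "tampered_problems": tampered["problems"], "stale": stale["stale"]}


if __name__ == "__main__":
    print(demo())
```

Two caveats a practitioner would add. A hash check proves the files have not changed since the manifest was written, not that the manifest itself is trustworthy: keep the manifest (or at least its own hash) with the offline copy, because malware that can rewrite the backup can rewrite a manifest stored beside it. And nothing here proves the copy is offline; that is a property of where the media sit and who can write to them, which has to be checked separately.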
Last but not least are the workers - the actual employees plus all those contractors, consultants, temps, interns, advisors, maintenance people, implanted
support technicians and others (including the managers and professionals noted above) who collectively run the operation and keep the organization in
business. They too have a vital role in avoiding, preventing, reporting and dealing with ransomware. They need to know that it’s Not A Good Idea to open
unexpected email attachments promising lottery payouts or refunds or tax demands or a million other scams. They need to appreciate that plugging in a
USB stick “to find out whose it is”, or meddling with the antivirus software, or failing to patch their BYOD gizmos, can be career-limiting. And they need
to know that TODAY, now, before it’s too late.
The latest awareness module is intended to:
Introduce and explain ransomware in the context of malware in general;
Expand on the associated information risks including the threats, vulnerabilities and impacts, pointing out the increasing probability and severity of ransomware incidents;
Promote the security controls (both automated and manual) that can prevent, identify, respond to and recover from ransomware attacks;
Educate staff, managers and professionals about ransomware in terms that resonate with them;
Stimulate all workers to think - and most of all act - more securely, thus reducing the risks.
Think about your learning objectives in relation to ransomware. Is ransomware a hot topic for the organization, perhaps as a result of your systems being
hit? How about malware in general: would increasing vigilance and caution among your workforce reduce the risks? Or are you happy to just leave it
unsaid, hoping that workers somehow get the point through extra-sensory means?
Inside the new NoticeBored module
The March module delivers 50 MB of stuff: creative guidance for the security awareness person or team; high-quality awareness poster graphics (JPGs)
plus diagrams in Visio; several seminar slide decks and awareness briefings for employees in general, managers and professionals; a case
study/discussion paper; a newsletter; an extensive hyperlinked glossary; an awareness quiz, puzzle, test and survey; an FAQ; a malware policy template
and a generic job description for a malware analyst; and an Internal Controls Questionnaire (ICQ) to review your malware and ransomware-related information risks and security controls.
That’s just an outline of the literal content. Find out much more about the module including the findings of our research into the ransomware issue and
the thought processes behind the individual items through the NoticeBored blog.
Building a security culture through awareness
A security culture involves everyone in the organization, top to bottom, collectively valuing, protecting and (where appropriate!) exploiting information.
Subscribe to NoticeBored for fresh perspectives on information risk and security within the corporate context. NoticeBored picks up on the strategic,
governance, compliance and business aspects, particularly in the management stream of course but the principles underpin the general staff and
professional streams too. Information is a valuable and yet vulnerable asset that needs to be protected for sound business reasons.