This month’s security awareness topic is ransomware

Introduction and scope

Ransomware is just one of the many forms of malware ... and just one of the ways to compromise computer systems and data intentionally to profit from or simply harm the interests of an organization or individual adversary.  As such, ransomware is a narrow but important issue because the criminals and hackers behind it have found a way to make their fortunes from it.  A substantial proportion of the people and corporations hit by ransomware are evidently willing to pay the hundreds or thousands of dollars demanded to get their systems and data back.  Even those with sensible controls in place to reduce the chances of infection (most notably security awareness!), with sound incident management and recovery arrangements, with suitable recent backups and so forth, even they still pay up sometimes because of the time needed and the costs of recovering under their own steam.

Hence, it’s a growth industry.

For ransomware-infected corporations dealing with an incident, it comes down to a tough business decision by management: taking everything into account, what is the best (or least bad!) option for the organization, the best way out of their predicament?  That alone demonstrates the value of raising management’s awareness of this issue, now, before they are faced with those difficult decisions in the roaring heat and tension of an actual ongoing incident (with the business on hold, the clock ticking and the odd headless chicken flapping about the place) but there’s still more to it.

Managers and assorted professional advisors also need to know about the information risks relating to ransomware and other malware, and how best to treat them.  There are things that can and should be done to reduce both the probability and impacts of ransomware.  Those backups for example: someone has to generate them, test and prove them, and store them safely offline in such a way that a ransomware or other incident doesn’t take them out of commission at the same time.  Trust me, you don’t want to discover that your most recent usable backup was “some time last year, we think” if you are running a business that depends on IT - and who doesn’t these days?  By the way, that goes for the entire supply chain, not just your part of it.  Woe betide you if you are part of the critical national infrastructure, or if your stakeholders get a whiff of problems in this area.
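The backup point above (generate them, test and prove them, and know how old the newest usable one is) is the part of this that can be mechanised. The following is an added illustration, not part of the NoticeBored module or IsecT's own material: it builds a small constructed backup set, records a SHA-256 manifest at backup time, then verifies every file against that manifest and flags the set as stale when it is older than a policy threshold. The manifest file name `MANIFEST.json`, the seven-day freshness threshold and the sample file contents are all assumptions chosen for the example.

```python
"""Backup integrity and freshness check (added example, hypothetical).

Verifies a backup set against the hash manifest taken when the backup was
made, and reports whether the set is too old to count as "recent".  A
manifest stored with the backup (ideally offline, alongside it) lets you
prove a restore point is intact rather than merely present.
"""
import hashlib
import json
import tempfile
import time
from pathlib import Path
from typing import Optional

MANIFEST_NAME = "MANIFEST.json"   # assumption: name used for the hash manifest
MAX_BACKUP_AGE_DAYS = 7           # assumption: policy threshold for "recent"


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def write_manifest(backup_dir: Path) -> Path:
    """Record the hash of every file in the backup set at backup time."""
    files = {
        p.relative_to(backup_dir).as_posix(): sha256_of(p)
        for p in sorted(backup_dir.rglob("*"))
        if p.is_file() and p.name != MANIFEST_NAME
    }
    out = backup_dir / MANIFEST_NAME
    out.write_text(json.dumps({"created": time.time(), "files": files}))
    return out


def verify_backup(backup_dir: Path, now: Optional[float] = None,
                  max_age_days: int = MAX_BACKUP_AGE_DAYS) -> dict:
    """Compare the set with its manifest; report missing/corrupt files and age."""
    now = time.time() if now is None else now
    manifest = json.loads((backup_dir / MANIFEST_NAME).read_text())
    problems = []
    for rel, expected in manifest["files"].items():
        candidate = backup_dir / rel
        if not candidate.exists():
            problems.append(f"missing: {rel}")
        elif sha256_of(candidate) != expected:
            problems.append(f"corrupt: {rel}")
    age_days = (now - manifest["created"]) / 86400
    stale = age_days > max_age_days
    return {"problems": problems, "age_days": age_days,
            "stale": stale, "ok": not problems and not stale}


def demo() -> tuple:
    """Build a constructed backup set, verify it, then damage one file and
    check again; finally re-check with a clock 30 days ahead to show the
    freshness rule firing.  Returns the three reports."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        (backup / "db").mkdir(parents=True)
        # Constructed sample content standing in for real backup files
        (backup / "db" / "orders.sql").write_bytes(
            b"INSERT INTO orders VALUES (1, 'widget');\n")
        (backup / "config.yaml").write_bytes(b"retention_days: 30\n")
        write_manifest(backup)
        good = verify_backup(backup)
        # Overwrite a file in place, as an encrypting process would,
        # so its content no longer matches the recorded hash
        (backup / "db" / "orders.sql").write_bytes(b"\x00" * 32)
        damaged = verify_backup(backup)
        stale = verify_backup(backup, now=time.time() + 30 * 86400)
        return good, damaged, stale


if __name__ == "__main__":
    for label, report in zip(("intact", "damaged", "stale"), demo()):
        print(label, report)
```

Run this as part of the backup job and again on the restore test, not only at backup time: a manifest that matches at creation and fails a month later is exactly the "some time last year, we think" situation the text warns about, and the age check turns that into a reportable number rather than a guess.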

Last but not least are the workers - the actual employees plus all those contractors, consultants, temps, interns, advisors, maintenance people, implanted support technicians and others (including the managers and professionals noted above) who collectively run the operation and keep the organization in business.  They too have a vital role in avoiding, preventing, reporting and dealing with ransomware.  They need to know that it’s Not A Good Idea to open unexpected email attachments promising lottery payouts or refunds or tax demands or a million other scams.  They need to appreciate that plugging in a USB stick “to find out whose it is”, or meddling with the antivirus software, or failing to patch their BYOD gizmos, can be career-limiting.  And they need to know that TODAY, now, before it’s too late.

Learning objectives

The latest awareness module is intended to:

  • Introduce and explain ransomware in the context of malware in general;
  • Expand on the associated information risks including the threats, vulnerabilities and impacts, pointing out the increasing probability and severity of ransomware incidents;
  • Promote the security controls (both automated and manual) that can prevent, identify, respond to and recover from ransomware attacks;
  • Educate staff, managers and professionals about ransomware in terms that resonate with them;
  • Stimulate all workers to think - and most of all act - more securely, thus reducing the risks.

Think about your learning objectives in relation to ransomware.  Is ransomware a hot topic for the organization, perhaps as a result of your systems being hit?  How about malware in general: would increasing vigilance and caution among your workforce reduce the risks?  Or are you happy to just leave it unsaid, hoping that workers somehow get the point through extra-sensory means?

Inside the new NoticeBored module

The March module delivers 50 Mb of stuff: creative guidance for the security awareness person or team; high-quality awareness poster graphics (JPGs) plus diagrams in Visio; several seminar slide decks and awareness briefings for employees in general, managers and professionals; a case study/discussion paper; a newsletter; an extensive hyperlinked glossary; an awareness quiz, puzzle, test and survey; an FAQ; a malware policy template and generic job description for a malware analyst; and an Internal Controls Questionnaire (ICQ) to review your malware and ransomware-related information risks and security controls.

That’s just an outline of the literal content.  Find out much more about the module, including the findings of our research into the ransomware issue and the thought processes behind the individual items, through the NoticeBored blog.

Building a security culture through awareness

A security culture involves everyone in the organization, top to bottom, collectively valuing, protecting and (where appropriate!) exploiting information.

Subscribe to NoticeBored for fresh perspectives on information risk and security within the corporate context.  NoticeBored picks up on the strategic, governance, compliance and business aspects, particularly in the management stream of course, but the principles underpin the general staff and professional streams too.  Information is a valuable and yet vulnerable asset that needs to be protected for sound business reasons.


Copyright © 2017 IsecT Ltd.