This is part 1 of a mini-series that I’m going to do on the things that can protect your organization from ransomware. This is not an exhaustive list; however, if done properly, these measures can seriously reduce the risk of ransomware taking your organization down. At the very least, following these suggestions will reduce the impact that a ransomware infection has on your organization.
Part 1 – Train Your Users
If there’s one thing I’ve learned working here at KnowBe4, it’s what a difference training your users can make. I talk to folks all the time and hear story after story about how trained users made the difference. In my younger years, I probably wouldn’t have believed it; however, having experienced it first-hand, let me tell you, it really does work.
This is not a sales pitch for my company. I want to try to help you understand how to make the time you spend training your users provide the best ROI. If you already have to do annual training for compliance, just putting a little more effort into things and taking it seriously can pay off big for you.
Messaging – Start Right From the Beginning
Messaging plays a huge role in how well your training is accepted, and it is a step that is often neglected completely, or barely considered. Start by understanding that people in general don’t like simply being told to do something “because we say so”. I don’t know if that’s any more prevalent outside of the interaction between IT/security professionals and users, but it frequently rears its head here. When it comes to training your users, you want to avoid an “Us” versus “Them” mentality. We have to change it into an “Us” helping “Them” feeling. While it is easy to get frustrated when users click on things that you know they shouldn’t, you need to have patience. Try to remember that most users don’t live in the tech world we do. They aren’t aware of the threats the way we are, and it’s our job to help them understand this. Users aren’t usually dumb; they often just have skills in domains that we may not, and vice versa.
Consider how a user feels about the training in the following two messaging scenarios:
“Folks, it’s that time of year again when we do the mandatory security awareness training. This is required to be done annually by some of our regulations and contracts. We will meet in the break room at 10am for 1 hour. Anyone not able to make it will need to schedule a follow-up appointment. We will start testing everyone by sending simulated phishing emails at least once a month after that. Again, this is mandatory. Thanks, IT Staff”
“Folks, did you know that 91% of successful data breaches start with a spear-phishing attack? Did you know ransomware and phishing can also hit you at home and potentially cost you all of your important photos and documents? The bad guys don’t care, but we do, so we have some great training that will help protect not only the organization, but you and your family at home as well. This training is online and on-demand and should take about an hour, so you can watch it at your leisure when you have some spare time. Training does need to be completed in the next 30 days; after that we will be sending some simulated phishing emails at least once a month to help you exercise what the training teaches you. Let us know if you have any questions and happy learning! Thanks, IT Staff”
Do you see how the messaging in one scenario is positive and helpful while the other sounds like it’s just something you have to get through until next year? Also, the phishing sounds like a test in the first scenario (lots of people are scared of tests), whereas the second scenario frames it as an opportunity to exercise these skills (much less intimidating). Keep this in mind when crafting your messaging, even when it comes to initially getting approval from management and HR.
Leadership Buy-In – Facts Without FUD
From the beginning, when you are going to run a training program like this, you need to have some people on board. Your executives need to understand the value of what you’re doing, the HR department needs to be on board with it, and any other senior leaders need to understand its importance.
FUD stands for Fear, Uncertainty and Doubt. While it can force people to make decisions, it can backfire in big ways, tarnishing your reputation and making future proposals more difficult. It is better to present the facts and the risk without wrapping things in emotional phrases or positioning designed to scare. Let your leadership know that they are targets for things like CEO fraud, W2 fraud, and ransomware. Show real examples of how these things have impacted an organization, but don’t embellish. Sometimes you have to start by simply educating them with articles about recent breaches or other examples that may resonate with them. This may take a little while, but changing this culture from the top will reap huge rewards further down the line.
As I said above, when you communicate with the HR department your focus needs to always be on how you are teaching people to be safe. This isn’t about “getting” people or being tricky; it’s about preparing them for the attacks that are happening in the real world and protecting the organization. Invite them to review the simulated phishing emails before they go out and make them feel like they are part of the program, not just standing by. Sometimes they will want to stay involved, and sometimes they will bow out once they feel comfortable with what is going on. Either way, it will put them at ease.
Training Needs To Be Relevant – Ditch the Tech-ese
When you train people, it needs to be engaging. Users need to come away feeling that they understand the topic, and they need a few key points to help them retain the information. Sadly, we as technical people tend to get overly technical in our explanations. Remember, the marketing staff doesn’t care about C2 communication channels or the specifics of malware delivery. If you want their eyes to glaze over, that’s a quick way to do it.
My first suggestion is to subscribe to a third-party service to supply the training. Frankly, it is difficult to get the same kind of return on the training investment doing it yourself. Third parties collect feedback about the training and improve it, as well as staying on top of the current threats. In addition, the final product looks professional and saves a lot of your time preparing and tracking the training. After working here at KnowBe4 and seeing the results and the low price, I can’t imagine ever doing it myself again. Seriously.
If you like pain, you can do it yourself. 😀 If you are going to go this route, I strongly urge you to involve HR and Marketing in the design of the course. They can help keep you on track if you are getting too techie. You will also want a way to track who has completed the training, and be ready to send follow-up emails as needed. I also can’t stress this enough… if you can do it online and on-demand, you will get much better results. You do need to make sure it is interactive so they can’t just let it run in the background while they go to lunch.
Next up: Part 2 – Have Weapons-Grade Backups
This will cover things you can do to help ensure that you can recover from a ransomware attack, and common pitfalls to avoid.
Erich Kron is the Security Awareness Advocate at KnowBe4, and has over 20 years’ experience in the medical, aerospace manufacturing and defense fields. He is the former security manager for the US Army 2nd Regional Cyber Center-Western Hemisphere.