Ransomware attacks have quickly become the most talked-about subject in the technology industry. They come in many different forms and can wreak havoc on businesses of any size. Much like medical viruses that evolve to become immune to medicine, ransomware continuously develops, defeating some of the most stringent security measures out there.
So, what’s a business to do? Firewalls, antivirus software and backups should all be integral parts of your security strategy, but you should also be aware that your business’ biggest vulnerability is simultaneously its best defense against preventing ransomware: your own employees.
Why employees are a risk
All it takes for your entire network to become infected with ransomware is an employee opening an infected attachment. This type of mistake is easier to make than you may think, as obvious spam emails have given way to ransomware that can spoof legitimate email addresses and use relevant subject lines.
This isn’t the only way ransomware gets into a network, although it is the most common. At MyITpros, we’ve seen employees fall victim to phishing scams that involved receiving phone calls from “security officials” asking for confidential information. Hackers may also hijack visitors from legitimate websites where software or applications are available for download, or deploy viruses through mobile app downloads.
Most users are unaware of the scope of ways that hackers can infect devices. With this in mind, you can drastically reduce your risk by dedicating time and resources toward putting together effective staff training.
Turn your employees into your defense
At a lot of companies, employee education consists of little more than disseminating an internet safety handout or making a quick presentation. Users quickly lose this knowledge, which means your employees will ultimately remain unaware of the variety of dangers out there. Successful employee education is not a one-and-done endeavor, and repetition is the key to making sure your employees retain important security information.
To turn your workforce into a powerful defense against ransomware, hold regular employee training sessions on:
- How to spot phishing emails or other signs of ransomware infection
- The proper protocol for dealing with an infection
- Internet best practices (e.g. not sending sensitive information through unsecured texts and emails, being mindful of work programs or personal device-based communications outside the company’s network protection, not installing unauthorized or unapproved software and applications, and more)
Supplement trainings with hands-on activities, such as deploying a security testing tool that releases a fake phishing email to employees. Track who engages with the email and “infects” the network, and follow up by highlighting the best practices that could have prevented employees from falling for the “scam.” At MyITpros, we’ve done this within our own organization using KnowBe4. Companies like KnowBe4 also offer on-site training seminars, ransomware simulators and other tools for testing your staff.
What’s more, your company should have an established document detailing your IT policies and procedures that is readily available to employees. You can publicize the existence of this document and post awareness signs related to ransomware at workstations in the office to maximize visibility. Of course, standard protection measures such as regular backups, up-to-date patching and antivirus program implementation remain paramount, but educating your employees will increase the efficacy of these measures.
That said, not all businesses have the bandwidth to deploy the measures outlined above by themselves. If that sounds like you, speak to your local managed services provider about its security services offerings. Oftentimes, working with an MSP is the most cost-effective and reliable method of maintaining up-to-date security, as the MSP’s fixed monthly cost will be just a fraction of what an actual data breach would cost your business.