By Scott M. McAuliffe, CPA, CISA, CFE, Partner, Risk Advisory Services
Educating employees on recognizing and counteracting cyber threats
We know that most ransomware incidents start with attacks aimed at end users, and best-in-class security tools cannot stop all attacks. Consequently, end users are a critical line of defense for attacks that penetrate perimeter defenses. As a result, it is important for companies to train their employees to identify cyber threats and respond appropriately.
However, as noted in Verizon’s 2022 Data Breach Investigation Report, a whopping 35% of ransom incidents are the result of phishing. This percentage is unchanged over the past five years, illustrating that companies are struggling to sufficiently educate their employees.
Employee cybersecurity training
In our experience, most companies today have information security policies and provide security awareness training to employees at the time of hire. However, that is often where companies stop with employee education. To promote a behavior of cyber diligence/skepticism, companies need to continually educate their employees on the importance of being vigilant when opening emails, clicking on links, and entering password information.
Companies should also avoid one-size-fits-all training. Instead, training should be tailored to each employee’s job responsibilities. Certain employees, such as IT staff, may need more in-depth and more frequent training because of the elevated access they are often granted. Additionally, companies should run periodic phishing campaigns to test employees’ ability to identify potential threats. Employees who fall for a phishing campaign should receive additional security awareness training.
Since email is a primary vector for cyberattacks, including ransomware, companies can help their employees ward off threat actors by implementing certain email protection controls, including:
Email systems can be configured to block or allow files based on file extension, preventing threat actors from delivering executables and similar file types directly to employees by email. We recommend enabling the common attachment type filter in the email system. The filter automatically quarantines messages that contain the specified attachment types, blocking delivery to the recipient’s inbox.
In addition to the common attachment type filter, we recommend:
- Blocking all file types that are not required for business purposes,
- Blocking macro-enabled Office documents, including .docm, .xlsm, and .pptm, as these can be used to execute arbitrary code and download ransomware from the internet, and
- Blocking all zip files. Password-protected (encrypted) zip archives cannot be effectively scanned and are released to the recipient without warning. Encrypted zip files are often used to hide malware, including ransomware, from scanners.
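The attachment filter described above, written out as an added example (it is not code from the article or from Keiter): a verdict function that quarantines by extension, catches an executable renamed to look like a document by checking its first bytes, and treats zip archives the way the list recommends. The block list, the `archive_policy="inspect"` relaxation and the `make_zip` helper that builds sample archives are assumptions for this example; the inspect mode goes beyond the article for organizations that cannot block archives outright and shows why an encrypted entry must never be released silently.

```python
import io
import zipfile
from pathlib import PurePosixPath
from typing import Dict, Tuple

# Constructed block list: executables/scripts plus macro-enabled Office formats.
BLOCKED_EXTENSIONS = {
    ".exe", ".dll", ".scr", ".bat", ".cmd", ".ps1", ".js", ".vbs", ".hta",
    ".msi", ".iso", ".lnk",
    ".docm", ".xlsm", ".pptm", ".dotm", ".xlam", ".potm",
}
ARCHIVE_EXTENSIONS = {".zip"}
PE_MAGIC = b"MZ"  # header of a Windows executable, whatever the file is named


def attachment_verdict(filename: str, data: bytes,
                       archive_policy: str = "block") -> Tuple[str, str]:
    """Return ("quarantine" | "deliver", reason) for one attachment.

    archive_policy="block" follows the article (no zip files at all).
    "inspect" is an assumed relaxation: a zip is delivered only when every
    entry can be read and itself passes the same filter.
    """
    ext = PurePosixPath(filename.lower()).suffix
    if ext in BLOCKED_EXTENSIONS:
        return "quarantine", f"blocked extension {ext}"
    # A renamed executable still starts with MZ: check content, not just the name.
    if data[:2] == PE_MAGIC:
        return "quarantine", f"executable content behind extension {ext or '(none)'}"
    if ext in ARCHIVE_EXTENSIONS:
        if archive_policy == "block":
            return "quarantine", "archives are not permitted"
        return zip_verdict(data)
    return "deliver", "permitted type"


def zip_verdict(data: bytes) -> Tuple[str, str]:
    """Inspect a zip: refuse encrypted entries, nested archives and blocked types."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                # Bit 0 of the general-purpose flag marks an encrypted entry.
                # A scanner cannot look inside it, so never release it silently.
                if info.flag_bits & 0x01:
                    return "quarantine", f"encrypted entry {info.filename}"
                inner = PurePosixPath(info.filename.lower()).suffix
                if inner in BLOCKED_EXTENSIONS:
                    return "quarantine", f"archive contains {info.filename}"
                if inner in ARCHIVE_EXTENSIONS:
                    return "quarantine", f"nested archive {info.filename}"
                if zf.read(info)[:2] == PE_MAGIC:
                    return "quarantine", f"executable content in {info.filename}"
    except zipfile.BadZipFile:
        return "quarantine", "malformed archive"
    return "deliver", "archive inspected, all entries permitted"


def make_zip(entries: Dict[str, bytes], mark_encrypted: bool = False) -> bytes:
    """Build a constructed sample archive for exercising the filter.

    With mark_encrypted=True the 'encrypted' bit is set in every
    central-directory entry, so the archive looks password-protected to a
    scanner even though the contents are left in the clear.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    data = bytearray(buf.getvalue())
    if mark_encrypted:
        pos = data.find(b"PK\x01\x02")          # central directory header
        while pos != -1:
            data[pos + 8] |= 0x01                # general-purpose flag, bit 0
            pos = data.find(b"PK\x01\x02", pos + 1)
    return bytes(data)


if __name__ == "__main__":
    samples = [
        ("report.pdf", b"%PDF-1.7 constructed sample", "block"),
        ("invoice.docm", b"PK\x03\x04", "block"),
        ("scan.pdf", b"MZ\x90\x00 constructed, not a real binary", "block"),
        ("files.zip", make_zip({"notes.txt": b"hello"}), "block"),
        ("files.zip", make_zip({"order.xlsm": b"PK"}), "inspect"),
        ("files.zip", make_zip({"notes.txt": b"hello"}, mark_encrypted=True), "inspect"),
    ]
    for name, payload, policy in samples:
        print(name, policy, attachment_verdict(name, payload, policy))
```

The reason string is meant for the quarantine notice: an administrator reviewing held mail can tell a blocked macro document from an encrypted archive without opening either.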
Sandboxing is a type of security service that automatically and safely opens email attachments away from your company network and computers. The service observes the behavior of the attachment in a safe environment to determine if it opens normally or exhibits behavior indicative of malware. If it does not open normally, the sandboxing service blocks the attachment. These services are critical because ransomware frequently evades traditional malware scanning techniques but is more easily identified when opened and its behavior observed. We recommend utilizing a sandboxing service to protect against unknown malware and viruses and provide zero-day protection to safeguard your emails.
Link checking services rewrite all links in inbound emails so that, when a user clicks a link, the request briefly passes through a security service where the destination URL is checked against a list of known malicious websites and scanned for malware. These services can stop an employee who clicks a malicious link from reaching the malicious website, potentially preventing a ransomware download or a phishing scam that could lead to ransomware or other cyber-attacks.
Email-based geo-blocking rejects inbound email originating from regions the organization elects to block, which further reduces the malware that can reach a user’s inbox. We recommend utilizing the “Anti-Spam inbound policy” and setting up the “International Spam – regions” setting.
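The link-rewriting flow, as an added example that is not code from the article or from any product it refers to: at delivery time every absolute `href` is pointed at a gateway URL that carries the original destination, and at click time the gateway recovers the destination, verifies an HMAC so the redirector cannot be abused to launder arbitrary URLs, and consults a denylist. The gateway host `linkcheck.example.com`, the signing key and the denylist entries are constructed for this example. Because the check happens when the user clicks rather than when the mail arrived, a site added to the list after delivery is still blocked.

```python
import base64
import hashlib
import hmac
import html
import re
from typing import List, Set, Tuple
from urllib.parse import parse_qs, urlparse

# Constructed values: the gateway endpoint, its signing key and a tiny denylist.
GATEWAY = "https://linkcheck.example.com/click"
SIGNING_KEY = b"constructed-demo-key-replace-and-rotate"
KNOWN_BAD_HOSTS = {"login-verify-example.test", "invoice-update.example"}

HREF_RE = re.compile(r'href="(https?://[^"]+)"', re.IGNORECASE)


def encode_token(url: str) -> str:
    return base64.urlsafe_b64encode(url.encode()).decode().rstrip("=")


def decode_token(token: str) -> str:
    return base64.urlsafe_b64decode(token + "=" * (-len(token) % 4)).decode()


def sign_url(url: str) -> str:
    """HMAC over the original URL so the gateway is not an open redirector."""
    digest = hmac.new(SIGNING_KEY, url.encode(), hashlib.sha256).digest()[:16]
    return base64.urlsafe_b64encode(digest).decode().rstrip("=")


def wrap_url(url: str) -> str:
    return f"{GATEWAY}?u={encode_token(url)}&s={sign_url(url)}"


def rewrite_links(message_html: str) -> str:
    """Delivery time: point every absolute href in the message at the gateway."""
    def repl(match: "re.Match") -> str:
        original = html.unescape(match.group(1))
        return f'href="{html.escape(wrap_url(original), quote=True)}"'
    return HREF_RE.sub(repl, message_html)


def extract_links(message_html: str) -> List[str]:
    """Return the unescaped href targets found in a message."""
    return [html.unescape(h) for h in HREF_RE.findall(message_html)]


def click_verdict(clicked_url: str,
                  denylist: Set[str] = KNOWN_BAD_HOSTS) -> Tuple[str, str]:
    """Click time: recover the destination, verify the signature, consult the list."""
    params = parse_qs(urlparse(clicked_url).query)
    try:
        original = decode_token(params["u"][0])
        tag = params["s"][0]
    except (KeyError, IndexError, ValueError, UnicodeDecodeError):
        return "block", "malformed gateway link"
    if not hmac.compare_digest(tag, sign_url(original)):
        return "block", "signature mismatch: link was not issued by this gateway"
    host = (urlparse(original).hostname or "").lower()
    if host in denylist:
        return "block", f"{host} is on the known-malicious list"
    # A real gateway would also scan the destination page here; this example
    # stops at the list lookup.
    return "allow", original


if __name__ == "__main__":
    # Constructed sample message with one bad link and one internal link.
    sample = ('<p>Please <a href="https://login-verify-example.test/reset?id=1&amp;x=2">'
              'confirm</a> and read <a href="https://intranet.example.com/policy">'
              'the policy</a>.</p>')
    delivered = rewrite_links(sample)
    for link in extract_links(delivered):
        print(click_verdict(link))
```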
Email Signing and Authentication
Domain-based Message Authentication, Reporting & Conformance (DMARC) uses a Domain Name System (DNS) entry to provide additional assurances around the authenticity of a sender that go beyond the benefits of Sender Policy Framework (SPF). We recommend implementing DMARC in the email DNS records. It is free to implement and is typically a straightforward process.
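A check for the DMARC record itself, added here as an example (not code from the article or from Keiter): it parses the `tag=value` syntax of the TXT record published at `_dmarc.<domain>` and rates whether the policy actually enforces anything. The rating names and the sample records are constructed; the function takes the record string directly rather than performing the DNS lookup. It makes the point that a record with `p=none` is a reporting-only deployment, and that `pct` below 100 or `sp=none` leaves part of the mail stream or the subdomains unprotected.

```python
from typing import Dict, List, Optional, Tuple

VALID_POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split a DMARC TXT record into its tag=value pairs (tag names lower-cased)."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: Optional[str]) -> Tuple[str, List[str]]:
    """Rate a published record as "none", "monitor", "partial" or "enforced".

    The record is the TXT value at _dmarc.<domain>; pass None when the lookup
    returned nothing. Findings explain what still needs attention.
    """
    if not record:
        return "none", ["no DMARC record published"]
    tags = parse_dmarc(record)
    if not record.lstrip().lower().startswith("v=dmarc1") or tags.get("v") != "DMARC1":
        return "none", ["record must begin with v=DMARC1"]
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        return "none", [f"missing or invalid p= tag: {policy!r}"]

    findings: List[str] = []
    try:
        pct = int(tags.get("pct", "100"))   # pct defaults to 100 when absent
    except ValueError:
        pct = 0
        findings.append(f"pct={tags['pct']!r} is not a number")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports will not be received")
    sub_policy = tags.get("sp", policy).lower()  # sp defaults to p
    if policy != "none" and sub_policy == "none":
        findings.append("sp=none leaves subdomains unprotected")

    if policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
        return "monitor", findings
    if pct < 100:
        findings.append(f"pct={pct}: policy applies to only part of the mail stream")
        return "partial", findings
    return "enforced", findings


if __name__ == "__main__":
    # Constructed sample records at increasing levels of protection.
    for sample in (
        None,
        "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
        "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@example.com",
        "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
    ):
        print(sample, "->", assess_dmarc(sample))
```

Moving from `p=none` to `p=quarantine` and then `p=reject` is the usual rollout, and the `rua` address is what tells you which legitimate senders still fail alignment before the policy is tightened.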
When making changes to your email environment, companies should recognize that:
- Most effective security layers will impact the end user
- End users often advocate for technology choices which, if implemented, materially decrease the security of a network
- New security requirements that are met with complaints and confrontation are likely to discourage IT security staff from continuously improving security
- Despite extensive testing, there can be temporary ‘breakage’ when deploying new security tools and settings
To mitigate the above, we recommend extensive communication before, during, and after new security procedures, tools, and settings are deployed so users are aware of potential interruption and have a means to communicate issues they encounter.
Companies that pair robust employee education with strong email protection controls can go a long way toward preventing an employee from clicking the wrong link or opening the wrong document, the kind of mistake that results in a ransom event and causes major headaches for all involved.
To assist companies with assessing their ransomware risk, Keiter Technologies has developed a Ransomware Risk Assessment program that provides insights into the key areas of corporate cyber security that directly relate to ransomware. Contact us to learn how we can help your business mitigate cybersecurity risks.
The information contained within this article is provided for informational purposes only and is current as of the date published. Online readers are advised not to act upon this information without seeking the service of a professional accountant, as this article is not a substitute for obtaining accounting, tax, or financial advice from a professional accountant.