Ransomware

Ransomware: Don’t be “That Employee” 

Share with your network!

What makes ransomware so pernicious is that instead of network weak points, it often targets human weak points. Recognizing this, The Washington Post recently spoke with Proofpoint’s EVP of Cybersecurity Strategy, Ryan Kalember, about the critical role employees can play in avoiding ransomware attacks at work. Kalember offered his insights about how a ransomware attack succeeds, whom it targets, why it’s so devastating, and what can be done about it.  

How it Works 

Ransomware usually starts as a customized email sent to a specific target at a company. Often, the email references certain interests or beliefs that an employee may hold as identified by social media research prior to the attack. Because people like to read about themselves or hear from like-minded folks, this invariably increases an email’s “open rate” and potential damage. But the emails don’t target people at random.  

From The Washington Post: “Depending on their roles, some employees find their inboxes flooded with hundreds of phishing emails designed to steal the recipient’s credentials,” says Kalember. Proofpoint has historically linked ransomware attempts aimed at employees with titles like Accounts Payable, CFO, and even Compliance Officer. If someone has access to privileged information, they will be targeted—sooner or later. 

I Messed Up, What Now?  

Let’s say you’re an employee sitting in a cube or your home office, cursing yourself because you just gave credentials to someone impersonating your CEO. Or maybe you got tricked into clicking a very sketchy link that may or may not unleash future harm upon the organization. Should you just pretend it didn’t happen and hope they don’t find you are the one to blame? The quick answer is no. 

“That is often the first reaction, and it is not ideal,” Kalember says. “When you fall for something, the attacker still has some window of time where they have to figure out what they’ve just got and whether it’s even worth taking advantage of.” 

This gap between your mistake and bad guys determining how to capitalize on it is what the industry calls “dwell time,” which can make or break an attack. Kalember says the most important thing you can do during this interlude is to inform IT what just happened. This can not only help the company mitigate the damage but can also protect you as well. A prompt report of your encounter with a phishing email can also help put distance between the actual incident and future malicious activity emanating from your accounts. 

How Not to be “That Employee” 

Many workers understandably ask: “How is this my problem?” Ideally it shouldn’t be. Kalember maintains that it should be the company’s responsibility to filter out malicious emails, but that would be in an ideal world. Until that goal is achieved, employees must share in the defense of their organization. The Washington Post suggests how organizations can reduce the likelihood of someone becoming “that employee” responsible for outside intrusion.

  1. Train employees to spot phishing attempts. This doesn’t mean lecturing them or walking thru a PowerPoint deck. It means hands-on, interactive training with regular drills. The longer employees go without training / retraining, the worse they perform with spotting phishing attacks. Methods are always evolving, and so should the training curriculum. It should also be mandatory for every employee who touches the internet. 
  2. Authenticate your corporate email domain. This blocks fraudsters from delivering messages from fake or lookalike domains. Check with your email service provider, like Microsoft Outlook or Google Mail, on how to begin. 
  3. Clarify what employees should do if they click a suspicious link or attachment. If employees aren’t sure how to report something, they won’t. Kalember recommends automated reporting, which lets employees report malicious email with the click of a button.  
  4. Leave room for human error. Mistakes happen, so consider anti-phishing technology like remote browsers, in which URLs open in a special environment in the cloud. No matter what the URL contains, it can’t compromise the employee or their employer. 
  5. Conduct ongoing security testing. Software vulnerabilities are another way intruders gain entry. Your company’s IT team—or a third party—should be actively looking for threats on your network. 

 

For more on Proofpoint’s Advanced Threat Protection, visit: 

https://www.proofpoint.com/us/products/advanced-threat-protection  

For more on Proofpoint’s Targeted Attack Protection, visit: 

https://www.proofpoint.com/us/products/advanced-threat-protection/targeted-attack-protection  

To learn more about Proofpoint’s ransomware research, visit: 

https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware