Crypto-ransomware – malware that extorts money from victims by encrypting their files and systems until they pay a ransom – has been much in the news since WannaCry hobbled IT systems around the world last month.
While much was made of the fact that WannaCry spread through networks by exploiting SMBv1 vulnerabilities in unsupported Windows systems such as Windows XP, Windows 8 and Windows Server 2003 (a claim recently refuted by Kryptos Research, whose analysis found that Windows XP is actually so antiquated that it simply crashes when the payload attempts to execute), it is actually unusual for ransomware to self-replicate in the way WannaCry did.
More often than not, ransomware – in common with most other forms of malware – is spread by drive-by downloads or phishing campaigns, both of which exploit human error.
So, even if you use robust antivirus and anti-malware solutions, conduct regular penetration tests, and ensure you keep your systems up to date and install the latest patches, your system could still be compromised thanks to a careless employee.
The phishing and ransomware threat
Research published by Beaming in March 2017 found that 2.9 million British companies were hit by some sort of cyber crime in 2016, at a total cost of £29.1 billion. Phishing was the most prevalent type of attack, affecting nearly 1.3 million businesses at a cumulative cost of almost £6 billion. Other forms of social engineering accounted for a further £5.3 billion of losses.
According to a 2016 report by SentinelOne, 39% of organisations in the UK were hit by ransomware in the previous year. 72% of those infections were attributable to phishing, and 38% to drive-by downloads from compromised websites. (There is obviously an overlap between the two.)
‘Patching the human’
People are frequently acknowledged as the weakest link in any security system, but with better levels of staff knowledge companies are more secure – you can, in effect, ‘patch’ your employees. This is why a best-practice approach to information security – such as an ISO 27001-compliant ISMS (information security management system) – follows a holistic approach that addresses people as well as processes and technology.
Phishing and ransomware human patch e-learning course
To help organisations better protect themselves, IT Governance has developed a ten-minute course that teaches the basics of avoiding falling victim to phishing attacks and ransomware.
By equipping your staff with an understanding of phishing and ransomware attacks and how to prevent them, you can significantly reduce the risk of your organisation falling victim.
Having completed the course, staff will be able to:
- Explain what phishing is.
- Outline the consequences of a phishing attack.
- Describe ransomware and crypto-ransomware.
- Identify how to avoid falling victim to phishing attacks and ransomware.
- List the steps to take if they think they’ve been compromised.