Aug 19, 2016 Combatting Ransomware as a Service (RaaS): Education Is Your Best Friend
Earlier this week I wrote about steps that infosec managers can take to protect enterprise organizations against ransomware. Today, I’d like to focus on the third of those steps: Employee education.
A reminder: Ransomware isn’t a trivial problem. A study by Kaspersky Labs found that 42% of small to midsized businesses were hit in 2016 (and the year’s far from over yet). And the 2016 midyear Cybersecurity Report from Cisco warns that larger firms will soon be seeing a spate of network-based attacks. Why? Because it works. The simplest and easiest escape is to pay up, and as a result, ransomware is reportedly the most profitable of all malware schemes.
Two key reasons for this: the economic model and technology. As with many cyberthreats, ransomware development and delivery has moved to a specialized service model. Thanks to cloud-based ransomware “platform as a service” models from organizations like Cerber, developers can easily craft new ransomware attacks, and earn a huge cut (estimated at around 30%) of their financial takes. That can translate into over a million dollars a year for a successful attack–not bad for a hacker with fewer ethics than skills.
To protect against these ransomware as a service (RaaS)-based attacks, enterprise infosec organizations need to redouble their education efforts. Although, as one of our CISOs points out, “you can’t fix stupid”, you CAN fix ignorant. Start by letting folks know what ransomware is and how to detect it. Make sure your employees internalize the need to avoid personalized phishing emails, to avoid using consumer applications (such as Pokémon Go) on corporate devices, and the like. If you don’t have a training program in place, get one. And if it doesn’t include a module on ransomware–add one!