Ransomware attacks are certainly on the rise, and they are expected to continue to be a top threat for security teams. With phishing being a frequent attack vector leading to ransomware, it’s important that employees are trained to recognize and report phishing emails, but a more extensive program is needed to address the threat of ransomware. This piece explains how a program that includes policy, technology, training, exercises and third-party validation can be an effective defense against both phishing and ransomware.
Informational training alone is not enough to prepare the workforce to properly handle phishing attempts, so ethical phishing exercises that simulate actual phishing attacks help supplement training in most organizations. However, even those exercises are only a point-in-time indication of how an employee may respond to a particular type of phish. Cybersecurity and IT teams must fully understand the risks to the organization should any user fall victim to a phishing attack at any time.
A successful cybersecurity program, complete with good policy, technology, training, exercises, and third-party validation, is required. Even issue-specific topics such as ransomware require all these elements.
1. Focus on Policy
Two key policy areas in particular can help shore up your phishing and ransomware defenses:
2. Add Technology
Organizations should not depend on training or the human element (user) to defend against all phishing attacks. Instead, they should combine such training with technology, such as a secure email gateway that monitors emails (both being sent and received).
This has many benefits, but when it comes to phishing, a secure email gateway can quickly identify and quarantine messages with malicious links or attachments, which helps stop the spread and significantly minimizes impact.
3. Ensure Training Is Comprehensive
Training is always going to be an important part of protecting an organization from phishing and ransomware attacks. The best training not only details how to identify a phish, but also provides explicit, detailed instructions on how to report a suspected phish and what to do if someone believes they have fallen victim. Many people do not know what to do once an attack has been successful. The delay between clicking on a phishing link, wondering what to do about it and finally reporting it costs cybersecurity teams valuable time they need to contain and remediate the attack.
4. Conduct Regular Exercises
Several types of exercises can help ensure an organization is prepared for a phishing or ransomware attack. These include:
5. Validate via a Third Party
In addition to internal phishing campaigns and penetration testing, organizations should have independent third-party partners run these same exercises externally. This is a great way to validate internal campaign results and identify gaps. External penetration testing can also be extended to conduct privileged access tests, where the pen tester is given a set of valid credentials and works to identify what lateral movements can be made.
The details listed in each step above are by no means comprehensive, but they provide a starting point to show that phishing campaigns should be extended to more than running exercises and tracking click rates. To protect against and properly respond to ransomware attacks, organizations must have the necessary training, policy and technology in place and then fully understand what an adversary can do after a successful phish occurs.
Other best practices for preventing and recovering from a ransomware attack include:
The number of phishing and ransomware attacks continues to rise, and companies cannot depend on ethical phishing campaigns alone to protect the organization. Phishing campaigns should be extended to include actions before, during and after the exercises.
To better prepare your organization:
September 26, 2023
By IANS Faculty