Ransomware attacks are on the rise and are expected to remain a top threat for security teams. Because phishing is one of the most common initial access vectors for ransomware, it is important that employees are trained to recognize and report phishing emails, but a more extensive program is needed to address the ransomware threat as a whole. This piece explains how a program that combines policy, technology, training, exercises and third-party validation can be an effective defense against both phishing and ransomware.
Informational training alone does not prepare the workforce to handle phishing attempts, so most organizations supplement it with ethical phishing exercises that simulate real phishing attacks. Even those exercises, however, are only a point-in-time measure of how an employee responds to one particular type of phish. Cybersecurity and IT teams must therefore understand the risk to the organization if any user falls victim to a phishing attack at any time, regardless of the latest click rate.
Phishing and ransomware are issue-specific topics, but defending against them requires every element of a successful cybersecurity program: sound policy, technology, training, exercises and third-party validation.
1. Focus on Policy
Two key policy areas in particular can help shore up your phishing and ransomware defenses:
2. Add Technology
Organizations should not depend on training, or on the user, to stop every phishing attack. Training should be combined with technology such as a secure email gateway that inspects both inbound and outbound mail. A gateway has many benefits, but for phishing specifically it can identify and quarantine messages carrying malicious links or attachments before they reach a mailbox, which stops the message from spreading and significantly reduces the impact of a campaign.
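To make the gateway's role concrete, the following is an added example (not IANS code and not any specific product's logic) of the kind of checks a secure email gateway applies before deciding to quarantine a message: link domains compared against a blocklist, HTML anchors whose visible text points at one host while the href points at another, and attachments with executable or macro-enabled types. The blocklist, the risky-attachment lists and the three sample messages are all constructed for this demo; a real gateway would draw its indicators from threat-intelligence feeds and sandbox detonation rather than static lists.

```python
"""Illustrative secure-email-gateway checks (added example, not IANS code)."""
import email
import re
from email import policy
from email.message import EmailMessage
from urllib.parse import urlparse

# Assumed indicators; a real gateway would source these from threat-intel feeds.
BLOCKED_DOMAINS = {"evil.example", "login-verify.example"}
RISKY_EXTENSIONS = {".exe", ".js", ".vbs", ".scr", ".hta", ".iso", ".lnk"}
RISKY_MACRO_TYPES = {
    "application/vnd.ms-excel.sheet.macroenabled.12",
    "application/vnd.ms-word.document.macroenabled.12",
}

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
HREF_RE = re.compile(r'<a[^>]+href="([^"]+)"[^>]*>(.*?)</a>', re.IGNORECASE | re.DOTALL)


def registrable_domain(host: str) -> str:
    """Crude grouping on the last two labels (assumption; real code uses the PSL)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def analyze(raw: bytes) -> dict:
    """Return a quarantine decision and the reasons for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        body = part.get_content()
        # Check 1: any link whose domain is on the blocklist.
        for url in URL_RE.findall(body):
            host = urlparse(url).hostname or ""
            if registrable_domain(host) in BLOCKED_DOMAINS:
                reasons.append(f"blocked link domain: {host}")
        # Check 2: HTML anchor whose displayed URL differs from its real target.
        if part.get_content_type() == "text/html":
            for href, label in HREF_RE.findall(body):
                shown = URL_RE.search(label)
                if shown and registrable_domain(urlparse(href).hostname or "") != \
                        registrable_domain(urlparse(shown.group()).hostname or ""):
                    reasons.append(f"link text/href mismatch: {shown.group()} -> {href}")
    # Check 3: executable or macro-enabled attachments.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ext = name[name.rfind("."):] if "." in name else ""
        if ext in RISKY_EXTENSIONS or part.get_content_type() in RISKY_MACRO_TYPES:
            reasons.append(f"risky attachment: {name or part.get_content_type()}")
    return {"subject": msg["subject"], "quarantine": bool(reasons), "reasons": reasons}


def build_sample(subject, text, html=None, attachment=None) -> bytes:
    """Build a constructed sample message (not real mail) as raw bytes."""
    m = EmailMessage()
    m["From"] = "sender@mail.example"
    m["To"] = "user@corp.example"
    m["Subject"] = subject
    m.set_content(text)
    if html:
        m.add_alternative(html, subtype="html")
    if attachment:
        name, ctype, data = attachment
        maintype, subtype = ctype.split("/", 1)
        m.add_attachment(data, maintype=maintype, subtype=subtype, filename=name)
    return m.as_bytes()


def scan_samples() -> list[dict]:
    """Run the checks over three constructed messages: a phish, a benign mail, a macro lure."""
    samples = [
        build_sample(
            "Password expires today",
            "Reset now: https://login-verify.example/reset",
            html='<p>Reset now: <a href="https://login-verify.example/reset">'
                 "https://sso.corp.example/reset</a></p>",
        ),
        build_sample("Weekly newsletter", "This week's news: https://www.corp.example/news"),
        build_sample(
            "Invoice attached",
            "Please open the attached invoice.",
            attachment=("invoice.xlsm", "application/vnd.ms-excel.sheet.macroEnabled.12", b"PK\x03\x04"),
        ),
    ]
    return [analyze(raw) for raw in samples]


if __name__ == "__main__":
    for result in scan_samples():
        print(result)
```

Only the first and third messages are quarantined; the newsletter passes. The href/display-text mismatch check is worth keeping even when no blocklist hit fires, because a freshly registered lure domain is unlikely to be on any list yet, while the mismatch itself is a durable signal.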
3. Ensure Training Is Comprehensive
Training will always be an important part of protecting an organization from phishing and ransomware. The best training not only explains how to identify a phish but also gives explicit, step-by-step instructions on how to report a suspected phish and what to do if someone believes they have already fallen victim. Many people do not know what to do once an attack has succeeded. The delay between clicking a phishing link, wondering what to do about it and finally reporting it costs the cybersecurity team valuable time it needs to contain and remediate the attack.
4. Conduct Regular Exercises
Several types of exercises can help ensure an organization is prepared for a phishing or ransomware attack. These include:
5. Validate via a Third Party
In addition to internal phishing campaigns and penetration testing, organizations should have an independent third party run the same exercises externally. This validates internal campaign results and surfaces gaps the internal team may be blind to. External penetration testing can also be extended to privileged access tests, in which the tester is given a set of valid credentials and works to identify what lateral movement is possible from that foothold, which is exactly the position an attacker is in after a successful phish.
The details listed in each step above are by no means comprehensive, but they show that a phishing program should extend beyond running exercises and tracking click rates. To protect against and properly respond to ransomware, organizations must have the necessary training, policy and technology in place and then fully understand what an adversary can do once a phish succeeds.
Other best practices for preventing and recovering from a ransomware attack include:
The number of phishing and ransomware attacks continues to rise, and companies cannot depend on ethical phishing campaigns alone to protect the organization. Phishing campaigns should be extended to include actions before, during and after each exercise. To better prepare your organization: