In this Help Net Security interview, Dr. Darren Williams, CEO of BlackFog, talks about how employee training plays a key role in preventing ransomware attacks. He notes that human error is often the biggest security risk and explains how AI tools, gamification and real-time alerts can help employees identify advanced phishing threats.
What role does employee awareness training play in preventing ransomware attacks? What innovative approaches can make such training more effective?
Awareness training should not be underestimated when it comes to mitigating the impact of ransomware within your organization. In our experience, the weakest link is always the human, and the sophistication of phishing attacks is reaching new heights with the use of AI to create impactful and targeted attacks. Ensuring that users have sufficient training to identify these types of techniques is important as a first line of defense and to reduce human error. Many regulatory frameworks, such as SOC 2 and ISO 27000, require employees to undergo regular training to foster a strong security culture in their organizations.
Innovative ways to make this more interesting include forms of gamification such as puzzles and other tests to see if they can trick the user, and these have often been proven to be highly effective. Many systems also employ training with real-time alerts to alert you to the latest scams and techniques, as well as when emails are flagged for suspicious activity. Combining these techniques generally makes training more appealing and more likely to be accepted as part of the company culture.
How important is the triple extortion tactic? What strategies can organizations use to counter this evolution in ransomware attacks?
Triple extortion represents a strategic escalation of traditional ransomware techniques. Initially, ransomware attackers focused on encrypting data and demanding payment. They then moved on to double extortion and threatened to leak sensitive data if their ransom demands were not met. Now, with triple extortion, attackers are targeting not only their initial victims, but also customers, partners, regulators, and even shareholders. Additionally, they often use additional techniques such as DDoS attacks to cripple an organization’s business capabilities.
To combat these attacks, you need to develop a comprehensive strategy with training, backups, and the right cybersecurity tools. Securing entry points typically requires firewalls and EDR-type products. To protect your exit points and stop data leaks, you need a data leak prevention product that prevents data leaks from occurring in the first place.
What emerging technologies, such as AI and machine learning, are proving effective in preventing ransomware?
The only way to truly combat modern ransomware attacks is with AI-based technology. Ransomware has evolved rapidly over the past two years and is more effective than ever. This year has been an unparalleled success, with the highest number of offensive successes in the past five years. Existing technology was completely ineffective.
New solutions based on AI and zero-day based attacks have proven highly effective against these new variants in combination with other variants. By leveraging AI, vendors can target vulnerabilities that have not yet been identified in real time. The challenge for these emerging vendors is to cut through the noise of a crowded cybersecurity market and capture the attention of organizations. Powerful solutions exist and are getting better.
What are the first important steps an organization should take if a ransomware attack is detected?
First, containment and identification are key to stopping ransomware from spreading. Data leakage prevention ensures that no lateral movement or data extraction can occur from your device. Following this, verify any existing backups and ensure your organization has a data recovery plan for all affected systems. Next, it is important to understand who is being affected and what type of data is involved. This will determine the next important step: communication with authorities, internally and with customers.
We would like to emphasize here that communication and reporting are important to assist relevant authorities and to help protect you and others from further attacks. This also ensures that fines are kept to a minimum, especially for listed companies. Hiding an attack is not an effective approach and will never yield good results for the victim in the long run. Finally, if you do not have sufficient in-house resources to mitigate the attack, contact experts for assessment and recovery. This process isn’t cheap, but it can potentially keep your business running with minimal downtime.
Managed service providers (MSPs) are frequently attacked due to downstream access. What recommendations would you offer to strengthen MSP defenses?
We recommend that the MSP you work with, including the products they employ, obtain some formal certification. This includes SOC 2 or ISO certification. These certifications are very onerous and require an independent audit of security policies and procedures to ensure the system is based on best practices. If an MSP cannot demonstrate appropriate checks and balances, it is likely above board and should not be entrusted as a custodian of an organization’s endpoints and data.