Cybersecurity Awareness & Training: The First Defense Against Ransomware

It was in early 1991 when I remember sitting at the kitchen table one morning after breakfast reading the comics section of the San Diego Union Tribune. I diverted my attention from “Calvin & Hobbes” to the words “Michelangelo” and “Virus” plastered across the main headlines of a section that my father was reading as he sat across from me. I inquired as to the meaning of the words, to which he responded succinctly with something along the lines of: “Michelangelo is a newly discovered computer virus.” I was immediately intrigued. He continued, “And a computer virus is something that makes computers do things that they are not originally intended to.” Unaware and untrained at the time, I did not fully understand what this meant, but somehow felt quite worried that my family’s trusty Radio Shack Tandy 1000 could have been affected by this phenomenon.

Gabriel Diaz III – Lead Information System Administrator

Allow me to fast forward to the present day, late October 2019, as we find ourselves nearing the conclusion of yet another Cybersecurity Awareness Month. I’ve written this article to serve as a reminder of why our nation has dedicated an entire month to the topic of cybersecurity awareness. We, the human race, have come a long way since that archaic boot-sector Disk Operating System (DOS) virus struck the news over 28 years ago. We now live in an era where DOS is the acronym for Denial of Service, where technology is within reach of our fingertips, and where an entire world of information lies in the palm of our hand. This era also brings with it the prevalence of malicious software programs (viruses, trojan horses, worms, botnets, just to name a few) evolving and spreading at a rate of growth, sophistication, and complexity which, in my professional opinion, eclipses all other technological advancements known to mankind.

At the top of the list is the epidemic of Ransomware: a particularly vicious, popular, and quite lucrative type of malicious program that sequesters computing systems, with payloads known to cripple infrastructures in seconds. It has the added effect of baffling users, spawning countless insomniac system administrators and CISOs, and disrupting business operations (public and private sector alike) all over the globe, sometimes for weeks at a time. Ransomware attacks have reached a rate that Cyber Security Ventures[1] estimated earlier this year at roughly one organization being attacked every 14 seconds in 2019, a figure projected to rise to one every 11 seconds in 2021. While some of these vicious attacks are recoverable after paying for the decryption keys or restoring systems from a safely archived environment, some aspects are irrecoverable: how can an organization recover its hard-earned reputation after falling victim to a ransomware attack (or any attack, for that matter)? With Ransomware, oftentimes the cliché “if you give a mouse a cookie…” comes to mind, given that most organizations, in desperation, simply cave in to the cryptocurrency demands of a threat actor who is likely carrying out other similar attacks elsewhere at the same time in anticipation (not hope) of additional payouts. So how can we slow down or outright prevent this type of attack from occurring? We can probably reach unanimous consensus that this blatant abuse of technology has got to stop. But how?

The first defense to avert the looming Ransomware epidemic is simple: Cybersecurity Awareness & Training. According to Datto.com[2], phishing attacks and lack of training accounted for over 75% of successful ransomware attacks in 2017. But how is this possible? Again, simple: organizations and their personnel are either not made aware or are not properly trained. This malevolent technology has evolved and moved so rapidly through our networks that it has left many unsuspecting organizations behind to “byte” the dust. But wait: the whole month of October has been dedicated to raising cybersecurity awareness, so isn’t that good enough? Answer: NO, not even close! The light at the end of this non-VPN tunnel consists of further raising awareness and maintaining a continuous rollout of training scenarios throughout the organization, in the interest of slowing down or even doing away with many of these malware-fueled nightmares haunting our already burdened SAs and CISOs. Why will this work? Answer: because the end user will know “not to click on that email link” or “not to browse to those insecure sites”! Organizations need to adopt captivating awareness communication and conduct training periodically, as a complement to the technical security controls already in place throughout the infrastructure. But don’t just take my humble word for it. In reference to Ransomware in its Internet Crime Report of 2017[3], even the Federal Bureau of Investigation recommends training as a critical preventative measure.

In conclusion, I offer the following advice to executives and business owners everywhere: if you’ve already implemented an awareness and training program, give yourself a pat on the back and continue to maintain high alert. Otherwise, help yourselves and the future of your organization by investing in training programs geared towards the professionals using the very systems that have already made your business flourish with success. Why? Because if system end users are not aware of an attack attempt, then the organization is unnecessarily at risk of an increase in phishing attacks leading to Ransomware infiltration. And because if system end users are not trained in how to deal with an attack attempt, then the organization is unnecessarily at risk of an imminent breach. Don’t shy away from adjusting your budgets and your business programs; instead, consider raising organizational cybersecurity awareness programs and conducting periodic employee training exercises. Don’t simply place trust in the month of October, either. Remember, while paying for a cybersecurity awareness and training program might seem unpalatable to the bean-counter, it is ultimately better than paying to clean up the mess after falling victim to a Ransomware attack.