Should companies subject employees to ransomware-specific security training?

A ransomware attack represents one the most serious cyberthreat scenarios an organization can face, with its own unique set of prevention and response challenges. And yet, a new survey suggests that ransomware-specific security awareness training programs remain relatively uncommon.

According to the just-released Part 3 of Entrust’s “Securing the New Hybrid Workplace” report, only 31% of 1,500 employees and 36% of 1,500 business leaders said that their enterprises offer ransomware-focused security training.

By comparison, other training topics were considerably more common, including best practices for securing company information (74% of both employees and leaders), digital security practices (63% of employees, 70% of leaders), security tools used by one’s organization (51% of employees, 59% of leaders), and anti-phishing (52% of both employees and leaders).

So why hasn’t ransomware been prioritized further as a security awareness and response training topic, especially in light of recent developments?

Mark Ruchie, CISO at Entrust, said in an interview with SC Media that for some companies, there is a prevailing sense that ransomware is first and foremost the IT and infosec department’s responsibility to prevent, despite the fact that human error and social engineering often leads to an infection.

“Most people understand that failing to spot a phishing email can result in a breach and a successful ransomware attack. However, the actual vulnerability exploited in a ransomware attack is very technical and associated with IT infrastructure, IT applications or security tool failures,” Ruchie explained. “While end users are the entry point for hackers, the discussion around prevention quickly moves to the technical side: unpatched systems, old operating systems, misconfigured systems, endpoint detection response, advanced persistent threat detection, etc. This means that most people view IT and security teams as primarily responsible for protection against cyber threats like ransomware, and therefore are responsible for any failures in preventing these attacks.”

Keatron Evans, principal security researcher at Infosec Institute, agreed that ransomware training is lagging behind other forms of security awareness. “This lag could be attributed to organizations not having an adaptable and scalable cybersecurity education program that can cover new topics as they arise, which we know often happens in cyber,” he said. “The good news is that many cybersecurity education providers can help organizations do this effectively and ensure they’re staying up to date with the times. “

Other companies may simply feel that implementing a strong anti-phishing training regimen is a more sensible option than ransomware-specific training because cutting down on phishing should reduce the risk of ransomware and a host of other consequences as well.

“Over three quarters of organizations in the world today experience phishing attacks regularly. By far the vast majority of ransomware campaigns begin with phishing. Wouldn’t a good ransomware training program focus on phishing?” said Matthew Toussain, founder of Open Security and a SANS Institute certified instructor.

By the time a ransomware attack happens, the attackers have moved beyond interacting with employee end users. “The attacker is so far beyond this phase of the compromise by the time they begin to load up their ransomware that the user is no longer relevant," he said. "What then is the purpose of training?”

Bottom line: “Ransomware is not a problem; ransomware is an effect," Toussain continued. "It’s the fatal symptom of our failure to properly safeguard the same systems that we have been tasked to maintain for decades. For an attacker it is their final objective after they have succeeded every step of the way in their conquest of our environment. If that is when we begin our training; then we’ve already lost.”

Recovering from a ransomware attack

However, there is a counterargument to be made. Ransomware still requires a response, and it is important for employees and executives to know what to do and what not to do so that the infection doesn’t spread further, the damage is limited rather than exacerbated, and the company practices responsible disclosure and doesn’t get into legal trouble. Moreover, it’s important that employees in an organization are made aware of the importance of maintaining regular data backups, and isolating networks from each other — which will make recovery and resilience earlier if an attack should occur.

“The biggest gap I’ve seen in training for ransomware is more in recovering from the attack,” said Evans. “Things like good backups have been recommendations and required controls for IT and security organizations for decades. If anything, ransomware has shined a light on how we still need to cover the basics of security posture.”

Even Toussain agreed with this, despite his earlier comments: “One of the roles I occasionally find myself in is that of the incident responder,” he said. “I cannot begin to describe how often I’ve seen organizations experiencing a compromise make things worse. I once saw a hospital destroy their entire network trying to fix it. When a ransomware event occurs it’s stressful and it’s terrifying. We can train IT and management on how to handle what comes next, and we should.”

With that in mind, experts suggested to SC Media what lessons or takeaways should be included in any ransomware training or awareness program.

There’s a lot of ground to cover, noted Ruchie: “Ransomware response and preventative controls are complex and difficult to completely fix,” he said. “These include unsupported OS and applications, lack of patching, misconfiguration and network zoning, along with newer controls such as more robust multi-factor authentication, zero trust networks, micro-zoning, EDR, and APT detection that all cost resources — both monetary and opportunity costs.”

“To help prevent ransomware, phishing training should include more realistic simulated attacks in addition to annual ‘book’ training,” Ruchie continued. “Ransomware training should consist of dedicated defense assessments with documentation, logging, deep-dive workshops, as well as technical tabletop and executive tabletop exercises. This latter group includes not only IT or security staff but also business leaders, legal leaders, crisis communications and business continuity teams.”

Meanwhile, Evans recommended that ransomware prevention training cover not only how ransomware works, but also the various methods through which hackers deploy their attacks. 

“Phishing is the most common method that is used to spread ransomware, so a good ransomware training program should include ways to mitigate phishing attacks. It can also be spread through social engineering, removable media and malicious websites, so these topics should also be addressed in a comprehensive training program,” said Evans.

Moreover, organizations should consider customizing the cyber education content according to various employees’ roles and responsibilities.

“For example, executive training may focus on prevention topics like whale phishing attacks and crisis management for post-incident environments,” said Evans. “For people in departments outside of IT, their training will focus mostly on prevention, cybersecurity awareness and reporting suspicious behavior. For IT and technical teams, there’s obviously an entirely different set of topics and training they should be up to date on to help protect the organization. In addition, different roles in an organization have varying levels of privileged access, so it’s important to have a plan in place based on how widespread their access is and the impact an attack targeting that individual/role would have on the organization.”

Toussaint’s recommendations included defining your audience, communicating how the problem “relates to your organization;” creating separate training courses for prevention and response, as they are “very different disciplines; and including tabletop exercises as part of your educational program.

Then, before you proceed further with more targeted training, you “should have a good understanding of how ransomware affects [your] organization directly and the following questions should have answers: how the attacker gains initial access, what mechanisms the attacker leverages to move laterally and extend that access, where are [your] critical points of failure and how they can be accessed, [and] who’s responsibility is it… when things go awry.”

Just this past Monday, the FBI warned that ransomware groups might target companies undergoing mergers and acquisitions, using the potential disclosure of sensitive data tied to deals as leverage to push for a quick ransom payment.