The article and video interview are in Finnish but, to summarize:
- One cybersecurity expert provided guidance on how to safeguard against ransomware attacks via the 3-2-1 method of backups
- Ransomware is most commonly delivered via an attack email
- Joni Joensuu, Hoxhunt social engineer, explained how security behavior change programs can empower employees to not only avoid getting phished, but proactively report the threat to the security team to protect the whole organization from the same threat
- In a landmark study on phishing resilience as a product of the type of training, orchestrated by Finland’s largest telecom company, Elisa, Hoxhunt users were found to be 20 times more resilient against phishing attacks than non-Hoxhunt users
Ransomware is widely considered the greatest security threat to businesses and organizations today. Once attackers infiltrate a system with ransomware, they lock down the data and hold the company hostage until demands are met, be they financial or otherwise. This problem instigated tighter regulatory controls at the highest government levels and collapsed the cybersecurity industry in 2021; insurance premiums doubled and tripled over 2022 despite shrinking payouts and coverage.
But here’s the thing: ransomware almost always starts with email. Be it a mass email campaign or a targeted spearphishing attack, one bad click by one employee can leave the whole network encrypted and locked down by ransomware.
As the Kauppalehti (roughly translated to Business News) story reports, employees are on the front line of the fight against ransomware and phishing attacks. And, as Joni says, they should be encouraged to do more than simply do nothing when a phishing attack lands in their inbox: employees should learn how to protect their colleagues and, by extension, their company by taking a good action. And that action is reporting the attack.
"If you practice (cyber) situations as authentically as possible, that will already reveal (security) gaps in your organization," Hoxhunt's Joni Joensuu reminds.
Excerpt from the original article: Foster a positive security culture
"Criminal organizations operate like (entities) that are running businesses, so we go where the fence is lowest (for a breach). Malware and scam messages can be bought from other criminals as a service online," said Joni Joensuu, Hoxhunt security expert.
According to Joensuu, a positive security culture is important. Employees must be empowered so they dare to report anomalies (and suspicious emails) without (fear of) blame.
"People are always (only) forbidden to do something, (such as) to click on a link (in cybersecurity training). We want to emphasize what people can do. We want people to report threats to the organization's information security team at the lowest possible threshold."
Proof: The Elisa telecom phishing benchmark study
But does it work? Can security training actually lower the risk of a ransomware breach? The answer, according to a study overseen by Finland’s largest telecom company, Elisa, is a resounding “Yes!” But with one caveat: training must be done right. It must focus on security behavior change so that people report phishing threats as a reflex, as Joni alluded to in his comments.
Together with Elisa, Hoxhunt did a phishing benchmark study in which the same simulated phishing attack was sent to 3,000 users from 12 organizations, only one of which (FinGrid, Finland’s main power grid supplier) uses Hoxhunt's security behavior change training.
"We found that those who participated in the training clicked about 20 times less on the link in the phishing message than others."
Pause on that for a moment. These other 11 companies had some form of phishing awareness training. But those who used Hoxhunt were 20 times more resilient.
On the technical side: 3-2-1 backup
In the Kauppalehti article, cybersecurity expert Teemu Keski-Valkama said that backing up data is critical, but it must be done more thoroughly than a single automatic backup. The best way to mitigate damage from a ransomware attack is the 3-2-1 rule for backups:
- 3 versions of the data, on
- 2 different media, and
- 1 as far away from the original as possible
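As an added illustration (not code from the article, from Hoxhunt or from Keski-Valkama), the following Python checks a constructed backup inventory against the three conditions of the 3-2-1 rule; the copy labels, media names and the convention that the live production copy counts as one of the three versions are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class BackupCopy:
    label: str     # hypothetical name for this copy
    media: str     # storage medium, e.g. "disk", "tape", "object-storage"
    offsite: bool  # kept away from the site holding the original data

def check_321(copies):
    """Evaluate the 3-2-1 rule and return each condition as a bool.

    Assumption: the live production copy is included in `copies` and
    counts as one of the three versions, as the rule is usually applied.
    """
    media_kinds = {c.media for c in copies}
    return {
        "three_copies": len(copies) >= 3,                # 3 versions of the data
        "two_media": len(media_kinds) >= 2,              # on 2 different media
        "one_offsite": any(c.offsite for c in copies),   # 1 far from the original
    }

def violations(copies):
    """List the names of the 3-2-1 conditions that the inventory fails."""
    return [rule for rule, ok in check_321(copies).items() if not ok]

# Constructed inventories for illustration.
# Weak: production volume plus a snapshot on the same disk array at the same site.
WEAK = [
    BackupCopy("prod-volume", "disk", offsite=False),
    BackupCopy("nightly-snapshot", "disk", offsite=False),
]

# Corrected: the same data also on tape at the site and in remote object storage.
CORRECTED = [
    BackupCopy("prod-volume", "disk", offsite=False),
    BackupCopy("weekly-tape", "tape", offsite=False),
    BackupCopy("remote-object-copy", "object-storage", offsite=True),
]

if __name__ == "__main__":
    for name, inventory in (("weak", WEAK), ("corrected", CORRECTED)):
        print(name, violations(inventory) or "meets 3-2-1")
```

The weak inventory fails all three conditions. The rule addresses loss of a site or a medium, so the offsite copy should also be unreachable with the credentials a compromised host holds, otherwise ransomware can encrypt that copy as well.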