The top business publication in Finland, Kauppalehti, published an article and video on ransomware featuring Hoxhunt’s own social engineer and cybersecurity expert, Joni Joensuu. His commentary on fighting ransomware with a positive security culture comes alive with the citation of, to our knowledge, one of the most powerful comparative studies on phishing training methods ever performed.
The article and video interview are in Finnish but, to summarize:
Ransomware is widely considered the greatest security threat to businesses and organizations today. Once attackers infiltrate a system with ransomware, they lock down the data and hold the company hostage until demands are met, be they financial or otherwise. This problem instigated tighter regulatory controls at the highest government levels and collapsed the cybersecurity industry in 2021; insurance premiums doubled and tripled over 2022 despite shrinking payouts and coverage.
But here’s the thing: ransomware almost always starts with email. Be it a mass email campaign or a targeted spearphishing attack, one bad click by one employee can leave the whole network encrypted and locked down by ransomware.
As the Kauppalehti (roughly translated as Business News) story reports, employees are on the front line of the fight against ransomware and phishing attacks. And, as Joni says, they should be encouraged to do more than nothing when a phishing attack lands in their inbox. Employees should learn how to save their colleagues and, by extension, their company by taking a good action. That action is reporting the attack.
"If you practice (cyber) situations as authentically as possible, that will already reveal (security) gaps in your organization," Hoxhunt's Joni Joensuu points out.
"Criminal organizations operate like (entities) that are running businesses, so we go where the fence is lowest (for a breach). Malware and scam messages can be bought from other criminals as a service online," said Joni Joensuu, Hoxhunt security expert.
According to Joensuu, a positive security culture is important. Employees must be empowered so that they dare to report anomalies (and suspicious emails) without (fear of) blame.
"People are always (only) forbidden to do something, (such as) to click on a link (in cybersecurity training). We want to emphasize what people can do. We want people to report threats to the organization's information security team at the lowest possible threshold."
But does it work? Can security training actually lower the risk of a ransomware breach? The answer, according to a study overseen by Finland’s largest telecom company, Elisa, is a resounding “Yes!” But with one caveat: training must be done right. It must focus on security behavior change so that people report phishing threats as a reflex, as Joni alluded to in his comments.
Together with Elisa, Hoxhunt ran a phishing benchmark study in which the same simulated phishing attack was sent to 3,000 users from 12 organizations, only one of which (Fingrid, Finland's main power grid supplier) uses Hoxhunt's security behavior change training.
"We found that those who participated in the training clicked about 20 times less on the link in the phishing message than others."
Pause on that for a moment. The other 11 companies had some form of phishing awareness training. But those who used Hoxhunt were 20 times more resilient.
In the Kauppalehti article, cybersecurity expert Teemu Keski-Valkama said that backing up data is critical, but it must be done more thoroughly than just single automatic backups. The best way to mitigate damage from a ransomware attack is the 3-2-1 rule for backups: