
How social engineering contributes to successful ransomware attacks


Ransomware has long been a menace, to the point that some refer to it as the digital plague of our time. During the past 18 months this has certainly been the case, with ransomware attacks rising by 93 percent. The constant barrage of cyberattacks has raised concerns, particularly for organizations that must understand and get to grips with the tactics used by threat actors who want to gain access to their networks.

Over the past year, we have witnessed ransomware attacks that have disrupted major enterprises from a variety of sectors including an American oil and pipeline provider and a national health service provider in Europe – both were brought to a standstill with operations ceased. And this is just the tip of the iceberg. 

Cybercriminals have no remorse for their victims so long as their ransoms get paid. As of 2020, it was found that $18 billion had been paid globally in ransom, and total costs were in the hundreds of billions of dollars. This figure is expected to rise to $20 billion in 2021, and damages are projected to reach $256 billion by 2031. It just goes to show how lucrative and effective ransomware can be.

But what is causing these organizations to fall victim to ransomware? Looking into the top causes for ransomware, KnowBe4 revealed social engineering to be the most successful vehicle for hackers to dupe victims. Social engineering involves cyber threats like phishing via email, smishing via text message, vishing over the phone, or a combination of any of these tricks a hacker can use to get employees to click on a malicious link. We have even seen examples of employees being offered bribes to install ransomware.  

Now, there is no silver bullet in cybersecurity that will magically prevent all these threats instantly. You cannot just throw money at technology alone to try to fix the problem. Organizational policies and procedures need to bake in security. The most important strategy to adopt is to develop and increase user awareness of ransomware threats, which helps create an added layer of security for the organization.

Do not rush; security takes time  

Small and medium-sized businesses may find it difficult to trust the process of building security awareness. It can feel like an obstacle that could be avoided by investing in just security technology. Yet, decision-makers have to realize that a positive security culture is an enabler for business operations. Without this element, you will be left vulnerable. It cannot be viewed as a “nice to have” feature or an afterthought just to tick a compliance box.  

Dedicating even a small amount of time each week to security awareness training can make a difference. Having the workforce learn about security policies, best practices, and the tell-tale signs of ransomware and other threats from a variety of resources and tools will help.

People are just as important as the tech

Empower your employees with the right knowledge to make a difference. Within the organization, they should be viewed as security enablers who can be an integral part of any security program. Do away with the stigma that they are the chinks in the security armor, as this only happens if they are not properly trained.

Security training can be inexpensive and does not need to eat into the security budget, as there are plenty of free or cheap resources to aid security teams in getting the message across. Better yet, these resources come in a variety of formats, from videos and quizzes to checklists and articles. There are even security policy templates that can be downloaded for free. All it takes is a quick search on the internet. Yes, these may be basic or rudimentary and may lack the glamorous features you would get by purchasing a subscription with a vendor, but they can definitely help form a foundation of security awareness to build from. For SMBs, reducing risk is key, and limiting the number of malicious links clicked by employees is certainly a sure step in the right direction.

Free tools are available 

As mentioned, organizations of all sizes should utilize the free security training tools available to better prepare the workforce against ransomware and other cyber threats. For instance, try ransomware simulators to test how prepared the business is to deal with such a scenario. Look at the password checkers that are widely available for free to gauge the effectiveness of the passwords being used in the organization. There is a plethora of free security hygiene and best practice modules that cover all these areas and more. You can even get security vendors to provide free security consultations, with free scans of the network and infrastructure to flag the biggest risks. Yes, a sales call may be required, but having this conversation can save you both costs and resources while making you more secure.

Ransomware is a huge issue and there are no signs of it slowing down so long as it is effective, and since criminals are seeing a return on their investment, it is here to stay. Thankfully, there are options, some of which are free, to help organizations reduce the risk of being impacted. Make security a business priority and give the workforce the knowledge and ammunition to defend against these social engineering threats.

For organizations needing guidance, here are some steps to help you along your security awareness journey. 

Establish a security policy  

Formulate, and make easily available, a written security policy. Each employee needs to read the document and sign it as an acknowledgment that they understand the policy and will apply it. 

Implement security awareness training 

Give all employees a (mandatory) security awareness course, with a clearly stated deadline. It is highly recommended to explain to them in some detail why this is necessary. 

Add security awareness training to employee onboarding 

Make this a mandatory part of the onboarding process for each new employee. 

Continuous security testing of employees 

Keep all employees on their toes with security top of mind by continued testing. Sending a simulated phishing attack once a week is extremely effective to keep them alert. 

Take action for successful or failed phishing attempts 

Never publicly identify an employee who fails a simulated attack. Let their supervisor or HR take this up privately. Give a quarterly prize for the three employees with the lowest ‘fail-rate’. 

Incorporate fun education in security awareness training 

If you use posters, stickers and/or screensavers, change the pictures or messages monthly. After a few weeks, people simply do not ‘see’ them anymore. It is more effective to send them regular ‘security hints and tips’ via email.

Javvad Malik, lead security awareness advocate, KnowBe4

Javvad Malik
Javvad Malik is one of the industry’s most prolific video bloggers, with a fresh and light-hearted perspective on security. He comments on IT security skills and the growing cyber security skills gap, as well as general security trends.