Do the training, invest in security, be prepared for the worst
Ransomware and cyber extortion are getting smarter and more invasive. The only significant defence for business is to adopt a holistic and layered approach or ‘security in depth’, says Anna Collard, SVP of content strategy & evangelist at KnowBe4 Africa.
Collard's description of 'security in depth' refers to adding security layers at key touch points throughout the business, from the people level through to email, firewalls, protocols and processes.
The first step in this layered approach is to create a culture of security within the company, says Collard.
This goes beyond a few posters and emails warning employees about the risks and encouraging them to have good passwords. “It is about ongoing awareness and training that embed vigilance into behaviours and approaches,” she says. “People need to understand that security is not something that is mandated by a person in IT who does not understand how much work they have to do or how frustrating it is to jump over multiple security hoops when they are on deadline."
It is easy for employees to grow lazy about their passwords, their two-factor authentication and recognising phishing emails, adds Collard. “When you are tired or under pressure, you do not want to have to enter in a 24-letter password or repeatedly authenticate your identity, you want access to the system so you can get your job done. However, as much as security can be tedious and frustrating, a compromise is even more so. This is why training is important.”
When employees understand the knock-on impact of a breach, of cyber extortionists stealing or encrypting all their files, they are more likely to practice good security hygiene and pay attention to the protocols, KnowBe4 advises.
“If they are given the right levels of training and if this training is reinforced on a regular basis, then they will be more likely to detect phishing and social engineering attacks as well. If you consistently remind people of the role they play in keeping the company secure, then they will be more engaged with security and keeping up their end,” says Collard.
“Of course, training and awareness are only one side of the coin. It is also critical for the company to have robust security in place across endpoint detection, threat detection, incident response processes, patch management and cyber insurance.”
KnowBe4 warns that ransomware is getting smarter, more invasive, the criminals more intrepid in their approaches.
According to Statista, 51% of South African organisations fell victim to a ransomware attack in 2022, with the global average at 66%. A 2022 Data Protection Trends Report from Veeam shows that only 24% of companies internationally were not attacked by ransomware, with the most common entry points being malicious links, insecure websites and phishing emails. The Veeam report also found that 24% of companies that paid the ransom never recovered their data.
“Do the training, invest into the security, but, most importantly, be prepared for the worst,” says Collard. “It is the best strategy for any business wanting to protect its assets and its environment.”