Ransomware detection: Can employees help?

As ransomware attacks continue to escalate, should organizations make employees an integral part of their ransomware detection and prevention strategy?

When it comes to cybersecurity, organizations can learn a thing or two from prairie dogs, according to Rohyt Belani, chief executive and co-founder of security firm PhishMe.

Prairie dogs have figured out that the attacker is stronger than them; they have therefore banded together and devised a mechanism to detect and communicate threats, Belani said.

"Prairie dogs are small, but they have realized that their strength is in numbers," he told the audience at the recent CDM Media CISO/CIO Summit in New York. "They have developed an advanced language … so, when they are out in the jungle and they are attacked, they can call out predators."

This "prairie dog plan" can be equally effective in cybersecurity, especially when it comes to ransomware detection, he said.

While there is no silver bullet that prevents ransomware, it's time that organizations condition their employees to quickly spot and report phishing attacks to help contain such incidents, he said.

In 2016, $1 billion was lost to ransomware, and the average ransom demand was $679, up from $294 in 2015, Belani said. The enterprise is also witnessing the rise of ransomware-as-a-service, he added.

But at a time when the number and magnitude of cyberattacks are increasing drastically, the average revenue for publicly traded security companies went up by 22% last year, he said.

"What does that tell me? You guys buy a lot of stuff, but you get hacked worse and more often," he told the audience.

So, what are organizations doing wrong?

"We haven't roped humans into the equation," he told the audience. "They are the weakest link until we make them a strong asset." 

He urged organizations to stop complaining about humans' cybersecurity vulnerabilities and to make them part of their security posture when it comes to ransomware detection.

The case for automation

But according to Bryce Austin, CEO at TCE Strategy, humans will never be a strong asset against ransomware.

"Cybercriminals will continue to try new and creative means to fool users into performing a behavior that they shouldn't," Austin said in an email interview. "Automated systems to prevent users from being able to infect their systems with ransomware -- or to minimize the damage if/when they do -- are far more effective."

But as attackers get smarter, they are delivering ransomware that can bypass these next-gen security technologies, Belani explained. He cited the surge in the use of Windows Script Files to deliver ransomware: because administrators actually use these files on their systems, most endpoint security technologies treat them as part of usual processes.

It is therefore crucial to condition employees to be vigilant and report suspicious activity, which can help with ransomware detection, Belani said. 

"The issue is sandboxing technologies, which have been considered a silver bullet to fight against attachment-based malware, are failing on multiple fronts," Belani said. "Attackers are building these attachments to circumvent them and we are not being able to get the right mix between usability and security."

Ransomware detection: Educating employees

A recent PhishMe study found that 97% of phishing emails carried ransomware, Belani said. If organizations can train employees not to click on suspicious links or attachments sent via email, and to say something if they see something suspicious, organizations can limit the ransomware problem very significantly, he added. This requires organizations to invest in immersive training for employees, Belani advised.

But while immersive education is an effective tool to help reduce phishing success rates, the threat still won't be reduced to zero, Austin said.

"The strongest defenses against ransomware are least-privileged access to network shares, removing local admin rights from end users to their desktop/laptop computers, and a strong file backup system that goes to an air-gapped repository that ransomware cannot get to," Austin said.

While it's always good to have a backup strategy that's tested frequently, it's not a magic bullet by any means, Belani said. For example, some recent ransomware strains snoop private information and shovel it out to the attackers' systems before encrypting files to hold companies ransom, he said. "The attackers are then saying, 'If you want to restore it from a backup, I have got your private data and I am going to expose it, so pay up,' leaving companies no choice but to pay the ransom," he explained. 

Belani added that while training employees to assist with ransomware detection will certainly help with data protection, it is imperative to have an incident response plan in place.

"Prairie dogs know they can get attacked in spite of their awesome collective security detection system," Belani said. "You have to have a fallback plan saying, 'If all goes to hell, I do have an incident response plan in place.'" 
