In this awareness and training module, we focus primarily on ransomware, a 'clear and present danger' causing disruption and grief around the globe. However, we also mention other forms of malware, of course, since (unfortunately!) they haven't gone away.
Coupled with network security, antivirus controls, backups, incident management and business continuity management, security awareness and training has a vital role in avoiding incidents in the first place, as well as efficiently and effectively handling any that do occur. In fact, provided the workforce as a whole is sufficiently clued-up and vigilant, the limitations of those other controls are of little consequence.
If you are still doubtful, consider the alternative: do you honestly believe all your cybersecurity controls and security technologies will protect you from the actions of an ignorant or careless workforce? And if your management and specialists are equally clueless, good luck getting the support and funding necessary to invest in and maintain your tech toys!
Security awareness and security technologies are complementary, not alternative, approaches. We need them both. They support and enable each other.
The awareness module is intended to:
- Introduce and explain ransomware in the context of malware in general;
- Expand on the associated information risks including the threats, vulnerabilities and impacts, pointing out the increasing probability and severity of ransomware incidents;
- Promote the security controls (both automated and manual) that can prevent, identify, respond to and recover from ransomware attacks;
- Educate staff, managers and professionals about ransomware in terms that resonate with them;
- Stimulate all workers to think - and most of all act - more securely, thus reducing the risks.
Think about your learning objectives on this topic. Is ransomware an issue of concern to your organisation, or are you strangely immune from the kinds of ransomware incident appearing frequently in the news (in which case perhaps you might like to explain your wonderful controls to workers in order to justify them and be sure everyone understands why they are so important!)?
PS: Drafting and debating a corporate policy regarding the particular conditions under which management might (reluctantly!) pay a ransom is itself an insightful awareness opportunity.
Teach the workforce about ransomware so they avoid or at least mitigate attacks and recover effectively and efficiently from incidents, without the massive costs and business disruption.