FBI Director Christopher Wray testifies before the Senate in May 2018. Today’s columnist, Ashley Rose of Living Security, says the FBI warns that there are now some 100 strains of ransomware circulating – and the attacks get more expensive and destructive every day. Rose calls for enhanced education and training efforts to mitigate the attacks. (Photo by Chip Somodevilla/Getty Images)

New ransomware statistics are an alarming wake-up call for business and security professionals everywhere. The second quarter of 2021 saw the highest volume of these attacks on record, according to a new report, with a 150% increase in ransomware globally. The FBI warns that some 100 different strains are now circulating.

The attacks are getting larger and more expensive, and they now hit major links in the American supply chain such as Colonial Pipeline and JBS. The group reportedly responsible for the latter, REvil, hit more than 1,500 organizations in a single campaign before disappearing earlier this year. Large U.S. companies lose an average of $5.6 million to ransomware each year, and small companies are just as vulnerable. A single ransomware attack can cripple a company's systems, and it is relatively easy for cybercriminals to pull off. The key to stopping them: a company's employees.

Security researchers can link the vast majority of ransomware attacks back to a lapse in very basic cyber hygiene. As proof, cybercriminals infiltrated Colonial Pipeline's network earlier this year, shutting down a pipeline that carries roughly 45 percent of the East Coast's fuel, using a single compromised password for a VPN account that did not require multi-factor authentication. What's more, phishing has become one of the most common delivery methods for ransomware, alongside exposed remote-access services protected only by weak or reused passwords. Cybercriminals send emails with malicious attachments or links, hoping a victim will open one, and it takes only one moment for a distracted employee to put an entire organization at risk. Anti-malware software and other layered protections, while important, will do little to protect an enterprise if its end users are letting cybercriminals in the door. By educating and training employees on the risks and improving cyber hygiene, companies can take back control from ransomware gangs. Here are four initial steps to focus on:

  • Implement a solid phishing simulation program.

Regularly sending simulated phishing emails to employees keeps them vigilant and gives security leaders a more accurate measure of human vulnerability in their enterprise. Track the report rate alongside the click rate: an employee who reports a suspicious message gives the security team time to pull it from other inboxes before anyone else opens it. If an organization can train employees to spot and report phishing emails, it has built a genuine first line of defense against ransomware.

  • Back up phishing simulations with security awareness training.

Educating employees to slow down and think before they click a link or open an attachment in an unexpected email directly blocks one point of entry for ransomware gangs. Cybercriminals are also getting more savvy: many social engineering attempts now involve elaborate emails personalized to individual victims, with quality graphics that mimic bank and business logos. Employees need to know how to spot fake emails, including checking where a link actually leads (the displayed text can differ from the real address) and verifying the sender's actual email address rather than trusting the display name.

  • Create strong passwords unique to each account.

Cybercriminals use passwords stolen in older breaches to access and take over a user's other accounts, a technique known as credential stuffing. Let's say an employee was a victim of the recent T-Mobile breach. If they use that same password for their corporate laptop or work email account and fail to change it, it puts the company's entire network at risk. Cybercriminals take advantage of credentials leaked months and even years earlier to identify easy targets and find an entry point for attack. Require that employees use passwords of at least 16 characters combining letters, numbers and symbols, screen new passwords against lists of known-breached passwords, and give employees a password manager so that a unique password for every account is practical rather than a burden. More importantly, educate them on why unique passwords protect both the company and themselves from attack.

  • Protect devices and data wherever an employee works.

In this era of hybrid work, companies should require multi-factor authentication for every account and protect every device with a host firewall and email filtering. Employees should also understand the importance of keeping their work and personal devices separate. Remote work blurs the line between home and office, with many people using corporate devices for personal business and personal devices for work. This opens the door to phishing, malware and a host of other attacks. Rethink how applications are accessed from untrusted home networks, and develop sound policies for employee access that reinforce keeping devices separate.
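The two checks recommended under the second point above, verifying the sender's real address and looking at where a link actually leads, can be made mechanical. The following Python script is an added example, not code from the column or from Living Security: it parses a constructed sample message and flags a sender domain outside a trusted set, a display name that borrows a trusted brand, a Reply-To that diverges from From, and link text that shows one domain while the href points to another. The "registrable domain" helper is a deliberate approximation (last two labels, no public-suffix list), and the trusted-domain set, the sample headers and the lookalike domains are all invented for illustration.

```python
"""Heuristic phishing checks: sender-address and link-target verification.

Added example for the column above; the sample message and domains are
constructed, and the domain helper is a crude approximation.
"""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: display name and link text claim examplebank.com,
# but the real address, Reply-To and href all point elsewhere.
SAMPLE_EMAIL = b"""From: "ExampleBank Security" <alerts@examp1ebank-verify.com>
Reply-To: recover@mail-examplebank.net
To: employee@corp.example
Subject: Action required: verify your account
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your account is locked. <a href="http://login.examp1ebank-verify.com/x">
https://www.examplebank.com/login</a> to restore access.</p>
</body></html>
"""


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Approximation: last two labels (no public-suffix list used)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def domain_of_address(addr):
    """Registrable domain of the real address, ignoring the display name."""
    _, email_addr = parseaddr(addr)
    return registrable_domain(email_addr.rpartition("@")[2]) if "@" in email_addr else ""


def analyze(raw, trusted_domains):
    """Return a list of human-readable findings; empty means nothing flagged."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of_address(from_addr)
    # 1. The real sender domain is not one the organization trusts.
    if from_dom and from_dom not in trusted_domains:
        findings.append(f"sender domain {from_dom} is not a trusted domain")
    # 2. The display name borrows a trusted brand, but the address does not match.
    for trusted in trusted_domains:
        brand = trusted.split(".")[0]
        if brand in from_name.lower().replace(" ", "") and from_dom != trusted:
            findings.append(f"display name mentions {brand!r} but address is @{from_dom}")
    # 3. Replies would go to a different domain than the apparent sender.
    reply_dom = domain_of_address(msg.get("Reply-To", ""))
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    # 4. Link text looks like a URL or domain, but the href leads somewhere else.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = _LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            href_dom = registrable_domain(urlparse(href).hostname or "")
            shown = re.search(r"([a-z0-9-]+\.)+[a-z]{2,}", text.lower())
            if shown and registrable_domain(shown.group(0)) != href_dom:
                findings.append(f"link text shows {shown.group(0)} but href goes to {href_dom}")
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EMAIL, {"examplebank.com"}):
        print("-", finding)
```

Run against the constructed sample with `{"examplebank.com"}` as the trusted set, it produces four findings; a plain-text message from an address inside the trusted domain produces none. These are heuristics to support the training message, not a substitute for mail-gateway filtering, and a real deployment would use a public-suffix list and SPF/DKIM/DMARC results rather than the two-label approximation here.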
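The password rule under the third point above (at least 16 characters, letters plus numbers plus symbols) and the warning about credentials leaked in earlier breaches can both be enforced at password-change time. The Python below is an added example, not the column's or Living Security's code: it checks length and composition as the column states them, and screens the candidate against a breached-password corpus using the k-anonymity range pattern (index SHA-1 digests by their first five hex characters, match the remainder locally) so that only a hash prefix would ever leave the client if the corpus lived on a remote service. The three "breached" passwords are a constructed stand-in for a real corpus such as the Pwned Passwords list.

```python
"""Password policy check with breached-password screening.

Added example for the column above. The breached corpus is constructed;
a real deployment would index a full published SHA-1 list or query a
k-anonymity range API with the 5-character prefix only.
"""
import hashlib
import string

MIN_LENGTH = 16

# Constructed stand-in for a breached-password corpus (plaintext shown only
# so the example is self-contained; real corpora are distributed as hashes).
_CONSTRUCTED_BREACHED = ["Password123!", "Summer2021!!", "Welcome1Welcome1!"]


def sha1_upper(password):
    """Uppercase hex SHA-1, the format breached-password lists are published in."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(digests):
    """Index digests by their first 5 hex chars (k-anonymity range buckets)."""
    index = {}
    for digest in digests:
        index.setdefault(digest[:5], set()).add(digest[5:])
    return index


BREACHED_INDEX = build_range_index(sha1_upper(p) for p in _CONSTRUCTED_BREACHED)


def is_breached(password, index=BREACHED_INDEX):
    """True if the password's SHA-1 is in the corpus.

    Only the 5-char prefix selects the bucket; the suffix comparison is local,
    which is what lets the lookup be done against a remote range API without
    revealing the password or its full hash.
    """
    digest = sha1_upper(password)
    return digest[5:] in index.get(digest[:5], set())


def check_password(password, index=BREACHED_INDEX):
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = {
        "letter": any(c.isalpha() for c in password),
        "digit": any(c.isdigit() for c in password),
        "symbol": any(c in string.punctuation for c in password),
    }
    missing = [name for name, present in classes.items() if not present]
    if missing:
        problems.append("missing " + ", ".join(missing))
    if is_breached(password, index):
        problems.append("appears in a known breach")
    return problems


if __name__ == "__main__":
    for candidate in ["Password123!", "correcthorsebatterystaple", "Tr0ub4dor&3-Correct-Horse"]:
        print(candidate, "->", check_password(candidate) or "ok")
```

The breach screen matters more than the composition rule: current NIST guidance (SP 800-63B) favors length and screening against known-compromised passwords over mandatory character classes, which tend to produce predictable substitutions. The composition check is kept here because it is the rule the column states; the breached-corpus lookup is the check that directly addresses the reuse problem the column describes.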

Ransomware isn’t going anywhere; cybercriminals will only keep ramping up their attacks. Their primary gateway has been company employees, so by properly educating and training employees on the dangers, companies can effectively mitigate ransomware.

Ashley Rose, co-founder and CEO, Living Security