Understanding the threat, and how staff awareness training can address it
Damian Garcia has worked in the IT sector in the UK and internationally, including for IBM and Microsoft. In his more than 30 years in the industry, he’s helped both private- and public-sector organisations reduce the risks to their on-site and Cloud-based IT environments. He also has an MSc in cyber security risk management.
Now, Damian is our head of GRC consultancy, providing clients with pragmatic consultancy advice and support around information security, risk management and ISMSs (information security management systems). He also delivers ISO 27001 training courses.
Damian recently updated our Ransomware Staff Awareness E-learning Course – a 30-minute, non-technical course that’s suitable for all staff. Ahead of its release, we interviewed him to find out more.
Why is this elearning course so important? What was the inspiration behind it?
Over Q4 2023, our research found that 25% of all incidents involved ransomware. This is in line with what IBM’s Cost of a Data Breach Report 2023 found: 24% of malicious attacks involved ransomware.
Considering the plethora of negative effects ransomware attacks can have, including operational disruption, lost business, reputational damage, legal action, and many other additional monetary costs, this is worrying.
I understand why people – and businesses – tend to focus on the financial costs. However, the operational disruptions from ransomware attacks cannot be overstated: IBM found that it took an average of 273 days to identify and contain a ransomware attack, or 306 days if law enforcement wasn’t involved.
With figures like that, it’s no wonder that incidents disclosed by the threat actor – such as ransomware – cost more than your typical breach: $5.23 million on average, according to IBM, or 18% more than the average total cost of a breach.
These types of statistics are probably at least partly fuelled by some worrying ransomware trends we’ve been seeing lately, including gangs adopting more organised structures, favouring data exfiltration over mere encryption, and spending more time in victims’ systems to find their most sensitive data.
With ransomware presenting such a significant threat to organisations, we at IT Governance feel it’s important to raise staff awareness of the threat of ransomware and how to defend against it.
What are the key topics covered in this staff awareness course?
There really are two key areas:
- What ransomware is, and the threat it poses.
- How to protect yourself from ransomware.
However, these areas branch off into useful subtopics, including:
- The different types of ransomware attacks;
- The anatomy of an attack;
- How to identify ransomware attacks, such as phishing emails;
- How to respond to a ransomware attack; and
- Following organisation policies, such as for incident reporting.
The course also features numerous examples and case studies.
Could you take us through the key changes to the course?
Of course! We reviewed every aspect of the course, from the design to its functionality and the learning content itself, and enhanced and updated it for changes in the landscape.
In terms of the content, we’ve:
- Updated the information to reflect the latest ransomware trends and protections;
- Added a detailed ‘anatomy of an attack’ section to help learners understand how ransomware attacks operate;
- Included a section on the more general aspects of defending against ransomware, covering principles such as following the organisation’s incident reporting processes and technical measures like access controls;
- Added a short but comprehensive section on identifying phishing emails, which includes some examples;
- Included a new case study, on the Colonial Pipeline incident;
- Added a new ransomware scenario activity, where learners must answer questions on what the victim did right or wrong; and
- Revised the final quiz with new questions that better align with the learning goals of the course.
As for the course itself, we’ve:
- Revised the course structure to better fit the desired learning outcomes;
- Included audio narration of the core modules;
- Made the design cleaner, with a graphic theme running throughout;
- Added an animated video that introduces the course and the threat that ransomware presents; and
- Added interactive flashcards and timelines.
What do you like most about the course? Are there any top take-aways?
One of my personal favourite features is the new Colonial Pipeline case study. It reflects many of the dangers of ransomware in a clear and effective way. It fits really well within the course structure and with the visual theme – the inky/oily clouds representing the infectious nature of ransomware.
Another favourite new feature is the introductory animated video, which is short and striking. It has some nice scene transitions, such as a murky wave of ink spreading across the screen. Coupled with the music, video content and narration, all these elements come together to make the ransomware threat and solutions really hit home.
The key take-away for learners is best encapsulated by the message in the conclusion: “Stay informed, stay safe”. This summarises the idea that every single member of staff can contribute to their organisation’s security by doing simple things like:
- Verifying that their access rights aren’t exceeding the necessary levels for their job responsibilities;
- Ensuring their devices are up to date and equipped with essential protections;
- Familiarising themselves with their organisation’s incident reporting processes, especially whom they should report incidents to; and
- Reviewing and understanding their organisation’s cyber security policies.
These are all key steps the course expands on in the final module.
Do you have any related projects on the horizon?
Yes, we just released our Artificial Intelligence Staff Awareness E-learning Course. This allows organisations to equip their staff with essential knowledge about the role of AI in compliance and data privacy in today’s fast-evolving digital world.
Ransomware Staff Awareness E-learning Course
The updated ransomware course will be released soon. However, if you can’t wait, the current version still helps educate your staff to be alert and secure. This 30-minute course, suitable for initial and repeat engagement, covers:
- The threats posed by ransomware attacks;
- The main forms of ransomware and how this attack type works; and
- Actions you can take to help protect against ransomware.