Jun 04 2020

Training Can Go a Long Way to Help Teleworkers Defeat Ransomware

Government workers see familiar threats, but managers can train them to defend networks from anywhere.

Seventy-three percent of government employees expressed concerns about future ransomware attacks against U.S. cities, according to an IBM Security survey released earlier this year. In the survey, 1 in 6 respondents said their agency was affected by a ransomware attack in 2019.

Soon after the survey’s publication, state and local government employees found themselves in a mass shift to unprecedented telework, and as state CIOs told the Midyear Conference of the National Association of State Chief Information Officers, the ransomware threat did not go away. Instead, bad actors changed the script to entice employees working remotely to click on malicious links in emails designed to read as if they were teleworking alerts or purchase orders.

Yet, there is much state and local agencies can do to combat ransomware even when employees work remotely.

Training Employees Can Thwart Phishing Attacks 

According to the IBM Security survey, only 38 percent of respondents report receiving general ransomware prevention training. So, clearly, even for telework employees, state and local agencies can augment their training programs to spread the word about the threat of ransomware and what to do about it. Agencies have a great opportunity to broadcast such training to everyone at the same time on a work-from-home schedule.

The U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency has resources available to state and local governments that seek to establish training programs. “Ransomware typically spreads through phishing emails or by unknowingly visiting an infected website,” CISA notes.

Many state and local governments have identified successful ransomware incursions that began through a phishing email, so training employees to spot and report phishing is paramount. When ransomware successfully invades government networks, it often does so after a sole employee clicks one link in a phishing email. It is important to train everyone who has access to a network on best security practices. 

Securing Networks Is Critical In and Out of the Office

As for best security practices, there is no one way to defeat ransomware. As Deloitte Insights observes, “Ultimately, reversing the current trend in ransomware attacks rests on doing the basics well: building and operating networks well, and responding well to inevitable attacks.”

Best practices for security carry similar characteristics whether government employees work in the office or work at home. Good cybersecurity practices may include, among other measures, implementing multifactor authentication, network segmentation and endpoint security tools, state and local CIOs tell us. But such measures may be beyond the reach of some localities.

“Many governments struggle to keep pace with the rapid pace of technology refresh cycles. Tight budgets limit the amount of modernization that can take place, and even if budget is available, the tech refresh process itself can strain government IT departments,” Deloitte Insights states.

Putting what money there is into training may make the most of a limited budget.

Spend Budgets Effectively on Security Training

In the IBM Security survey, 52 percent of state and local government IT and security officials say cybersecurity budgets have remained stagnant. This perfect storm of limited training and limited budget helps make government agencies attractive ransomware targets. Ransomware struck more than 70 state and local governments in 2019, according to Barracuda Networks.

It follows that tight budgets and few experts may leave little money for training. But as Deloitte Insights notes, “The most advanced cybersecurity tools in the world cannot make up for poorly trained workers.”

Cybersecurity managers perhaps can find opportunity in a crisis. If faced with a large percentage of agency employees teleworking, for example, they can incorporate resources from CISA into a presentation that makes sense for their network and broadcast it to employees in a required meeting. With that, agencies can produce a cybersecurity playbook as a training reference manual and discuss it often.

Measures such as software patches and backup systems go a long way to defeating ransomware. But a well-trained staff will prove to be a powerful defense for securing a network. Agencies that can put a little time and effort into rudimentary training can make a strong start.
