By Scott M. McAuliffe, CPA, CISA, CFE, Risk Advisory Services Partner
Verizon’s 2022 Data Breach Investigations Report states that a whopping 35% of ransomware incidents are the result of phishing. That share has been essentially unchanged over the past five years, which suggests that businesses and not-for-profit organizations are still struggling to educate their employees effectively.
In our experience, most nonprofits today have information security policies, and it is a best practice to provide security awareness training to employees at the time of hire.
What else can your organization do to stay vigilant against email-borne threats, including ransomware?
How employee training can prevent ransomware
We know that most ransomware incidents start with attacks aimed at end users, and best-in-class security tools cannot stop all attacks. Consequently, end users are a critical line of defense for attacks that penetrate perimeter defenses. As a result, it is important for nonprofit organizations to train their employees and volunteers to identify cyber threats and respond appropriately.
Cybersecurity training for your nonprofit team
To build a culture of healthy skepticism, your nonprofit needs to continually remind staff and volunteers who have access to the organization’s computers to be vigilant when opening emails, clicking links, and entering credentials.
Security awareness training should not be one-size-fits-all. Tailor it to each employee’s job responsibilities: certain employees, such as IT staff, may need more in-depth and more frequent training because of their broader access. Additionally, run periodic simulated phishing campaigns to test employees’ ability to recognize suspicious messages, and give employees who fall for a simulation additional, targeted training.
Because email is a primary vector for cyberattacks, including ransomware, your nonprofit can help employees ward off threat actors by implementing email protection controls such as the following:
Attachment filtering
Email systems can be configured to block or allow attachments based on file extension. We recommend enabling the common attachment type filter in your organization’s email system so that messages containing the specified attachment types are quarantined automatically. This filter reduces the organization’s reliance on employee judgment about whether to open a questionable attachment. Note that an extension check alone is easy to defeat by renaming a file, so pair it with content-based file type detection where your platform supports it.
In addition to the common attachment type filter, we recommend:
- Blocking all file types that are not required for business purposes,
- Blocking macro-enabled Office documents (.docm, .xlsm, and .pptm, together with the template variants .dotm, .xltm, and .potm), as their macros can execute arbitrary code and download ransomware from the internet. The legacy binary formats .doc, .xls, and .ppt can also carry macros without a distinguishing extension, and
- Blocking all zip files. Password-protected (encrypted) zip archives cannot be scanned for malware, so many email systems release them to the recipient without warning. Attackers routinely use encrypted archives, often with the password stated in the message body, to get ransomware past scanners. Other archive and disk-image formats such as .7z, .rar, and .iso raise the same problem.
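As an added example (not part of the original article and not any vendor’s filter), the following Python script models the three decisions above: an allowlist of required types, rejection of macro-enabled Office files, and handling of zip archives. It goes beyond the list in two ways: it looks inside Office containers for a VBA project, so a macro document renamed to .docx is still caught, and, for organizations that cannot block zips outright, it quarantines any archive whose entries are encrypted. The allowlist, the file names, and the sample attachments are constructed assumptions; the "encrypted" flag is set on the sample archive by hand because the standard library cannot write password-protected zips.

```python
import io
import zipfile
from typing import Dict, Tuple

# Assumed allowlist: the file types this hypothetical nonprofit actually needs.
# Everything else (.exe, .js, .docm, .xlsm, .pptm, ...) is blocked by omission.
ALLOWED_EXTENSIONS = {"pdf", "docx", "xlsx", "pptx", "txt", "csv", "png", "jpg", "jpeg"}
OFFICE_CONTAINERS = {"docx", "xlsx", "pptx"}  # zip-based Office formats on the allowlist
VBA_PART = "vbaProject.bin"                    # the part that holds VBA macros inside an Office zip
ZIP_ENCRYPTED_BIT = 0x1                        # bit 0 of the general-purpose flag: entry is encrypted


def extension_of(filename: str) -> str:
    """Last suffix, lower-cased, so 'payroll.pdf.exe' is judged as 'exe'."""
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def has_encrypted_entries(data: bytes) -> bool:
    """True if any entry is flagged encrypted; such entries cannot be content-scanned."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return any(bool(zi.flag_bits & ZIP_ENCRYPTED_BIT) for zi in zf.infolist())


def contains_vba(data: bytes) -> bool:
    """True if an Office container carries a VBA project, whatever its extension says."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return any(name.endswith(VBA_PART) for name in zf.namelist())


def decide(filename: str, data: bytes, allow_archives: bool = False) -> Tuple[str, str]:
    """Return ('block' | 'allow', reason) for one inbound attachment."""
    ext = extension_of(filename)
    if ext == "zip":
        if not allow_archives:
            return "block", "zip archives are blocked by policy"
        try:
            if has_encrypted_entries(data):
                return "block", "archive has encrypted entries that cannot be scanned"
        except zipfile.BadZipFile:
            return "block", "archive is not a readable zip and cannot be inspected"
        return "allow", "archive inspected; no encrypted entries"
    if ext not in ALLOWED_EXTENSIONS:
        return "block", f"extension '.{ext}' is not on the allowlist"
    if ext in OFFICE_CONTAINERS:
        try:
            if contains_vba(data):
                return "block", "Office file carries a VBA project (macro content)"
        except zipfile.BadZipFile:
            return "block", "Office container is not a readable zip and cannot be inspected"
    return "allow", "passed attachment filter"


def filter_attachments(attachments: Dict[str, bytes], allow_archives: bool = False) -> Dict[str, Tuple[str, str]]:
    return {name: decide(name, data, allow_archives) for name, data in attachments.items()}


# --- constructed sample attachments (not real files) ---------------------------------
def build_zip(entries: Dict[str, bytes]) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, body in entries.items():
            zf.writestr(name, body)
    return buf.getvalue()


def mark_encrypted(zip_bytes: bytes) -> bytes:
    """Set the 'encrypted' bit in every local and central-directory header, so the
    archive presents to a scanner exactly as a password-protected zip does."""
    out = bytearray(zip_bytes)
    for signature, flag_offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = out.find(signature)
        while pos != -1:
            out[pos + flag_offset] |= ZIP_ENCRYPTED_BIT
            pos = out.find(signature, pos + 1)
    return bytes(out)


SAMPLES: Dict[str, bytes] = {
    "report.docx": build_zip({"[Content_Types].xml": b"<Types/>", "word/document.xml": b"<w:document/>"}),
    "invoice.docx": build_zip({"[Content_Types].xml": b"<Types/>", "word/vbaProject.bin": b"\x00" * 16}),
    "budget.xlsm": build_zip({"xl/vbaProject.bin": b"\x00" * 16}),
    "payroll.pdf.exe": b"MZ" + b"\x00" * 62,
    "photos.zip": build_zip({"photo.jpg": b"\xff\xd8\xff"}),
    "locked.zip": mark_encrypted(build_zip({"payload.js": b"eval(1)"})),
}

if __name__ == "__main__":
    for name, (action, reason) in filter_attachments(SAMPLES).items():
        print(f"{action:5} {name:16} {reason}")
```

The `invoice.docx` sample is the case an extension-only filter misses: it is a macro document whose extension was changed, and only the look inside the container catches it. The `locked.zip` sample shows why the article recommends blocking archives outright: the filter can see that the entries are encrypted, but nothing can see what is in them.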
Sandboxing
Sandboxing is a security service that automatically opens (detonates) email attachments in an isolated environment, away from your organization’s network and computers, and watches what the file does. If the attachment behaves as a document should, it is delivered; if it exhibits behavior indicative of malware, such as launching a script host, rewriting large numbers of files, or contacting an unknown server, the service blocks it. These services matter because ransomware frequently evades signature-based scanning but is much easier to identify once its behavior is observed. We recommend a sandboxing service for protection against unknown malware and zero-day threats. Two caveats: detonation adds a delivery delay of minutes, and sandbox-aware malware may lie dormant until it is outside the sandbox, so sandboxing complements rather than replaces the other controls.
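As an added illustration (not the article’s content and not any vendor’s detection logic), the Python sketch below shows what "observing behavior" means in practice: a scoring pass over the events a sandbox records while an attachment runs, such as process launches, file writes, and outbound connections. It also handles the dormant-sample case: a file that only sleeps through the observation window gets an "inconclusive" verdict rather than "clean". The rules, weights, hostnames, and event logs are constructed assumptions; a commercial sandbox uses far richer telemetry.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Event:
    kind: str        # "process", "file", "network" or "sleep"
    detail: str      # "parent.exe -> child.exe args", a file path, or a hostname
    value: int = 0   # milliseconds, used only by "sleep" events


# Assumed scoring rules: behaviours a detonation sandbox treats as ransomware-like.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
SHADOW_COPY_DELETE = ("vssadmin delete shadows", "wmic shadowcopy delete")
RANSOM_SUFFIXES = (".locked", ".encrypted", ".crypt")
TRUSTED_HOSTS = ("microsoft.com", "windowsupdate.com", "office.com")
MALICIOUS_THRESHOLD = 50


def score_events(events: List[Event]) -> Tuple[int, List[str]]:
    """Add up suspicious behaviours and explain each one."""
    score, reasons, rewritten = 0, [], 0
    for ev in events:
        if ev.kind == "process":
            parent, _, child = ev.detail.partition(" -> ")
            child_exe = child.split(" ", 1)[0].lower()
            if parent.lower() in OFFICE_APPS and child_exe in SCRIPT_HOSTS:
                score += 40
                reasons.append(f"Office application spawned a script host: {ev.detail}")
            if any(cmd in ev.detail.lower() for cmd in SHADOW_COPY_DELETE):
                score += 50
                reasons.append("volume shadow copies deleted (blocks local recovery)")
        elif ev.kind == "file" and ev.detail.lower().endswith(RANSOM_SUFFIXES):
            rewritten += 1
        elif ev.kind == "network" and not ev.detail.lower().endswith(TRUSTED_HOSTS):
            score += 20
            reasons.append(f"outbound connection to {ev.detail}")
    if rewritten >= 5:
        score += 40
        reasons.append(f"{rewritten} files rewritten with a ransom extension")
    return score, reasons


def verdict(events: List[Event], observation_ms: int = 60_000) -> Tuple[str, int, List[str]]:
    """'malicious', 'clean', or 'inconclusive' (idled through the window or did nothing)."""
    slept = sum(ev.value for ev in events if ev.kind == "sleep")
    active = [ev for ev in events if ev.kind != "sleep"]
    score, reasons = score_events(active)
    if score >= MALICIOUS_THRESHOLD:
        return "malicious", score, reasons
    if not active or slept >= observation_ms:
        reasons.append(f"sample idled {slept} ms of a {observation_ms} ms window; nothing to judge")
        return "inconclusive", score, reasons
    return "clean", score, reasons


# Constructed detonation logs (not captured from real samples).
MACRO_INVOICE = [
    Event("process", "outlook.exe -> winword.exe invoice.docm"),
    Event("process", "winword.exe -> powershell.exe -nop -w hidden -enc SQBFAFgA"),
    Event("network", "cdn-updates.example"),
    *[Event("file", f"C:\\Users\\sandbox\\Documents\\report{i}.docx.locked") for i in range(6)],
    Event("process", "powershell.exe -> vssadmin delete shadows /all /quiet"),
]
PLAIN_PDF = [
    Event("process", "outlook.exe -> acrord32.exe agenda.pdf"),
    Event("file", "C:\\Users\\sandbox\\AppData\\Local\\Temp\\acro.tmp"),
]
EVASIVE_DOC = [
    Event("process", "outlook.exe -> winword.exe letter.docm"),
    Event("sleep", "WaitForSingleObject", 300_000),
]

if __name__ == "__main__":
    for name, log in (("invoice.docm", MACRO_INVOICE), ("agenda.pdf", PLAIN_PDF), ("letter.docm", EVASIVE_DOC)):
        print(name, verdict(log))
```

The `EVASIVE_DOC` log is the caveat from the paragraph above: a sample that waits out the clock produces no malicious behavior to score, and a sandbox that reports "clean" in that situation is the one the attacker is counting on.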
Link Checking
Link checking services rewrite every link in inbound email so that, when a user clicks, the request first passes through a security service that checks the destination URL against lists of known malicious websites and scans it for malware before forwarding the user. Because the check happens at click time rather than at delivery, a link that becomes known as malicious after the message arrives is still caught. These services can stop an employee who clicks a malicious link from reaching the site, potentially preventing a ransomware download or a credential-phishing page that leads to ransomware or other cyber-attacks. Tell users what the rewritten links look like so the wrapped URLs are not themselves mistaken for phishing.
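The two halves of such a service, rewriting at delivery and checking at click time, as an added Python example (not the article’s content and not any product’s implementation). It also shows a design point the paragraph does not: the redirector signs each wrapped URL with an HMAC and refuses anything it did not sign, because an unsigned link checker is an open redirect that phishers can use to dress their links in your organization’s domain. The redirector host, secret, blocklist hostnames, and sample message are constructed assumptions.

```python
import hashlib
import hmac
import re
from typing import Tuple
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumptions for this demo: the organization's own redirector endpoint, a secret known
# only to it, and a constructed blocklist (these hostnames are not real sites).
REDIRECTOR = "https://links.example.org/click"
SECRET = b"rotate-this-key-in-production"
BLOCKLIST = {"evil-invoice.example", "login-micros0ft.example"}

HREF_RE = re.compile(r'href="(https?://[^"]+)"', re.IGNORECASE)


def sign(url: str) -> str:
    """HMAC over the destination so the redirector only forwards links it wrapped itself."""
    return hmac.new(SECRET, url.encode("utf-8"), hashlib.sha256).hexdigest()


def rewrite_link(url: str) -> str:
    """Wrap one destination so every click passes through the checking service."""
    return f"{REDIRECTOR}?{urlencode({'url': url, 'sig': sign(url)})}"


def rewrite_body(html: str) -> str:
    """Rewrite every http(s) href in an inbound HTML body at delivery time."""
    return HREF_RE.sub(lambda m: f'href="{rewrite_link(m.group(1))}"', html)


def check_click(clicked: str) -> Tuple[str, str]:
    """Time-of-click check. Returns ('redirect', destination) or ('block', reason)."""
    params = parse_qs(urlsplit(clicked).query)
    url = params.get("url", [""])[0]
    sig = params.get("sig", [""])[0]
    # Refuse anything we did not sign. Without this the redirector is an open redirect
    # that phishers can use to lend the organization's domain reputation to their links.
    if not url or not hmac.compare_digest(sign(url).encode("ascii"), sig.encode("utf-8")):
        return "block", "missing or invalid signature"
    host = (urlsplit(url).hostname or "").lower()
    if host in BLOCKLIST or any(host.endswith("." + bad) for bad in BLOCKLIST):
        return "block", f"destination {host} is on the blocklist"
    return "redirect", url


# Constructed inbound message (not a real email).
SAMPLE_HTML = (
    '<p>Your donation receipt is <a href="https://www.example.org/receipts/123">here</a>. '
    'Overdue invoice: <a href="https://evil-invoice.example/pay?id=9">pay now</a></p>'
)

if __name__ == "__main__":
    delivered = rewrite_body(SAMPLE_HTML)
    print(delivered)
    for link in HREF_RE.findall(delivered):
        print(check_click(link))
```

Adding a hostname to `BLOCKLIST` after a message has been delivered changes the outcome of the next click on the already-rewritten link, which is the property that makes time-of-click checking worth the unfamiliar-looking URLs.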
Geo-Blocking
Email-based geo-blocking rejects inbound email originating from countries or regions your organization chooses to block, which further reduces the malware reaching users’ inboxes. In Microsoft 365 (Exchange Online Protection), this is configured in the “Anti-spam inbound policy” using the “International spam” regions setting. Geo-blocking relies on the geolocation of the sending mail server’s IP address: attackers can send from compromised mailboxes or cloud services in allowed regions, so treat it as noise reduction rather than a hard boundary, and confirm that no donors, partners, or grant-makers correspond with you from the regions you block.
Email Signing and Authentication
Domain-based Message Authentication, Reporting & Conformance (DMARC) builds on Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM). A DMARC policy is published as a DNS TXT record at _dmarc.<your domain>. It tells receiving mail servers that a message claiming to come from your domain must pass SPF or DKIM with a domain that aligns with the visible From address, what to do when it does not (p=none to monitor, p=quarantine, or p=reject), and where to send aggregate reports (rua). This gives receivers assurance about a sender’s authenticity that goes beyond SPF alone, and it stops attackers from spoofing your domain to your own staff and to your donors. We recommend publishing a DMARC record; it is free and usually straightforward. Start at p=none, use the reports to find legitimate senders (newsletter, donation, and payroll platforms) whose SPF or DKIM needs fixing, then move to quarantine and finally to reject.
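How a receiving server applies such a record, as an added Python example (not the article’s content and not any mail server’s code): it parses a DMARC TXT record, checks whether the SPF or DKIM result is aligned with the From domain under the record’s strict or relaxed settings, and returns the action the policy calls for. You can fetch a real record with `dig +short TXT _dmarc.example.org`. The records and message cases below are constructed, and the organizational-domain rule is simplified to the last two labels (real evaluators consult the Public Suffix List).

```python
from typing import Dict, Optional, Tuple


def parse_dmarc(txt: str) -> Dict[str, str]:
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; rua=mailto:...' into tags."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a DMARC record: v=DMARC1 and p= are required")
    tags.setdefault("adkim", "r")     # DKIM alignment: r(elaxed) unless the record says s(trict)
    tags.setdefault("aspf", "r")      # SPF alignment, same convention
    tags.setdefault("sp", tags["p"])  # subdomain policy defaults to the domain policy
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels (assumption made to stay
    offline; a real evaluator uses the Public Suffix List so 'example.co.uk' works)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain: str, header_from: str, mode: str) -> bool:
    """Strict alignment needs an exact match; relaxed accepts the same organizational domain."""
    a, h = auth_domain.lower(), header_from.lower()
    return a == h if mode == "s" else org_domain(a) == org_domain(h)


def evaluate(record: str, header_from: str,
             spf_result: Optional[str] = None, spf_domain: Optional[str] = None,
             dkim_result: Optional[str] = None, dkim_domain: Optional[str] = None) -> Tuple[str, str]:
    """DMARC verdict for one message: ('pass'|'fail', action the receiver should apply).
    spf_domain is the envelope sender's domain; dkim_domain is the d= of a valid signature."""
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and bool(spf_domain) and aligned(spf_domain, header_from, tags["aspf"])
    dkim_ok = dkim_result == "pass" and bool(dkim_domain) and aligned(dkim_domain, header_from, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "none"
    policy = tags["p"] if header_from.lower() == org_domain(header_from) else tags["sp"]
    return "fail", policy


# Constructed records for a hypothetical nonprofit domain.
ENFORCING = "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; rua=mailto:dmarc@example.org"
MONITORING = "v=DMARC1; p=none; rua=mailto:dmarc@example.org"


def demo() -> Dict[str, Tuple[str, str]]:
    return {
        "bulk sender, SPF passes on bounce subdomain": evaluate(ENFORCING, "example.org", spf_result="pass", spf_domain="bounce.example.org"),
        "spoof passing the attacker's own SPF": evaluate(ENFORCING, "example.org", spf_result="pass", spf_domain="attacker.example"),
        "DKIM signed by a subdomain under strict adkim": evaluate(ENFORCING, "example.org", dkim_result="pass", dkim_domain="mail.example.org"),
        "DKIM signed by the domain itself": evaluate(ENFORCING, "example.org", dkim_result="pass", dkim_domain="example.org"),
        "spoofed subdomain, no authentication": evaluate(ENFORCING, "giving.example.org"),
        "same spoof under a monitoring record": evaluate(MONITORING, "example.org", spf_result="fail", spf_domain="attacker.example"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{result[0]:4} {result[1]:10} {case}")
```

The second case is the one DMARC exists for: the attacker’s server passes SPF for its own domain, but that domain does not align with the forged From address, so the message fails and the p=reject policy applies. The last case shows why p=none is only a starting point: the spoof is detected and reported, but nothing is blocked.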
When making changes to your email environment, nonprofits should recognize that:
- Most effective security layers will impact the end user
- End users often push for technology choices which, if implemented, would materially weaken the security of the network
- New security requirements that are met with complaints and confrontation tend to discourage IT security staff from continuing to improve security
- Despite extensive testing, there can be temporary ‘breakage’ when deploying new security tools and settings
To mitigate the above, we recommend extensive communication before, during, and after new security procedures, tools, and settings are deployed so users are aware of potential interruption and have a means to communicate issues they encounter.
Nonprofits that pair robust employee education with strong email protection controls go a long way toward preventing an employee or volunteer from clicking the wrong link or opening the wrong document, the mistake that results in a ransom event and major headaches for all involved.
To assist nonprofits with assessing their ransomware risk, Keiter Technologies has developed a Ransomware Risk Assessment program that provides insights into the key areas of an organization’s cybersecurity that directly relate to ransomware. Contact your not-for-profit Opportunity Advisor to learn how we can help your organization mitigate cybersecurity risks.
The information contained within this article is provided for informational purposes only and is current as of the date published. Online readers are advised not to act upon this information without seeking the service of a professional accountant, as this article is not a substitute for obtaining accounting, tax, or financial advice from a professional accountant.