Your cyber insurance policy may not always have your back in a ransomware attack, but we can. Get access to practical steps and actionable advice from our security experts to automate prevention and rapid containment in the event of a breach.
It’s in the name: malware is malicious software which, if able to run wild, can cause harm in many ways – from locking devices and stealing confidential data, to obtaining credentials that allow access to your organization’s systems and services. But there is a particular type of malware that is running wild indeed, all while pressuring victims into paying attackers to restore their devices, data, and businesses to order.
We’re talking, of course, about ransomware – the prime cyber security threat facing organizations today, according to the European Union Agency for Cybersecurity (ENISA), who reported a 150% rise in ransomware attacks between April 2020 and July 2021, and warns: “It hasn’t yet reached the peak of its impact.”
This guidebook aims to help public and private sector organizations deal with the effects of ransomware by providing actions to help automate the prevention of a ransomware security breach and automated capabilities to contain a breach if you’re already infected. We’ll also share expert tips from our team behind Evolve, the world’s first Security Automation Cloud, on how to identify, protect, detect, respond, and recover from ransomware attacks.
Understand the Ransomware Threat
Over the past decade, ransomware attacks have grown in ferocity and frequency across the globe, wreaking havoc on enterprises and costing them billions of dollars. But many consider the emergence of the WannaCry and NotPetya attacks in 2017 a turning point: ransomware attacks went from being considered a nuisance to becoming a security nightmare.
By coupling phishing attacks with ransomware payloads, traditional approaches originally targeted employees of organizations to bypass their security measures and rapidly encrypt the data of the infected machine. This would often lead to attached file servers being encrypted as the automated encryption of the ransomware would walk through every file accessible to the infected system. In common situations, this would lead to a ransom of between $100 to $4,000 since it would typically cause a relatively small impact to a business, depending upon the data that was encrypted. Despite this relatively small amount, ransomware campaigns would typically pull in around US$100M to US$150M per year.
Since COVID started infecting the world, threat actors have enhanced the sophistication of their campaigns creating modern ransomware attacks that take a different approach. Rather than infecting a single machine via phishing, threat actors started manually infiltrating organizations by simply logging into remote access systems using leaked credentials from third-party security breaches, or via remotely exploitable vulnerabilities in internet-facing systems and applications.
Once this foothold is gained within the target organization, the threat actor escalates their privileges and takes over all IT systems, sometimes within minutes. This access is then used to first steal hundreds of gigabytes of confidential data, before distributing ransomware to every system globally, encrypting all of your corporate data – ultimately shutting down your entire business in an instant.
If this hasn’t ruined your day enough, the threat actors then begin their extortion campaign, typically demanding between US$3M to US$10M per extortion, with some reportedly demanding close to US$100M.
Threatening to leak your data to the public or sell it to the highest bidder if you don’t pay the extortion amount in time, with some groups leaking stolen data to your clients, and even encouraging them to take legal action against you for negligence. These data leaks and extortions can span weeks or even months, which keeps the pressure on to pay up.
Ransomware campaigns are becoming more creative, with some utilizing automated propagation techniques for widespread exploitation, whereas others simply encrypt exposed databases on the internet, removing the need to breach systems whilst successfully bypassing corporate endpoint protection controls.
Identify Methods of Infection
No matter how the threat actors breach your organization, every ransomware attack has three key stages: delivery, execution, and propagation. The options of delivery methods are wide for attackers to choose from, and some of the most common ones rely on human error, lack of cybersecurity training, and gullibility, including: spam and phishing emails, weak or leaked passwords, open remote access services, and remotely exploitable systems and applications.
At the crucial first stage of delivery, the attacker breaches the environment and the ransomware payload is inserted into the target machines. In cybersecurity, a payload is used to describe what a virus, worm, or Trojan is designed to do on a victim’s machine – from encrypting data and stealing confidential information, to damaging computer systems, and providing the attacker with remote access to your organization.
In a survey conducted by Statista in November 2020, more than 1,000 managed service providers globally indicated that phishing emails accounted for 54% of ransomware infections that year. With this in mind, many enterprises use an email security solution to protect themselves against ransomware delivery, which filters inbound and outbound email traffic, automatically detecting and removing risky content. Although this is a necessary security control, you should always keep in mind that these email filters can often be bypassed using various techniques. One effective technique includes geo blocking the email security vendor from analyzing the phishing site hosting the ransomware. Because of this, a defense-in-depth approach is critical to automating the protection against ransomware.
Remote access systems are one of the most common targets for ransomware groups, where they use stolen credentials from third-party security breaches to simply login to your company. Wherever possible, multi-factor authentication (MFA) should be used on remote access systems. Unfortunately, MFA may not be supported on all systems, applications or accounts.
A more sophisticated approach to protecting corporate accounts entails frequent monitoring for leaked email addresses, usernames and passwords. That’s why we’ve designed EvolveID Automated Leaked Password Monitoring to automatically monitor for leaked authentication credentials every single day, giving organizations and employees a heads-up on the latest security breaches that may affect them. Evolve also integrates with your authentication solution to automatically expire passwords so that users are forced to change their password upon the next login.
Threat actors are quick to weaponize critical vulnerabilities, typically in less than a day, to remotely exploit your internet-accessible systems and applications. This means it is crucial that you stay on top of the latest vulnerabilities in your systems and also the latest exploits that have been released to ensure that you can respond quickly to prevent the threat actors from infiltrating your organization.
Common, Prevalent, and Historic Examples
Once successfully delivered, this gives way to the second and third stages of a ransomware attack: Execution and propagation. These stages will differ depending on the threat actor group and the variant of ransomware, but in all cases, the ransomware starts running on your workstations and servers to quickly encrypt data files across your organization.
It is commonly agreed that WannaCry remains one of the most devastating and costly ransomware out there. WannaCry accounted for more than 16% of crypto-ransomware encountered in 2020 (Kaspersky Labs), and it is the largest ransomware infection in history when it comes to damages caused in a single episode: at least $4 billion across 150 countries, back in 2017.
Given its popularity, let’s use the most famous WannaCry attack to demonstrate what the execution and propagation of ransomware can look like, and what impact this type of ransomware can have:
It was May 2017 when the WannaCry ransomware attack first became a global epidemic. It spread through computers operating Microsoft Windows, holding users’ files hostage and demanding a Bitcoin payment for their return.
When it first happened, many thought that the WannaCry ransomware attack had spread through a phishing campaign (where spam emails with infected links or attachments lured users to download the malware). But it is now commonly accepted that the responsible cyber criminals took advantage of a weakness in the Microsoft Windows operating system using a hack known as EternalBlue. This vulnerability had been made public by a group of hackers called Shadow Brokers and, in response, Microsoft released a security patch which protected users’ systems against the exploit almost two months before the ransomware attack began. Unfortunately, those who do not regularly update their operating systems were left exposed. The EternalBlue exploit allowed WannaCry to propagate and spread to Microsoft Windows users around the world, while a backdoor tool called DoublePulsar was then installed on the compromised computers to execute WannaCry.
It is estimated that the WannaCry attack hit around 230,000 computers globally. Among them were thousands of computers of the UK’s National Health Service hospitals and surgeries. Ambulances were reportedly rerouted, and approximately 19,000 appointments were canceled as a result of the attack, leaving people in need of urgent care. As it spread beyond Europe and into computer systems across 150 countries, it is estimated that this single cyber crime caused $4 billion in losses across the globe. In retrospect, we can say that were it not for poor cybersecurity practices around the need to update software and apply security patches, much of the damage caused by this attack could have been avoided. But much has changed since then.
Although ransomware has received much media attention after this episode, studies show that the statistics for the overall number of ransomware detections have been declining since 2018. Unfortunately, this does not mean that ransomware is disappearing. Rather, ransomware is undergoing a fundamental shift: widespread ransomware campaigns are being replaced with highly-targeted, destructive attacks, often aimed at large organizations. In other words: Attackers are aiming for fewer attacks with larger payouts, rather than collecting smaller amounts of money from a larger number of victims.
The Ransomware as a Service (RaaS) Model
Beyond WannaCry, other active families of ransomware attacks nowadays follow the Ransomware as a Service (RaaS) model, which refers to ransomware attacks carried out to order. The term can also refer to a platform for the provision of such services. You read that right: Ransomware has become a criminal business model – and now also the most profitable.
Typically, RaaS includes the leasing of ransomware or a blocker, botnet services for malware delivery, and a control panel. RaaS platforms are located in the darknet and owners usually look for clients in specialized private forums. Some services even offer flexible tariff plans, technical support, and training. Through a personal account, the attacker can control basic attack parameters and communicate with its victim.
Establishing contact with the victim is one of the key differentiators between ransomware and other forms of cyber attacks. Normally, the malware used in these attacks inconspicuously infiltrates the target system, and data theft remains undetected – particularly when the systems are insufficiently protected. But ransomware makes it a point to directly contact the user of the affected system when the offender has already taken control, so they can demand a ransom in exchange for the captured information.
Another key differentiator of ransomware attacks is that they can be automated: once the criminal starts the process of the attack, no further commands are needed to compromise the target system at scale and at speed. But what does this mean in practice? Let’s have a closer look at that next.
The Ransomware “Kill Chain”
The “cyber kill chain” refers to a sequence of stages required for an attacker to successfully infiltrate a network and exfiltrate data from it. Each stage demonstrates a specific goal along the attacker’s path, which is why monitoring and response plans can be designed around the cyber kill chain model: to effectively focus on how actual attacks happen.
The basic kill chain stages of a ransomware attack are:
- Distribution: The payload is distributed to a system, which can happen in many ways, including a weakness in an outdated operating system or software, leaked authentication credentials, and email scams through which attackers get users to click a link or download a malicious attachment.
- Infection: The malware is installed and starts its infection process, looking for files and data to compromise, often unbeknownst to the user.
- Staging: The malicious code starts communicating with the outside world, uploading the compromised data to a different domain or IP address.
- Scanning: The malware looks for content to encrypt both locally and at the network level, where it may look for network drives and synced cloud data to encrypt (which can sometimes be your backups!). At this stage, a security team might be able to notice unusual activities in the amount of network traffic, since the malware is sending data out at scale, with some ransomware variants attempting to infect new targets in the environment.
- Encryption: At this point, the malware starts encrypting files, which can take just seconds to complete.
- The payday: The infected machines inform users to pay a ransom with a message along the lines of: “The contents of this machine are encrypted, send us [enter currency and amount here] to get your files back”.
Due to the speed that these kill chain phases are executed, human actions simply aren’t fast enough to respond. It is critical that proactive prevention and Automated Incident Response technologies are used to effectively stop the attack from occurring or minimizing damage.
Prevention by Reducing Your Attack Surface
The most effective way to prevent ransomware from affecting your organization is, of course, to stop attacks before they can infect your systems. To do that, organizations must have the appropriate security architecture in place, which includes reducing your attack surface and proactively blocking threats.
An attack surface is the number of possible ways an attacker can break into your organization to extract and encrypt data – so reducing yours will reduce your exposure to cyber risks. The idea is simple: the fewer systems that you have exposed on the internet, the fewer targets an attacker has to break into your company to steal or encrypt your data.
The first step is to understand your internet-exposure, which includes gaining full visibility of your internet-accessible systems, services, applications and vulnerabilities. Quite often when we perform an automated asset discovery for a client, we reveal systems and applications that they didn’t even know they had. This commonly includes legacy systems that were still running, and in one case we even found a data center that the company didn’t know they had – seriously! Obviously the security of these systems isn’t going to be up to scratch.
Now factor in the regular discoveries of critical vulnerabilities in operating systems and software, as well as the regular release of corresponding exploits, combined with the increased threat activity on the Internet, you can see how the more services exposed on your network represents an increase of your attack surface and an increased risk to your business.
It may seem like a daunting task, but gaining visibility into the exposures in your network is easier than ever. To control your attack surface and take prioritized actions, you can now use on-demand and frequent Automated Penetration Testing to fingerprint your real-time inventory of connected devices and verify the corresponding exploitable vulnerabilities – before the threat actors do.
Discovery and Inventory
Next, aim to classify all activities in your network ranging from what should be allowed to unknown and suspicious events that deserve further investigation. Then you can take actions based on our classifications – from blocking unknown traffic to enabling only the applications that have a clear business purpose to continue operating at a given time. Automated configuration assessments (CIS) can catalogue your assets to ensure security policies are enforced.
Once traffic has been classified, applications and user-based policies should be enforced. With high visibility and the right policies in place, many of the methods attackers use to deliver malware to your network can be cut off: such as by limiting access to certain applications for certain groups of users with an appropriate Identity and Access Management policy and tool, for example.
Finally, to further reduce your attack surface, it is recommended to block file types with a higher probability of being malicious and to prevent users from connecting non-compliant endpoints to critical network resources.
Detect Your Cyber Threats
Once you’ve reduced your attack surface, it’s time to focus on preventing known risks across your IT infrastructure. Traditionally, vulnerabilities have been identified through a process known as vulnerability scanning, which can target the areas of your IT ecosystem that are exposed to the internet or not restricted to internal users and systems (External Vulnerability Scans), or an internal corporate network (Internal Vulnerability Scans). Alternatively, Environmental Scans are based on the environment that your technology operates in (such as cloud, IoT devices, websites, and more).
But some challenges can arise when conducting vulnerability scans. For starters, a scan only represents a moment in time – it is a ‘snapshot’ of your system, which in turn is continually changing. Furthermore, a scan may need human input or further integrations to deliver real value. Although the scanning process itself may be easily automated, a security expert may still need to review and validate the results, complete remediation, and follow-up to ensure that risks have been mitigated. This represents a significant human administrative burden, particularly for those without a security team.
Finally, a scan only identifies known vulnerabilities, so it is only as good as its database of known faults and signatures. Unfortunately, new vulnerabilities emerge all the time, so your tool needs to be continually updated.
Control Vulnerabilities and Harden Configuration
A more efficient and cost-effective way to identify and remediate vulnerabilities is by executing on-demand Automated Penetration Testing to identify key attack vectors and security flaws faster and continually, before attackers find them.
That’s why Evolve’s location-agnostic penetration testing capabilities allow multiple attack vectors to be tested in the cloud and across your organization’s security zones. This provides a greater depth and coverage compared to vulnerability scanning, including organization reconnaissance, man-in-the-middle-attacks, automated exploitation, privilege escalation, and lateral movement.
Evolve also makes sure to include new vulnerabilities and attacks into its database as soon as they are released to enable faster risk identification and security compliance throughout the year. What’s more: once vulnerabilities have been identified and assessed, Evolve can automatically fix them. Alternatively, the organization can find its own prefered remediation path, such as manually patching, closing risk ports, fixing misconfigurations, and changing default passwords, for example.
Control Human Vulnerabilities
But in the quest towards a comprehensive security strategy, not only machines need attention. Targeting humans rather than technical vulnerabilities remains a tried-and-true attack method, and the means for social engineering are many – from phishing to scam pages, from identity theft to fraud. What they all have in common is simple: cybercriminals are counting on users to take the bait. So it is paramount that organizations teach employees how to identify and respond to potential security risks with security awareness training.
Aim to foster a culture of learning within your organization, where cybersecurity is not a topic reserved for the IT team. Educating your workforce may be one of the most important things you do to mitigate risks, and there is an abundance of content out there that can help support your awareness initiatives, whatever they may look like – from simulating email threats to empower users to spot potential impersonation attacks, to analyzing user behavior so you can assess your security risks with detailed metrics and use that information to tailor your training approach to particular employees or teams, keeping security top of mind for them with engaging and relevant awareness material.
Improve Endpoint Security
But of course, we are all only human, so it is also wise to employ automated solutions to secure your endpoints (namely, end-user devices such as desktops, laptops, and mobile devices) to further secure and simplify your business security management.
Endpoint security software protects these points of entry from risky activity (be them malicious attacks or human errors), and help companies to maintain a greater control over the growing number and type of access points to their network.
Furthermore, consider partnering with a security specialist to streamline your access to expert advice if issues arise. Evolve Endpoint Detection and Response (EDR) combines the ease of continuous monitoring and collection of endpoint data with rules-based automated response and analysis capabilities. It also offers unlimited EDR agents to provide fast visibility into malicious activity mapped to the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) framework. This framework represents adversary tactics used in advanced persistent threats against enterprise networks. While corporate email inboxes remain a valuable target for cyber criminals, ransomware operators are also finding new avenues into enterprise networks and your defensive tools must be able to keep them in check.
Protecting Yourself from a Ransomware Incident
An important step in planning your protection strategy is to assume that some malware will infiltrate your organization at some point – so you can plan the practical steps needed to limit the impact this would cause, and speed up your response.
With this in mind, a defense-in-depth approach is recommended, since it uses layers of defense with several mitigations at each layer to give you more opportunities to detect malware and stop it before it causes real harm to your organization.
One important thing to remember about ransomware is that it tends to be a lateral-movement attack. That is, the deployed malware breaks into a system and from there into another, moving laterally across the organization until it hits a critical system – or until it is stopped. The good news is that all of these events can be monitored and controlled with the right tools in place. Evolve’s security monitoring solution automates threat detection and response, alerting the organization that an attacker is in its environment.
Once an attacker deploys the ransomware, it will make DNS requests (a demand for information sent from a user’s computer to a Domain Name System), and the Evolve DNS Sinkhole automatically detects that too. Evolve then blocks these requests and identifies where this is happening within the network. After identifying the particular machines where ransomware has been deployed, Evolve analyses them within minutes to contain the ransomware in the most effective way within minutes.
Evolve remotely orchestrates scalable Digital Forensic and Incident Response (DFIR) environments in any location, whether it is on-premise or in the cloud. When a security breach occurs, evidence is automatically collected and analyzed for a deep technical investigation to quickly identify Indicators of Compromise (IOCs) on the target systems. In other words: as soon as suspicious activity is identified, Evolve Automated Incident Response launches procedures to ensure that the incident is contained, minimizing impacts to your organization and reducing the cost of security breaches.
Incident Response Policy
In the event of a security breach, having an incident response plan in place is paramount. It ensures that you’ll be prepared with the right personnel and procedures to effectively deal with a threat, and helps to structure an investigation to provide a targeted response to contain and remediate that threat.
Under the pressure of an incident, the last thing you need is panic and confusion around who can make the best decisions to bring the situation back under control. A cyber security incident can be a very daunting situation, and responding to it in an orchestrated manner boosts your likelihood of limiting the damage it can cause to your brand’s assets and reputation
To effectively deal with a cyber security incident, your company will need a team that specializes in incident response – usually known as the Computer Security Incident Response Team (CSIRT). Its mission is to enact the company’s incident response plan no matter what happens.
A CSIRT team is made up of multiple teams and individuals with various experiences, both technical and non-technical, who need to work well together to understand the scope of the incident, how it can be mitigated, how it can be remediated, and how it should be communicated inside and outside the organization. You might already have the right people in place for this – and if not, they will need to be upskilled or hired, since each role is key in turning an incident from a potential disaster into a victory
Define Roles and Responsibilities
When stakes get high and the pressure intensifies, CSIRT team members need to be clear on what their role and responsibilities are, so they can follow the approved incident response plan appropriately and know who to turn to in order to collaborate efficiently. These roles may include Digital Forensics experts, Malware Analysts, Incident Managers, and SOC Analysts, and they will all need to make key decisions under high pressure to conduct in-depth investigations, provide feedback to key stakeholders, and help senior management understand what the situation is – hopefully, reassuring them that things are under control when CEOs and board members look to the CSIRT for answers and guidance on how disaster can be averted.
Each team within the CSIRT may have its own specialized role to play when dealing with an incident. The Security Operations Centres (SOC), for example, are usually considered the first line of defense of a business, operating 24 hours a day, 7 days a week, to triage every security alert, gather evidence, and determine appropriate action when an incident is detected. Working in shifts, these analysts have a broad understanding of cyber threats, and have access to various security platforms and automated tools such as EDR solutions (Endpoint Detection and Response). These tools can alert analysts of potential malicious activities, so they can interpret the data and decide if an incident is deemed high priority or falls outside the SOC’s skill set and should be escalated to the Incident Management team.
The Incident Manager, in turn, pulls key stakeholders together to discuss the best plan of action. Provided with evidence, advice, and opinions, they are tasked with identifying what actions need to be taken and when amidst an emergency.
Other teams that may be part of your incident response plan include Computer Incident Response (CIRT), experts who provide technical advice and analysis, and Threat Intelligence scouts who assess the cyber threat landscape, scouring all corners of the web in search for evidence that can help to understand the malware family and where the stolen data is being sold, for example.
Create a Communication Plan
On top of the internal pressures to mitigate incidents, CSIRT teams work under tight deadlines from external agents, too. Data breach notification laws are becoming more common, with GDPR for instance requiring that companies report data security incidents within 72 hours of the discovery of the ransomware.
To communicate clearly, ownership of sending out communications, assigning tasks, and conducting appropriate actions should be established as part of any incident response plan. Consider who needs to be included in any incident communications, internally and externally, and how much detail is required for each audience. For example, tasks assigned to security teams should be precise and technical, whereas updates to the board should be more concise, clear, and free of technical jargon.
Test Your Incident Response Plan
With a plan in place, it is wise to test your playbooks and procedures on the people and teams who will be using them. Triaging an incident can help the SOC team to provide clear guidance and instructions on how to prioritize an incident and determine when it should be escalated. Meanwhile, using tabletop exercises to emulate higher-level and focused attacks, such as phishing, can help to solidify the appropriate response across all teams and shed light on what needs to be improved.
Review and Understand Policies
Once a threat is fully remediated, be it in a testing exercise or in real life, you should aim to stop it from happening again. A Post Incident Review (PIR) meeting should be arranged to bring together representatives from all teams involved in the incident. This is the place to discuss all that went well during the incident, and all that needs to be improved. Based on the outcome of this meeting, your incident response plan can be refined, and playbooks and procedures amended, to reflect any agreed changes and lessons learned.
Responding to a Ransomware Incident
It comes as no surprise that responding to ransomware is a complex matter. So here is a simple framework to help you build your specific company plan around:
You can only know if you’ve successfully removed a security threat once you know its size and scope. So begin with a ‘patient zero’ search of the initial compromised device to understand the root cause of the compromise and consider whether the threat could have spread laterally from there. Gather all IOCs that can be used to search across your assets for further evidence of compromise.
Once the scope of an incident has been successfully identified, the containment process can begin: it isolates compromised devices from the rest of the network to avoid the spread of an attack. Short-term containment may be used to isolate a device which is being targeted by attack traffic. But long-term containment may be needed when a deep-dive analysis is called for. As the name suggests, this can be time consuming and may generate further IOCs, in which case the previous phase may need to be revisited.
Once contained, the eradication of the threat can begin – a process which will look differently depending on what caused a device to be compromised in the first place. Eradication consists of finding the best possible remediation to the problem, which may include anything from patching devices and disarming malware, to disabling compromised accounts.
The recovery phase of an incident is focused on restoring normal service to the affected business. This may include the use of backups, if available, or rebuilding compromised devices to ensure a clean recovery. Disasters can come in many shapes, be them natural or human-induced, and companies must consider having a disaster recovery plan in place designed to restore the functionality of the business if they are ever in a situation where they simply cannot function. Disaster recovery plans should outline the steps required to bring a business back on its feet, one step at a time, following a difficult time.
When the dust settles, it is time to take stock and prepare for the next encounter. Tighten up your incident response plan taking into account your learnings. Constantly reviewing and refining your incident response processes ensures that your security posture is continually growing stronger – and, ultimately, that you are less likely to suffer incidents again.
While the world is entering a new era of ransomware, it’s likely that these kinds of attacks will increasingly aim at extorting confidential information by targeting fewer organizations and recovering larger sums of money, instead of large-scale campaigns that target your average, every day users. But that’s not to say that ransomware is only a threat if you’re a large company. Ransomware actors are opportunistic and will continue to deploy advanced techniques for infiltrating networks and encrypting data well into the future for all sizes of organizations.
One of the biggest takeaways from all this is that companies big and small need to do more than just back up their data. They need a comprehensive approach to their security, one that includes regular scanning, patching, software updates, and cyber security awareness training.
Some attackers gain a foothold in the system of a company only to laterally move throughout its network unnoticed until full control has been achieved, and conduct reconnaissance in order to strike at a moment that causes optimal damage to demand a ransom when the victim is at its most vulnerable. This means that ransomware attackers are sharpening their toolset and companies need to respond in kind. The good news? Doing so is certainly possible.
Remember to always keep software updated on all devices to prevent ransomware from exploiting vulnerabilities. Additionally, focus your defense strategy on detecting lateral movements and data exfiltration to the internet, paying special attention to the outgoing traffic in order to detect cyber criminals’ connections.
And beyond backing up your data regularly, use solutions such as Evolve to automate time-intensive security activities and identify and stop attackers before they compromise your organization and reach their goals. Finally, always educate your employees to protect your corporate environment by offering dedicated training courses and promoting an environment where cyber security questions and conversations are encouraged.