Issue link: https://insights.oneneck.com/i/1476867
DEFENDING AGAINST CYBER EXTORTION

Cyber extortion is listed as one of the top worries by cybersecurity professionals throughout the world, with good reason. Ransomware gangs have attacked tens of thousands of organizations from small to very large, and have brought down hospitals, pipelines, police stations and even entire ports.

At the heart of cyber extortion is the basic idea that if you take something unique and precious from someone, they will pay to have it back. If you discover someone's secret, they will pay you to keep it secret. If you consume all their bandwidth so they cannot conduct business, they will pay you to stop. The microcosmic market of one seller and one desperate buyer, with almost zero risk for the criminal, drives extortion prices and immense profits.

Because of its rise in sophistication and volume, organizations are asked by their cyber insurers, regulators and shareholders to step up their defenses against this threat. As with other cybersecurity goals, this is not achieved by deploying a shiny "anti-ransomware" tool, but rather through a defense in depth model with multiple layers of control.

The top initial exploit causes that allow cyber extortionists to compromise devices and environments are (in order of popularity): Social Engineering/Phishing, Unpatched Software, Abuse of Microsoft Remote Desktop Protocol (RDP) and Authentication Attacks.

Building a security culture, or in other words, strengthening your human defense layer by making your people aware of how to detect and prevent the initial compromises listed above, is a crucial element in your defense in depth model. This document outlines an awareness program with the objective of strengthening your organization's human layer of defense as a key control in the fight against cyber extortion attacks.

BEHAVIOR DESIGN IN SECURITY AWARENESS

Traditional awareness efforts are based on the belief (or hope) that information leads to action. Although awareness is an important first step, its limitation is that "awareness" itself does not automatically result in secure behavior. The goal therefore should be finding effective "behavioral interventions" to bridge the gap between awareness, intention and behavior.

Let's look at the problem through the lens of behavior design. BJ Fogg is a social scientist and adjunct professor at Stanford University and is referred to as the father of behavior design. BJ Fogg's behavior design model neatly outlines that behavior happens when three things come together at the same time: Motivation, Ability and a Prompt.