The Employee Risk Factor: Underestimated Danger of Ransomware Attacks

Ransomware attacks: Read here how IT systems can be protected against the employee risk factor?

Oct 21, 2021 - 5 min.

Are you familiar with the fantasy film “Pan’s Labyrinth”? In the film, a young girl must pass several tests. In one trial, a monster is seated at a table richly laden with delicacies. The girl is forbidden to touch the sumptuous food. In the end, however, her curiosity and appetite prevail: She takes a couple of grapes – and the monster awakens...


A careless click can cause catastrophic chain reactions

In real life, the story often plays out the same way for companies, agencies and institutions around the world: For example, an employee receives a mysterious email and thinks it is from their bank or a close acquaintance. They succumb to the temptation to click on the unidentified attachment... and thus infect the entire company network with the malware hiding inside.

The consequences can be devastating – such as when ransomware smuggled into the company network encrypts critical data. The next step for the cybercriminals is typically to blackmail management: The sensitive data will remain encrypted until a heavy ransom is paid. And even if payment is made, there is no guarantee this will happen.

When ransomware brings half the world to a halt

In 2019, the aluminium company Norsk Hydro was the victim of a cyberattack involving a ransom Trojan. This resulted in shutdowns at several locations. A cyberattack against the American IT services provider Kaseya, supposedly carried out by the hacker group REVil operating in Russia, made headlines in July 2021. The insidious thing about this attack: IT systems providers across the world use Kaseya software for IT management with their partners and customers. This enabled the criminals to use Kaseya to infect up to a further 1,500 companies worldwide. This case involved a so-called supply chain attack, since it affected widespread segments of the company’s supply chain. Victims included the Swedish supermarket chain Coop, whose checkout systems stopped working. Schools, kindergartens, hospitals and many other institutions also suffered from the attack. The extortionists demanded the sum of $70 million in Bitcoin to unlock the affected systems.

Attacks like this one primarily target large corporations and institutions. However, they naturally threaten all the smaller partners and suppliers across the entire supply chain as well. This means there’s no reason to sit back and relax.

A serious threat of cyber-attacks across all industries

In their study “Patient: Hospital” (Mai 2021), the cybersecurity experts at Kaspersky surveyed healthcare decision-makers in Germany, Austria and Switzerland concerning the cyber threat situation in the healthcare ecosystem. During the COVID-19 pandemic, 72% of the German companies in this sector were affected by at least one cyberattack. Furthermore, 58.7% of participants in Germany and 61.4% across German-speaking Europe assessed the malware threat level for their organisations as high. In Germany, attacks were primarily carried out by means of:

  • Spear phishing (43.5%):
    In contrast to phishing, spear phishing attacks target specific individuals – for example, when criminals use personal information to pose as persons known by the victim.
  • Spyware (31.5%):
    Software that sends user data back to its source without the user’s knowledge.
  • Malware (27.8%):
    Any kind of malicious software that is damaging to the user – such as viruses, adware or Trojans that spread using links, email attachments, SMSs or even USB sticks.
  • Ransomware (25%):
    Trojans are used for the encryption of sensitive data and the extortion of large sums of money.
  • DDoS attacks (22.2%):
    “Distributed denial of services” refers to a technique whereby servers can be overloaded – such as by means of targeted attacks – to the point that they can no longer be called by internet users.
  • DNS hijacking:
    A company’s network traffic is redirected to a server controlled by the cyberattacker. This kind of attack makes it possible to smuggle malware to the target unnoticed, such as through the email service of the affected company.

Employees underestimate the threat of cybercrime 

From firewalls to endpoint security and detection & response models to access control, modern organisations invest considerable funds in protecting their IT infrastructure against cyberattacks. And they have a lot to lose – be it the slipping of sensitive customer, patient or company data into the wrong hands or the associated financial and reputational losses. Despite all the technological countermeasures in the world, one risk factor remains that can open the doors wide open to cybercriminals: humans.

Measures such as two-factor authentication or multifactor authentication for logins to sensitive IT networks make life significantly more difficult for unauthorised intruders. Nevertheless, if an employee clicks on an infected email attachment or enters confidential login data on a fake website, malware or ransomware can still manage to paralyse entire IT systems.

Lack of awareness as a risk factor

In their “State-of-the-Phish Report 2021”, the cybersecurity specialists at proofpoint reveal that employee risk awareness still remains lagging across the globe: Only 61% of the employees surveyed understood the term “phishing”. Merely 31% were aware of what ransomware is capable of. According to Kaspersky, 45% of employees do not know how they should react when affected by a cyberattack themselves. Many did not know that the infected device should first be disconnected from the internet and the company network to prevent the malware from spreading further.

Improving threat awareness

The technical security measures against cyber criminality may be top-performance: All the same, the human being on their PC or smartphone will still keep falling into the traps set by online criminals. This makes it all the more important to improve sensitivity about interacting with IT systems in order to minimise the risk of an attack.

Six measures you can use to make your staff more “cybersecure”

Here we assume that your company keeps its firewalls, virus scanners, spam filters etc., up-to-date and only uses trustworthy licensed software. You also regularly back up all your important data. This means you are secure, technically speaking. But not quite secure enough. 


The first weak link in your system: are easy passwords and their careless use of them. These offer cybercriminals a gateway into your system, enabling roughly 30% of attacks. 


IT departments often operate “in their own world” that other employees only come into contact with when a PC or network access point isn’t working. Training can better integrate other areas into the world of IT and sharpen awareness of the problem of cyber threats.

Establish IT rules and regulations:

In addition to behavioural regulations for machine safety or workplace, health and fire protection, your organisation should also set up fundamental IT guidelines:

    • “What do I have to do when I think that a file or email attachment could contain malware” -> inform the designated IT representative
    • “What do I have to do when I think that my device might be infected by malware?” -> turn off the device, disconnect it from the network, turn of the Wi-Fi router, inform the designated representative
    • Sufficient password security, including two-factor or multifactor authentication wherever possible
    • Restricted granting of access rights
    • Definition of responsibilities for the installation of software and updates
    • Systematic data backup

Practical training

that improves awareness of the responsible use of emails & the web etc. Employees need to understand how malware works, how it is distributed and how devastating the effects of a cyberattack can be. People need to learn NOT to click on an email attachment in cases of doubt and first to seek expert guidance. This training can occur, for example, in the context of spontaneous practice sessions involving simulated cyberattacks.

Designated representative for IT questions:

When faced with doubts or irregular network activities, employees need to be able to turn to a qualified person who can recommend further action or initiate the necessary measures in case of a cyberattack.

Keep an eye on employee behaviour:

Keep tabs on your employees’ online competence and internet use to assess, for example, who might have trouble recognizing dubious email subjects or attachments or who occasionally likes to visit potentially dangerous websites. 


Cybercrime: How to Protect Your Business