Boards & CEOs Ransomware Series #6: What About Employee Training and Incident Response?
My recently published book, titled “Leadership in the Age of AI: A Handbook of Daily Cybersecurity Leadership Nuggets” is available for purchase (with a 30% discount):
Paperback (Amazon): https://www.amazon.com/Leadership-Age-AI-Cybersecurity-Transform/dp/B0DZ2PGP7Q
E-book (Gumroad): https://sivanathans.gumroad.com/l/cybersecurityleadership
Hello folks,
Let’s talk about the human side of ransomware defense.
Because it doesn’t matter how many security tools you have in place—if just one employee clicks on the wrong link, the whole system can come crashing down.
And unfortunately, this happens more often than we’d like to admit.
Take the City of Riviera Beach in Florida as an example. In 2019, a city employee clicked on a malicious attachment in an email. That single action triggered a ransomware attack that shut down city operations—everything from emails to emergency services. The city council ended up approving a ransom payment of $600k just to get their systems back online. One click, more than half a million dollars gone.
So here's the real question every board and CEO should be asking: Are our employees trained to defend us—or are they unknowingly opening the door to an attack?
Your Employees: Weak Link or First Line of Defense?
Ransomware isn’t just about firewalls and endpoint protection. It’s about awareness, behavior, and speed of response. Your people are either your last line of defense—or the path of least resistance.
That’s why employee training should be seen as the cybersecurity equivalent of an airbag in a car. You hope you never need it, but when things crash, it could save you from total disaster.
A well-trained workforce can detect phishing emails, respond appropriately to suspicious activity, and act quickly in the first moments of an incident. These “first five minutes” often determine whether you contain the threat—or let it spread like wildfire.
Training Needs to Be Ongoing and Realistic
The first step is making sure your employees are actually equipped to recognize common attack methods. Phishing emails, suspicious attachments, fake login pages—these are the tools ransomware actors use every day. And they’re good at making them look legitimate.
But awareness alone isn’t enough. Employees also need practice.
That’s where phishing simulations come in. It’s not about catching people off guard to embarrass them—it’s about creating a safe environment to learn and improve. These simulations help identify who needs extra coaching, track overall awareness levels, and highlight where your company might be vulnerable.
If the failure rate in simulations stays high, it’s a signal that your current training approach isn’t working—and that’s something the board should take seriously.
Reporting and Response: When in Doubt, Speak Up
Even with great training, people will still make mistakes. That’s life. What matters most is what happens next.
If an employee clicks something suspicious, do they know what to do? Do they report it? Is there a clear, fast escalation path to the IT or cybersecurity team? Or do they freeze, panic, and try to fix it themselves?
Too often, employees aren’t told what to do when they’ve triggered something sketchy. Some ignore it. Others delay reporting out of fear. A few might even try to solve it on their own—accidentally making things worse.
Your organization must have a defined, well-communicated process for reporting potential incidents. Whether it’s a hotline, an internal portal, or a simple email address—make it easy for employees to raise the alarm quickly.
When the Crash Happens: Are People Ready to Act?
Let’s be real—no matter how much you train, someone, someday, will make a mistake. The question then becomes: do you contain the damage quickly, or does the attack spiral out of control?
Do employees know how to isolate their machines if something goes wrong? Do they know not to turn off the system, or try to “Google” a fix? Are there automated protections in place that detect and quarantine affected endpoints?
The earlier your people act, the better your odds of containing the ransomware before it spreads.
Key Takeaway: Training Isn’t Optional, It’s Critical
Ransomware defense is a team sport—and your employees are on the frontlines.
As a board member or CEO, you must ensure that:
Employees are trained regularly and realistically.
Simulations are run and failure rates are tracked.
There’s a clear, no-blame culture of reporting incidents fast.
Everyone knows what to do if something goes wrong.
Because in the end, your strongest firewall might just be a well-trained, quick-thinking employee.
That’s all for this week!
Cheers,
Sivanathan