The PCI SSC advises organisations to train staff to react and respond to ransomware attacks. This is in line with Requirement 12.6 of the Payment Card Industry Data Security Standard (PCI DSS), which states that organisations must “implement a formal security awareness programme to make all personnel aware of the cardholder data security policy and procedures.”
The PCI SSC guide recommends that organisations develop a plan “that educates your employees on the best ways to avoid these types of attacks and how to handle an attack if one does occur”.
Given the connection between ransomware and phishing – with a report from last year claiming that ransomware is delivered in 97% of phishing emails – the PCI SSC advises organisations to make sure their staff know what to do if they suspect they have received a phishing email.
“[Staff] should understand that it’s okay to delete [an] email if it looks suspicious,” the guide says. “Emails can look like they come from anyone in the company. If there are any questions, always contact that person to confirm [that it’s genuine] before clicking on a link or opening a file.”