Workers in the transportation sector are among the most vulnerable to phishing emails and the ransomware attack on San Francisco's light rail system over the Thanksgiving weekend showed the impact cybercriminals can have on municipal transportation systems. In the attack that took down computers at the San Francisco Municipal Transportation Agency over the weekend no firewalls were breached — a worker invited the hackers in. It takes just one employee to click on a malicious link or email attachment to infect a computer, which if networked to other machines can quickly spread the virus. Ransomware is on track to be a $1 billion cybercriminal business in 2016, the FBI has said. It was found in 97 percent of phishing emails as of September 2016, according to a report from cybersecurity firm PhishMe.

In a simulated phishing email scenario with the subject line "file from scanner," transportation workers were more likely to open the email and click the link in the email, than workers in any other industry, according to PhishMe's 2016 Phishing Susceptibility and Resiliency report obtained by CNBC ahead of its release next week. In other scenarios that mimic the most common phishing emails used in ransomware attacks, workers in the transportation sector were among the top four most susceptible industry groups, PhishMe found. About 22 percent of transportation workers fell for the test scenario. Education workers had the highest susceptibility at 28 percent, and the average susceptibility across all industries was 17 percent.

The FBI recommends breaking the cybercriminal business model by not paying the ransom, something the San Francisco agency was able to do because its system was backed up. Many organizations, particularly underfunded government agencies and organizations delivering critical services, are not as well-prepared. In one high-profile example, a Hollywood hospitalpaid hackers $17,000 in Bitcoin to get its systems up and running. Nearly 40 percent of ransomware victims globally paid the ransom, according to a survey from Osterman Research published in August. That said, after a number of high-profile examples of hostage taking in the public sector, organizations are getting savvier about backing up files, said PhishMe CEO Rohyt Belani.

"A lot of hospitals were being hit by this because the attackers figured out these are crucial systems," said Belani. "Paying the ransom a pretty simple answer for hospital administrators."

Running frequent backups of all data is one of three steps he recommends. It is also crucial to keep computers up to date with the latest security software. This sounds easier than it is, particularly at large sprawling organizations, said Belani. The most important thing companies can do is train employees to be suspicious of email, and give them the tools to flag anything that seems strange. In most cases, with close scrutiny of the language, it is possible to tell if an email purporting to be from a colleague is in fact a spoofing email, said Belani.

