The battle against cybercrime remains a significant concern for organizations across all industries, but the threat to the health care industry is possibly the most serious. Financial losses can be devastating for any organization; when the potential for loss of life is at stake, the whole game changes. Healthcare professionals should not have to be cybersecurity experts, but given the times we live in, all of us will need some knowledge in this area, both to protect ourselves personally and to protect our organizations.
Cybercriminals send an estimated 6.4 billion fake emails around the world every day, and even the best e-mail filters will miss some of the phishing emails that target your organization. Unfortunately, these same phishing emails are by far some of the most effective ways that cybercriminals get into organizations.
Due to the amount of personal information gathered and the time-sensitive nature of treatments, the health care industry is one of the most targeted. To make things worse, a recent study showed that when it comes to interacting with simulated phishing messages, the healthcare industry has the highest average initial click rate. This global study, which reviewed the activity related to over 54.1 million simulated phishing emails sent to organizations across 19 industries, revealed that untrained personnel in the healthcare sector clicked on 45.4% of the initial simulated phishing messages that were sent.
While these raw numbers alone are scary, it’s important to understand that a majority of ransomware attacks begin with a phishing email. The technical hacking or vulnerability exploitation usually occurs only after initial network access is gained through phishing. This often involves sending malicious attachments, tricking people into giving up their passwords, or a combination of these attack vectors. The damage doesn’t stop with stolen data or encrypted files; regulatory fines and reputational damage are also significant concerns after an attack.
While the initial click rate within the healthcare sector is concerning, it is not surprising, as healthcare professionals are often working quickly and under a significant workload. The good news is that the threat can be mitigated quickly and with minimal effort on the part of both employees and the organization. The same study shows that within 90 days of beginning to educate employees in the healthcare industry, the click rate had already dropped to around 19%, and at the end of a year it was down to 5.1% on average. This 88.8% reduction in clicks is a significant demonstration of how well employees respond to education when it is done properly.
These numbers are important; however, to see these sorts of results, we must throw away the old idea of training someone once per year and expecting it to remain effective until the next cycle. Instead, providing short training, perhaps 5 minutes per month or 15 minutes per quarter, can keep people from falling into a lull and forgetting to be vigilant. Short trainings can be very effective, especially if they are entertaining and explain how the education is relevant to people in their personal lives. A quick reminder that scammers are going after them at home as well as in the office can help hold their attention and improve retention of the content, even in the shortest of training sessions.
Another part of the education that is very important but often forgotten is the continued use of simulated phishing emails. These simulated phishing emails should not be designed to trick users, but rather to reinforce the education they received in the training and provide some hands-on practice. Skills must be learned not only academically but also through practical exercises and repetition. Like the training, these simulated phishing emails should be sent at a regular cadence, preferably at least once per month for the best results. Failures will occur, and these should be handled privately, with a focus on positive reinforcement when people spot and report phishing attacks, whether real or simulated.
Training on phishing is critical, but other topics should be included in the education as well. Credential hygiene is one of the more critical skills, yet often the most overlooked. The importance of strong and, most importantly, unique passwords should be taught, and tools such as password vaults, which help generate and store secure, unique passwords, should be considered. Unfortunately, password reuse is a very effective vulnerability for bad actors to exploit and has resulted in countless data breaches and network intrusions over the years. The deployment of multi-factor authentication (MFA) should also be considered on any accounts that support it, although MFA is not a fix for reusing passwords; passwords should still be unique.
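To make the credential-hygiene point concrete, here is a small added example (not code from the article or from KnowBe4) of the two things a password vault does for a user: audit a set of stored credentials for reuse across accounts, and replace any reused password with one generated from the operating system's cryptographic random source. The vault contents, account names and passwords below are constructed for illustration; the audit deliberately reports only account names, never the shared password itself.

```python
import secrets
import string
from collections import defaultdict

# Character set for generated passwords: letters, digits and a few symbols.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_"


def generate_password(length: int = 20) -> str:
    """Generate a random password using the OS CSPRNG via the secrets module."""
    if length < 12:
        raise ValueError("use at least 12 characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def find_reused_passwords(accounts: dict[str, str]) -> list[list[str]]:
    """Return groups of account names that share the same password.

    `accounts` maps an account label (e.g. 'ehr-portal') to its password.
    Only the account names are returned, so a printed report never echoes
    the shared password.
    """
    by_password: dict[str, list[str]] = defaultdict(list)
    for account, password in accounts.items():
        by_password[password].append(account)
    return sorted(sorted(names) for names in by_password.values() if len(names) > 1)


def rotate_reused(accounts: dict[str, str], length: int = 20) -> dict[str, str]:
    """Return a copy of `accounts` where every reused password is replaced
    with a fresh, unique, randomly generated one; unique passwords are kept."""
    reused = {name for group in find_reused_passwords(accounts) for name in group}
    return {
        name: generate_password(length) if name in reused else password
        for name, password in accounts.items()
    }


# Constructed sample vault export (hypothetical accounts, not real data).
# Three accounts, including a personal one, share a single weak password.
SAMPLE_VAULT = {
    "ehr-portal": "Winter2024!",
    "payroll": "Winter2024!",
    "personal-email": "Winter2024!",
    "vpn": "kL9#vQ2x!mP4sR7w",
}

if __name__ == "__main__":
    for group in find_reused_passwords(SAMPLE_VAULT):
        print("password shared across accounts:", ", ".join(group))
    rotated = rotate_reused(SAMPLE_VAULT)
    print("accounts still sharing a password after rotation:",
          find_reused_passwords(rotated))
```

Running the script reports that `ehr-portal`, `payroll` and `personal-email` share one password, then shows an empty list after rotation. A breach of the personal account would otherwise hand an attacker working credentials for the clinical and payroll systems, which is exactly the reuse risk the paragraph above describes.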
Considering the high initial click rates on phishing emails in the healthcare industry, coupled with the threat of ransomware and financial losses, it should be very clear that email phishing and the overall human risk factor cannot be ignored. Modern security awareness training is efficient, entertaining and very effective at changing human behavior for the better, with a low financial investment and many automated tasks that make managing training and simulated phishing campaigns very easy.
If you are not already addressing the human risk factor in your organization, it is something you cannot ignore any longer.
About the Author
Erich Kron is a Security Awareness Advocate at KnowBe4. He is a veteran information security professional with over 25 years’ experience in the medical, aerospace manufacturing and defense fields, author, and regular contributor to cybersecurity industry publications. He is the former security manager for the US Army’s 2nd Regional Cyber Center-Western Hemisphere and holds CISSP, CISSP-ISSAP, SACP and many other certifications.
Erich can be reached at [email protected] and at www.knowbe4.com.