The following is a guest article by William Crank, Chief Operating Officer at Fortified Health Security
Every day, cyber criminals send out more than six billion phishing emails – and all it takes is one click to make their day. More than half of all ransomware incidents begin with a seemingly innocuous phishing email.
It’s important to remember that human beings still pose the highest security risk in any organization. Employees can’t be patched or reconfigured, only educated.
In a recent study, healthcare had the highest click rate of any vertical in response to simulated phishing emails. Compared to other industries like finance and manufacturing, healthcare workers took the bait an astonishing 45% of the time. That’s because they’re working in a fast-paced, high-stress environment where patient care is paramount, not email hygiene.
That same study also included some encouraging news: the healthcare click rate dropped to just 5% after a year of internal education programs. But some anti-phishing initiatives work better than others. Here are some recommendations:
Conduct Training Monthly in Bite-Sized Chunks
Having employees sit through a three-hour presentation once a year doesn’t bring the click rate down significantly. Anti-phishing education needs to be brief yet regular. A 7- to 10-minute refresher once per month is quite sufficient.
Don’t Limit the Training to Phishing Alone
Healthcare workers need to be briefed on other threats like smishing (phishing over SMS text messages) and vishing (phishing over voice calls). Your system can be infiltrated not just via email but through texts and video links.
Use a Carrot, Not a Stick
Praise for avoiding phishing emails is a much better motivator than a slap on the wrist for clicking. People who do life-saving work don’t want to get scolded for clicking on a phishing email.
Education Needs to be a Top-to-Bottom Initiative
Some anti-phishing efforts exclude senior leadership – and that’s a big mistake. It’s easier than ever for threat actors to target C-suite executives in “whaling” expeditions because these execs can be quickly identified via popular apps like LinkedIn. Executives are no less likely to click on an email than a nurse or doctor, so they need the training, too.
Share Your Results Organization-Wide
If some departments are outperforming others in avoiding phishing bait, it’s good to share that information throughout the organization. This fosters some healthy inter-departmental competition to get the click rates down. I once conducted a simulated phishing attack where one hospital department led the way with a 30% click rate. The department manager contacted me immediately to organize a town hall on how to lower the rate. He also told his staff, “I don’t ever want to be #1 on that list again.”
The purpose of anti-phishing education is not to shame or embarrass employees. It’s to emphasize the importance of taking simple steps to avoid infiltration that can bring an organization to its knees.
The Goal Is Zero, Not 5%
Even when education reduces phishing click rates from 45% to 5%, that’s still not a victory. Cyber criminals are sending nearly 74 million phishing emails per second. All it takes is for one healthcare worker to click one time to put your organization in grave danger.
Most hospital workers don’t have time for a three-hour seminar on phishing safety. But if you limit the training to regular, easily digestible bites, you’ll see phishing click rates plummet.
About William Crank
William Crank is Chief Operating Officer at Fortified Health Security, headquartered in Brentwood, Tennessee.