When it comes to cybersecurity attacks, the most common concern for many leaders is the level of sophistication involved — and the growing challenge in trying to stay one step ahead. In reality, however, the majority of hackers aren’t focused on the most complicated way to harvest credentials, but rather, the simplest way.
“They’ve learned that it’s much easier to log in than it is to hack a system,” said Dennis Leber, PhD, Interim CISO at UConn Health, during a recent panel discussion. Through carefully constructed emails with requests to update information or accept payments, bad actors can lure users into clicking on links and entering their username and password. “It might say, ‘You’re going to lose documents if you don’t update,’” he noted. “It’s purposeful, and it tricks people.”
It’s a scenario that healthcare leaders have come to know all too well. According to a report from the Identity Theft Resource Center, US healthcare organizations were hit with 344 breaches in 2022, and are targeted far more often than other industries. And more often than not, it’s through phishing scams.
“Everyone’s looking for credentials,” said Ryan Witt (Managing Director of Healthcare, Proofpoint), who also served on the panel, along with Chris Akeroyd (CIO, Children’s Health). “Once they gain access into the network, they can engage in all sorts of nefarious activities. Access is king.” Where the sophistication comes into play is in finding “individuals who have a higher propensity to click — not because they’re doing anything wrong, but because of the nature of their job.”
One of the most vulnerable areas, not surprisingly, is supply chain, where workers are often asked to download files to verify purchase orders and invoices. As a result, it’s become an easy mark for bad actors, who are constantly tweaking their language to make requests look legitimate. “It’s getting harder and harder to ascertain whether something looks suspicious,” Witt noted.
Teaching Tools
That’s where education and training come in, said Akeroyd, who believes it’s a key pillar in any cybersecurity strategy. “The biggest threat is our users. That’s where it all begins.” At Children’s Health, his team is constantly pushing out documents, communications, and training materials to spread awareness. “We do a substantial amount of it, and we try to keep it fresh by sending out programmatic phishing tests and continuing to increase the complexity.”
Inevitably, some of those tests will stymie users. But instead of taking punitive measures, leaders can turn them into effective teaching tools by publishing the offending emails on ‘Phishing Bowl’ websites where others can view them. By seeing what the emails look like, staff can get a better idea of what to look for, said Leber.
Another method is educating users on how to scrutinize emails that don’t adhere to typical standards. For example, language that’s either not allowed or must be included in all your email correspondence, Leber said. “You need to know what are your policies that dictate the formatting, sending, and receiving of emails. These are red flags. If the type of language you expect to find in emails isn’t there, that’s an indicator that it isn’t from who it’s supposed to be from.”
Making sure users know what to look for is a critical aspect of security preparedness and response training, he noted.
VAP Lists
While it is vital that all users are educated and kept aware, the fact is that some are more sought-after than others. “Not every employee is created equally in bad actors’ eyes. There are definitely people who are more desirable,” said Witt, including IS and IT system administrators who may have access to patient credentials. “You need to find out where attackers are attacking, and layer in your defenses accordingly.”
Some organizations, in fact, utilize VAP (Very Attacked Person) lists to identify individuals who are most often targeted and determine next steps, according to Akeroyd. “It’s our responsibility to make them one aware of it. And then on the cybersecurity side, we need to increase our digital monitoring and become more proactive if we see something that isn’t right.”
A “Team Sport”
The ‘we’, of course, goes beyond those in IT and IS, and must include leaders from across the organization, said Akeroyd. “This is a team sport. The risk isn’t owned by IS or IT.”
In fact, both he and Leber advocate involving not just compliance and privacy in discussions, but also human resources and marketing. “How does HR support this? How do you measure that? People listen to marketing more than cybersecurity,” said Leber. Therefore, leaning on marketing to “get the message out,” rather than relying on annual cybersecurity awareness, can be more effective.
Akeroyd concurred, adding, “Marketing is important. They help us package things in a way that our users are used to consuming them — same look, same feel, same channels.”
By integrating awareness training into the workflow, and doing it in formats to which users have been accustomed, leaders can remove the burden from frontline workers, which in turn can boost adoption, according to Leber. “We may want to send emails, but maybe everyone else uses Slack. And so, we ingest that into the normal flow that people are used to, rather than adding something else. You can have a lot of success when you start looking at it that way.”
Back to the Mission
When it comes to the board and executive team, however, a different tactic should be taken, according to Witt. And it starts by making a strong case for why education and training are so important. “To me, CISOs or IT executives who can communicate the risk by linking it to the health system’s mission, which is often oriented around patient care or safety, seem to be the most impactful in convincing the board to make the necessary changes, whether investing in technology or improving processes,” he said. “That language resonates with the board.”
And while that may not have been part of the CISO job description in the past, it needs to be going forward, particularly as cybersecurity threats become more pervasive. “CISOs are becoming a more critical strategic partner in how we pull the entire organization together in a common understanding of risk,” said Akeroyd.
Leber agreed, adding that a key facet of the CISO role is in being able to “direct the security program while communicating the risk and making sure the message is being filtered to those who need to hear it.”
To view the archive of this webinar — Creating a Culture of Cybersecurity to Thwart Sophisticated Phishing Campaigns (Sponsored by Proofpoint) — please click here.
Share Your Thoughts
You must be logged in to post a comment.