As we continue our Cybersecurity Awareness Month journey, an initiative led by the Cybersecurity and Infrastructure Security Agency (CISA) and the National Cybersecurity Alliance (NCSA), we reflect on the theme of week two: spotting and fighting phishing attempts. Phishing is frequently the initial access vector for ransomware and other malware, so cybersecurity teams should train staff members to recognize and report these attempts.
What Organizations Should Know About Fighting Phishing
The Human Element of a Cyberattack
Humans are often the weakest link in the cybersecurity chain, with curiosity or inattention taking the place of vigilance and caution in the face of an ever-increasing number of phishing (email), vishing (voice calls), smishing (text messages), and pharming (fraudulent websites) attacks. The dramatic increase in overall attacks so far this year compared to 2020 serves as a stark reminder that organizations must proactively monitor both their IT networks and their personnel.
Furthermore, this shows that many healthcare organizations still struggle to execute basic security fundamentals, such as remediating known gaps, which leaves them exposed. In terms of sheer numbers, phishing, vishing, smishing, and pharming account for 30% of all attacks, double the number reported in 2019.
Emerging Types of Threats
This wave of vishing attacks was first reported in December 2019 and has proliferated in number, type and complexity since then. The latest threat combines vishing with pharming: attackers call workers and coerce them into logging into a fraudulent website so criminals can capture usernames and passwords.
Other vishing threats include a large-scale credential-harvesting campaign that collects logins for use in later attacks, and the exploitation of legacy voicemail technology to ensnare remote healthcare workers.
Attackers are also leveraging workplace collaboration tools such as Slack, Discord and Microsoft Teams that exploded in popularity when the pandemic sent office workers home. Because collaboration platforms are a trusted part of the IT network, a compromised account or integration can bypass perimeter security protections to deliver malware, or abuse legitimate application programming interfaces (APIs) to establish command-and-control channels and exfiltrate data from target networks.
Organizations should also be on the lookout for fake social media pages, as Johns Hopkins found out recently. A Facebook page purportedly from the health system was created in November 2020, with four of the 10 initial posts aimed at employee recruitment. Despite the recent page creation and questionable spelling, including misspelling the health system’s name, several people responded to the page, which was traced to a cryptocurrency exchange website in Nigeria.
Third Party Risk
Although technology upgrades, proactive maintenance and constant monitoring of IT infrastructure can help keep healthcare providers safe from cyberattacks, employee security awareness training is just as crucial to continually reinforce company policies and keep the organization aware of the threat landscape. This training and awareness must extend past your own organization and into the third party organizations on which healthcare providers rely. Forty-three percent of breaches reported in the first half of 2021 involved a Business Associate, compared to 33% in the first half of 2020. No matter how well educated your employee base is on security and the associated threats, it is all for naught if you rely on a third party organization that does not adhere to security fundamentals, including an effective security awareness training program for its users.
Fight the Phish!
Reduce your chances of falling victim to phishing attacks now with Fortified Health Security. Our semi-annual Horizon Report showcases our commitment to improving security within the healthcare sector. To learn more, read the complete 2021 Mid-Year Horizon Report here.