Can Security Awareness Training Really Work Against Phishers?
When it comes to phishing attacks, healthcare organizations are a prime target. According to Mimecast’s Email Security Risk Assessment, 1 in 350 emails in the healthcare industry is an impersonation, with 1 in 3,741 carrying malware.
A big reason: The healthcare industry presents more opportunities for human error than other fields.
“Healthcare is one of the few remaining industries where a human element is deeply involved in the transmission of data,” says Michael Madon, senior vice president and general manager of security awareness and threat intelligence products at Mimecast.
Finance and retail companies also handle sensitive data, Madon says, but it isn’t touched as frequently by human hands. And beyond their own employees, healthcare organizations often work with outside vendors, creating even more routes for possible attack.
“If you think about a large healthcare system that has 100,000 employees, that’s 16,000 points of entry for an attacker,” says Dr. William J. Gordon, medical director of the Health Innovation Platform at Partners HealthCare and attending physician at Brigham and Women’s Hospital.
With so many vulnerable endpoints and end users — not to mention the growing number and sophistication of phishing attacks — healthcare organizations must turn to security awareness training for employees to bolster their defenses.
But the question remains: Can it work effectively?
Phishing Simulations Help Decrease Successful Attacks
Unannounced scenarios that mimic a real-life attack allow organizations to gauge how well staffers recognize the threat.
A recent study co-authored by Gordon and published in the Journal of the American Medical Association examined 2.9 million simulated phishing emails sent to employees at six hospitals over the course of seven years.
Among 95 simulated phishing campaigns analyzed in the study, the overall median click-through rate for those six healthcare systems was 16.7 percent. One hospital’s median click-through rate, at 30.7 percent, was the highest.
Organizations that ran a higher number of simulated phishing campaigns were less likely to fall victim to phishers, the study found. Top performers had staged phishing simulations more than 10 times.
The lowest median click-through rate for a hospital cited in the study was 7.4 percent — but even that rate is too high, says Gordon.
“Your success rate doesn’t really need to be that high in order to see some kind of effect,” he says. “An attacker only needs one person to give them their credentials to do damage.”
How to Improve Phishing Awareness Training
High click-through rates and more advanced phishing attacks could make many in the healthcare industry skeptical of the effectiveness of security awareness training.
Still, Madon believes the reason that some training doesn’t work is because organizations have approached a psychological problem with a technical solution.
“That isn’t really effective,” Madon says. “Yes, there is a technical component, but the answer is to fight a psychological attack with a psychological approach. To me, that’ll transform the way people think about security.”
To that end, training solutions should address why security is important for employees’ safety and job success rather than compliance.
“The main power is not in widgets and cool technology,” says Madon, “but in how someone thinks about security. That’s the way you change their behavior.”
Madon also believes that security awareness training shouldn’t be boring or feel like an obligation that employees try to avoid. It’s one reason why Mimecast has hired comedians for its awareness training.
“This approach to security training addresses people where they are, and it’s being done in a humorous way that captures the imagination,” he says, “turning it from something they have to do to something they’re committed to doing.”