Healthcare IT News published an industry article on Wednesday, September 30th, titled "Phishing threats cause sleepless nights for security pros." According to the article, Jennifer Horowitz, Senior Director of Research for HIMSS (Healthcare Information and Management Systems Society), came away from the society's recent survey of healthcare organizations with a clear finding: phishing attacks rank number one among the cyber security concerns of those tasked with keeping organizational and patient data safe.
To Joe Caruso, founder and CEO/CTO of Global Digital Forensics (GDF), a premier national provider of cyber security solutions headquartered in New York City, one of the most troubling things the survey exposed is that fewer than a quarter of respondents said their organizations had tried to improve their readiness with mock phishing exercises.
“Not doing everything humanly possible to get everyone in an organization in tune with the realities and consequences of falling prey to social engineering attacks, like phishing and spear phishing, is a recipe for disaster,” warns Caruso. “And since the most eye-opening way to drill the security message home and raise awareness enterprise-wide is to have the staff experience it firsthand, never even bothering with a simulated training attack is pure lunacy, especially for healthcare organizations that are charged with securing data like PHI (Protected Health Information) and other PII (Personally Identifiable Information), which is among the most sought-after by cyber criminals.”
Phishing: Preferred by cyber criminals across the globe
“It’s no accident that once most major data breaches are traced back to their origin, a phishing or spear phishing email turns out to be at the root of the breach. Hackers know organizations have been steadily beefing up their technology measures to thwart attackers, but no matter how strong or high the wall, how wide the moat, how advanced the detection system, if they can get just one individual in the organization to take the bait of a well-crafted phishing email, they can have the keys to the castle, and a trusted persona to boot, to just stroll right in through the front gate. Once inside, trying to distinguish an attacker from a trusted insider becomes a nightmare for IT security,” says Caruso, “a nightmare that obviously keeps most of them up at night more than any other threat.”
Combating the threat revolves around testing, awareness and response
“The social engineering aspect of cyber intrusions, which is where spear phishing would fall, is something we focus on heavily when we are called in to do cyber threat assessments and comprehensive penetration testing for clients, and we’ve done it numerous times for healthcare organizations. The scale and scope of the tradecraft we will employ is discussed and agreed upon in advance, and then we go to work. Nothing we do will be destructive, but it will definitely be enlightening. We’ll do the same things real-world attackers would do. We’ll use publicly available information and anything else we can get our hands on, online, by telephone, or even in person, and craft a phishing campaign with the personal touches that help attackers make them so hard to spot these days. We’ll do everything from creating full-blown dummy websites, to spoofing an individual or department within the organization itself. And so far, we’ve never failed to get a foot in the door,” says Caruso. “When we divulge our findings in our detailed report, it’s got a shock-and-awe factor that really sinks in deep. It has the powerful, double-barreled effect of exposing weak links in the organization’s cyber security posture, as well as serving as an excellent springboard to raise internal cyber-threat awareness significantly. From there we’ll tailor a remediation plan with the client. If the client chooses, we can even hold awareness seminars to get the entire organization on the same page, from what to look for and how to spot these types of threats, to what to do if a malicious threat is found. And of course we can also satisfy any cyber emergency incident response needs a client may have with our team of experienced cyber responders, strategically positioned across the country and on emergency call 24/7, just in case anyone does take the phishing bait and hands the keys to the castle over to the real bad guys.”
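Caruso describes the two tells that make these campaigns work: a sender spoofing an internal individual or department, and a dummy website hiding behind a trustworthy-looking link. The script below is an added example (not GDF's tooling and not from the article) of the defender-side check a security team or a mock-phishing reviewer can run over a message to surface those tells. It assumes a hypothetical organization domain (`example-health.org`) and uses two constructed sample messages embedded inline: one impersonating the HR department with a typosquatted sender domain, a third-party Reply-To and a link whose visible text differs from its target, and one legitimate notice for comparison. It uses only the Python standard library.

```python
import re
import email
from email.utils import parseaddr
from urllib.parse import urlparse

# Hypothetical target organisation domain (assumption, not from the article).
ORG_DOMAIN = "example-health.org"

# Constructed sample: a spear-phishing message that impersonates the HR department.
# The display name carries the real domain, the sender domain swaps "l" for "1",
# replies are routed to a third-party host, and the link text hides a dummy site.
SAMPLE_EML = b"""From: "HR Department - hr@example-health.org" <hr@examp1e-health.org>
Reply-To: hr-benefits@mailer-notify.example
To: staff@example-health.org
Subject: Action required: open enrollment ends today
Content-Type: text/html; charset=utf-8

<html><body><p>Please confirm your benefits selection at
<a href="http://example-health.org.benefits-portal.example/login">https://example-health.org/benefits</a>
before 5pm today.</p></body></html>
"""

# Constructed sample: a legitimate internal notice, for comparison.
CLEAN_EML = b"""From: "HR Department" <hr@example-health.org>
To: staff@example-health.org
Subject: Open enrollment reminder
Content-Type: text/html; charset=utf-8

<html><body><p>See <a href="https://benefits.example-health.org/">https://benefits.example-health.org/</a></p></body></html>
"""

LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URL_HOST_RE = re.compile(r"https?://([^/\s<]+)", re.I)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch single-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_domain(candidate: str, org: str) -> bool:
    """True if candidate imitates org without being org or one of its subdomains."""
    if not candidate or candidate == org or candidate.endswith("." + org):
        return False
    # Real domain used as a leading label of an attacker-controlled domain.
    if candidate.startswith(org + ".") or ("." + org + ".") in candidate:
        return True
    return edit_distance(candidate, org) <= 2


def domain_of(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def analyze(raw: bytes, org: str = ORG_DOMAIN) -> list[str]:
    """Return human-readable findings for the spoofing tells in one message."""
    msg = email.message_from_bytes(raw)
    findings = []

    name, addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(addr)
    if org in name.lower() and from_domain != org:
        findings.append(f"display name claims {org} but sender is {from_domain}")
    if lookalike_domain(from_domain, org):
        findings.append(f"sender domain {from_domain} is a lookalike of {org}")

    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and domain_of(reply) != from_domain:
        findings.append(f"Reply-To domain {domain_of(reply)} differs from From domain {from_domain}")

    # Collect HTML/plain bodies (handles both single-part and multipart messages).
    body = ""
    for part in msg.walk():
        if part.get_content_type() in ("text/html", "text/plain"):
            payload = part.get_payload(decode=True) or b""
            body += payload.decode("utf-8", "replace")

    for href, text in LINK_RE.findall(body):
        href_host = (urlparse(href).hostname or "").lower()
        m = URL_HOST_RE.search(text)
        text_host = m.group(1).lower() if m else ""
        if text_host and text_host != href_host:
            findings.append(f"link text shows {text_host} but points to {href_host}")
        elif lookalike_domain(href_host, org):
            findings.append(f"link host {href_host} is a lookalike of {org}")
    return findings


if __name__ == "__main__":
    for label, eml in (("spoofed", SAMPLE_EML), ("clean", CLEAN_EML)):
        print(label, analyze(eml) or ["no spoofing tells found"])
```

Run against the spoofed sample it reports four tells (display-name spoof, lookalike sender domain, divergent Reply-To, link text pointing elsewhere) and nothing for the clean notice. The checks are header and body heuristics only; they complement, not replace, SPF/DKIM/DMARC enforcement on the mail gateway, and the edit-distance threshold of 2 is a starting point that should be tuned against the organization's real sender population to keep false positives manageable.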
*Global Digital Forensics is a recognized industry leader in the fields of computer forensics, cyber security and emergency incident response, with years of experience assisting clients in the healthcare, banking, education and corporate arenas. For a free consultation with a Global Digital Forensics specialist, call 1-800-868-8189 about tailoring a cost-effective plan which will meet your unique needs, without wasting resources on solutions you simply don’t need. Emergency responders are also standing by 24/7 to handle intrusion and data breach emergencies whenever and wherever they arise. Time is critical if a cyber incident has occurred, so don’t hesitate to get help. For more information, visit our cyber security page.