Malicious phishing emails have become “the weapon of choice for a wide range of cyber-attacks, … used by everyone from state-sponsored cyber espionage groups to mass-mailing ransomware gangs.” Awareness is critical! 
Phishing & Social Engineering
Phishing and other email-delivered attacks have grown rapidly over the last few years, in part because email “doesn’t rely on vulnerabilities, but instead uses simple deception to lure victims into opening attachments, following links, or disclosing their credentials.” Furthermore, “targeted spear-phishing campaigns, especially in the form of Business Email Compromise (BEC) scams, rather than the mass-mailing phishing campaigns of old, are now favored by attackers.”
As we’ve discussed before on the blog, healthcare providers are three times more likely to fall for a phishing email than the average.
The FBI estimates that over 7,400 businesses are targeted daily by spear-phishing and BEC emails, resulting in losses over $3 billion. Of the targeted organizations, most are small-to-medium businesses of under 500 employees. The costs of phishing attacks come primarily from malware infection, compromised accounts, and loss of data.
Although technical security controls are important to combat phishing and social engineering attempts, regular and ongoing end-user training remains the most important and effective protection against these attacks. Poor user security awareness and training is one of our most common top findings when we conduct a security risk analysis or risk assessment.
The Importance of Security Awareness Training
An organization’s personnel are both its greatest vulnerability and its most important line of defense against data breaches, malware, and other information security incidents. Regular training for staff is an important part of preventing PHI-handling errors and reducing computer vulnerabilities. All providers and staff should understand their responsibilities under the HIPAA Privacy, Security, and Breach Notification rules, including practical examples of inappropriate behaviors and possible corrective actions. They should also be familiar with safe computer practices: safe web browsing, responsible email use, recognizing phishing and social engineering, password security, and responding to malware attacks. We recommend HIPAA and computer security trainings be conducted annually at minimum, with quarterly refresher training and discussions.
Eagle Security Awareness Program
We are excited to offer a new service for our clients: Eagle’s Security Awareness Program. Through a partnership with industry-leader KnowBe4, we can implement a comprehensive security awareness program for clients which includes assessments of human vulnerabilities to phishing and social engineering plus delivery of extensive online security awareness training.
Through this program, our clients can manage the ongoing problem of social engineering and human vulnerabilities in their practices and organizations. Make effective employee training a key component of your risk management!