Phishing "Bait" Helps Practice Catch Cybercriminals

One email changed our company's approach to cybersecurity.

That email came from an alert vendor who contacted us after becoming suspicious about an item in her inbox that looked like it was sent by one of our top managers. The manager's name was correct - but her email address was not.

As we investigated, we discovered a cybercriminal had assumed our manager's online "identity" in an attempt to get the vendor to open an attachment in the email that could have led to a ransomware demand. Fortunately, the vendor did not open that email so her computer was not damaged, nor was our system.

The incident became a real wake-up call for us. We always suspected there were sharks circling beneath us, waiting to attack, but the water was too murky to see them. When we saw that hackers were actively trying to invade our network and realized just how easily they could do so, the water got a lot clearer.

According to the Ponemon Institute's 2017 study of healthcare data breaches, it costs $380 per record when cybercriminals steal patients' personal health information - which is more than 2.5 times the global average across industries. And Ponemon also reports that these data breaches exact a $6.2 billion toll on the U.S. healthcare industry.

To hackers, our medical practice - Arthritis & Rheumatism Associates, P.C. -appears to be a rich target for cyberattacks. We have over 150 employees who support 18 physicians in five offices in Washington D.C. and the Maryland suburbs. And all of us engage in digital communications in one form or another. To thwart hackers, we decided to focus on the human side of cybersecurity through employee training.

Setting the bait

As part of our strategy to shore up the human element of our cyber-defenses, we adopted several policies, such as requiring employees to avoid mentioning patients' names in emails or texts unless they are encrypted. We also shared weekly tips to keep them abreast of evolving cybersecurity threats.

After the email "phishing" incident with our vendor, we set up an internal, simulated phishing scam - an exercise that is particularly effective in raising employee awareness of the threats we face and their ability to prevent data breaches or ransomware attacks.  Similar to our recent phishing scam by hackers, this simulated scam would involve sending emails that appear to be legitimate, but are not. Prior to the simulated exercise, staff members received messages from our management team alerting them to be careful about opening any emails and attachments that might come from unknown sources or long dormant contacts, as well as those with unusual wording, misspellings or anything else that might seem "off."

A short time later, our IT services provider sent out a "bait" email to everyone in the organization unannounced. It appeared to be from IT support for a major software company and looked very "official." While the majority of staff members did not take the "bait," about 15 percent failed the test.

Rather than publicly admonishing employees who opened the bogus emails, we sent individual letters to simply inform them of their errors. At the same time, however, we required that they turn their mistakes into a learning opportunity by completing an online cybersecurity training program.

In the letter, we also reiterated key tips for screening emails, such as checking to make sure the sender's name and email address look correct and noticing whether the subject line or body of a message contains strange wording or lacks an explanation of a link or attachment. Most importantly, we reminded staffers that no one should open any email or click on links/attachments if there is any doubt about the authenticity of the message.

Shoring up policies

In addition to simulated phishing expeditions to reinforce lessons learned, we also boost awareness by continually reminding employees of existing cybersecurity policies. For instance, employees get reminders to limit personal internet use to their own personal devices and to use their own internet service provider rather than the company's Wi-Fi.  Simple misspellings of keywords in a search engine while doing online shopping can take them to malicious sites that can infect our company's network and potentially bring the entire system down.

Similarly, employees receive notices about protecting laptops and other mobile devices from theft and to protect the privacy of work emails when accessing them off-site. In addition, before any employee is terminated, access to both company computers and online accounts with our vendors is completely shut off.

The price of recovering from ransomware attacks or losing patient data to unscrupulous hackers is too costly to ignore. Whereas, the investment in training employees pays off every time they prevent cybercriminals from luring unsuspecting victims into their phishing nets.

Daniel Tucker is the CEO of the Arthritis & Rheumatism Associates, P.C.