IT Directors: if you find yourself blaming users who fall for phishing attacks, you already know your security is NOT working.
Training users, specifically to recognize phishing attempts, is a best practice and an important tool in your toolbox as an IT Director. It does improve your hospital's cybersecurity posture, at the very least by getting some of your staff informed enough not to click on suspicious attachments or links.
But I've been hearing anecdotal tales recently from IT staff at a variety of hospitals about investing in security training ahead of better automated security infrastructure. When I did a little research on the different training options, they all had great marketing and were quite convincing that the job of protection should be shifted more and more onto the end user.
While I don’t dispute that user training is a great way to instill cybersecurity into your hospital’s culture (I actually advocate for programs that reinforce and reward staff for recognizing problems and alerting others to those problems), there are a whole bunch of other security tools needed to ensure your users have as much protection as they can get. Training is only one piece of the puzzle.
Can they really spot the fake?
Training on identifying the key aspects of a phish is very effective. I'm sure everyone will agree with you pushing for better training. And alerting users is definitely another great layer of protection that complements actual training events. But everyone should recognize cybersecurity training for what it is: a tool, not a solution or a strategy.
In a recent survey of IT departments, more than half (54%) identified themselves as proficient in recognizing some of the most popular phishing scams. The problem with relying on phishing recognition as the major piece of your cybersecurity? These scams keep changing, and many of them are getting better.
Let me be honest with you—I see examples of phishing emails and spoofed sites all the time. And while many of them fail because they look more like the Nigerian Prince scams, I’m frequently struck by very subtle and high quality imitations that do a very good job at looking real. These deceptive emails are often the ones that get through to users.
It just takes one. Just one user needs to fall for the scam to shut down your hospital's network. One very spot-on phishing email with an attachment or link masking a virus is ripe and fertile ground for cybercriminals to completely shut down your hospital.
40 percent. Beyond how deceptive some phishing campaigns are, 40 percent of users will click on virtually anything. Even if you train them, it doesn't seem like anything gets through or motivates them to change ingrained behaviors. And even though many of them count every click in other aspects of their jobs, they don't mind clicking on links or email attachments. Training likely won't stop them from clicking on the links you want them to avoid.
My security team tests users with phishing emails, and even in those cases where we insert flagrant warning signs into the emails, like "we are phishing you," or misspell every other word in the email, they click.
But what can you do as an IT Director?
Blame the victims?
Blaming your users might work for some folks, but in our experience it creates even more tension between users and your IT team and could make it harder for you to fully support your hospital network. And don't get me wrong, I recognize that often your Achilles heel, or weak link, lies in questionable activities done by users.
The problem with relying on protection that starts with people is that users have a ton of other things on their plates and want to do anything that makes their lives easier. They are the ones counting clicks. They are the ones who hate the strict and stringent processes within healthcare IT. Our challenge as healthcare IT workers should probably be about removing the opportunity for users to become victims, rather than blaming them.
Security is the weakest link
In my opinion, if someone is blaming their users for cyberattacks, deep down they also know that their security is not working. Thinking about how users work—especially their day to day behaviors—should help inform what types of security your hospital really needs to stay protected against ransomware.
Should security really start with your users? I agree that users need to be able to understand security from their roles and should have a context to apply security to make their behaviors safer. But relying on them to secure your network might be too much to expect from them.
Technology working for you, in the form of layered security that not only detects and blocks suspicious email but also prevents users from engaging in suspect behaviors on your network, can help a great deal in keeping you secure.
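To make "layered security" concrete, here is an added example (not code from the original post or from any vendor it mentions) of two automated layers that work regardless of whether the user would have spotted the phish. Layer 1 scores an inbound message on a few common indicators (lookalike sender domain, display-name impersonation, mismatched Reply-To, dangerous attachment types, link text that shows one host while the href points at another) and quarantines it above a threshold. Layer 2 rewrites the links in messages that are delivered so that a click is routed through a click-time checker rather than straight to the destination. The hospital domain, the click-checker URL, the threshold, and both sample messages are constructed for illustration.

```python
"""Added example: a two-layer inbound mail control (constructed, not a product's code)."""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from os.path import splitext
from urllib.parse import quote, urlparse

TRUSTED_DOMAINS = {"example-hospital.org"}  # assumed: the hospital's own mail domain
DANGEROUS_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".docm", ".xlsm"}
QUARANTINE_THRESHOLD = 3  # assumed tuning value
CLICK_CHECKER = "https://linkcheck.example-hospital.org/check?url="  # assumed service

ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HREF_RE = re.compile(r'href="(https?://[^"]+)"', re.I)


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot lookalike sender domains (examp1e vs example)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def score_message(msg: Message) -> tuple[int, list[str]]:
    """Layer 1: add up phishing indicators. Returns (score, reasons)."""
    score, reasons = 0, []
    display, addr = parseaddr(msg.get("From", ""))
    domain = sender_domain(addr)
    if domain and domain not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            if levenshtein(domain, trusted) <= 2:  # one or two characters off
                score += 2
                reasons.append(f"lookalike sender domain {domain}")
            org = trusted.split(".")[0].replace("-", " ")  # "example hospital"
            if org in display.lower():
                score += 2
                reasons.append("display name impersonates trusted org")
    reply_to = sender_domain(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_to and reply_to != domain:
        score += 1
        reasons.append("Reply-To domain differs from sender")
    for part in msg.walk():
        name = part.get_filename()
        if name and splitext(name)[1].lower() in DANGEROUS_EXTENSIONS:
            score += 3
            reasons.append(f"dangerous attachment {name}")
        if part.get_content_type() == "text/html":
            html = part.get_payload(decode=True).decode("utf-8", "replace")
            for href, text in ANCHOR_RE.findall(html):
                shown = urlparse(text.strip()).hostname
                if shown and shown != urlparse(href).hostname:
                    score += 2
                    reasons.append(f"link text shows {shown} but href goes elsewhere")
    return score, reasons


def rewrite_links(html: str) -> str:
    """Layer 2: route every http(s) link through the click-time checker."""
    return HREF_RE.sub(lambda m: f'href="{CLICK_CHECKER}{quote(m.group(1), safe="")}"', html)


def classify(raw: str) -> tuple[str, list[str]]:
    """Quarantine or deliver a raw RFC 5322 message based on its score."""
    score, reasons = score_message(message_from_string(raw))
    return ("quarantine" if score >= QUARANTINE_THRESHOLD else "deliver"), reasons


# Constructed sample: lookalike domain, impersonating display name, foreign
# Reply-To, a link whose text and target disagree, and an .exe attachment.
PHISH_RAW = (
    'From: "Example Hospital IT" <helpdesk@examp1e-hospital.org>\n'
    'Reply-To: collect@mailer-example.net\n'
    'To: nurse@example-hospital.org\n'
    'Subject: Password expires today\n'
    'MIME-Version: 1.0\n'
    'Content-Type: multipart/mixed; boundary="b1"\n\n'
    '--b1\nContent-Type: text/html\n\n'
    '<p>Reset now: <a href="http://198.51.100.7/reset">'
    'https://portal.example-hospital.org/reset</a></p>\n'
    '--b1\nContent-Type: application/octet-stream; name="invoice.pdf.exe"\n'
    'Content-Disposition: attachment; filename="invoice.pdf.exe"\n'
    'Content-Transfer-Encoding: base64\n\nTVqQAA==\n--b1--\n'
)

# Constructed sample: an ordinary internal notice.
LEGIT_RAW = (
    'From: "Example Hospital IT" <helpdesk@example-hospital.org>\n'
    'To: nurse@example-hospital.org\n'
    'Subject: Maintenance window Saturday\n'
    'Content-Type: text/plain\n\n'
    'The portal will be offline 02:00-04:00. No action is needed.\n'
)

if __name__ == "__main__":
    for label, raw in (("phish", PHISH_RAW), ("legit", LEGIT_RAW)):
        verdict, why = classify(raw)
        print(label, verdict, why)
    print(rewrite_links('<a href="http://198.51.100.7/reset">reset</a>'))
```

The point of the design is that the user's judgement never enters the control path: the lookalike domain and the .exe attachment are caught before delivery, and for messages that are delivered, the link rewrite gives the click-time checker a chance to block a destination that was clean at delivery time but went bad later. Each indicator is deliberately cheap, so the scoring can sit in front of a mail gateway without adding noticeable latency.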
Concerned about your cybersecurity but not sure how to keep your hospital secure?
Consider a FREE ransomware vulnerability assessment.