
DATA: Your Employees May Be More Vulnerable to Phishing Than You Think

New Research from PhishNet by Kaufman Rossin® Shows the Email Bait Employees Take



By Alejandro Mijares and Roberto Valdez

Phishing attacks continue to be some of the most popular methods of cyber attack, representing at least 90% of cyber attacks worldwide. Even organizations with dedicated cyber defense budgets, such as hospitals and healthcare organizations, find themselves challenged by phishing attacks.

Most organizations have valuable information, including account numbers, customer lists, trade secrets, intellectual property, and personal information. Fortunately, Kaufman Rossin’s research indicates there are ways to reduce the vulnerability of your people and your organization to phishing attacks.

Kaufman Rossin gathered data from more than 115 phishing simulations performed for clients in the past two years, which included organizations throughout the United States and Latin America.

PhishNet by Kaufman Rossin® is a security awareness and training service that analyzes threats and risks to an organization and sends customized, fake phishing emails to its employees. Employees who click are instantly redirected to a brief training, and Kaufman Rossin’s cybersecurity professionals analyze the results and recommend solutions to the organization’s management team.

How often are employees clicking on phishing emails?

According to Verizon’s 2018 Data Breach Investigations Report (DBIR), on average 4% of people will click on a phish (i.e., link or attachment in an email) from a typical phishing campaign. The click rates for simulations performed through PhishNet by Kaufman Rossin® are notably higher than the DBIR average, consistent with expectations, as the service involves increasing the difficulty of phishing email scenarios according to an organization’s inherent risks and management’s instructions.

Kaufman Rossin’s research looks at organizations in the financial services, healthcare, professional services and technology sectors. Among these industries, professional services has the highest average click rate at 21%. Financial services is second at 14%, followed closely by healthcare at 13% and technology at 12%.

An effective training and security awareness program continues to be one of the most powerful defense resources available. In fact, 41% of the clients of PhishNet by Kaufman Rossin® saw a decrease in click rates after the first performance of a phishing simulation training and security awareness exercise.

What types of phishing emails do employees click on?

One significant challenge for implementing an effective cybersecurity training program is that cross-disciplinary skills are needed: training and education personnel tend to have the skills needed for delivering the training, but IT personnel tend to understand the threats and weaknesses involved.

Kaufman Rossin’s data suggests that risks may be directly addressed by designing procedures and training against the most effective phishing pretexts and scenarios: human resources (HR) message, voicemail notification, regulatory service or business, and social media notification.

• HR message – The highest click rates are for emails related to human resources messages, such as messages that refer to vacation, pay, or benefits. Not surprisingly, employees tend to get emotional – and sometimes act quickly – when their compensation or benefits are being discussed. To reduce this risk, train employees to recognize these scenarios and design communication channels to be less susceptible (e.g., sharing some information through a company portal instead of email).

• Voicemail notification – Phishing attacks imitating voicemail notifications are also frequently clicked on. When asked why they clicked, participants expressed curiosity about the message or anxiety about missing important information. Training to recognize these types of scenarios presents an opportunity to educate employees about the broader issue of social engineering (i.e., attackers using emotions to manipulate behavior).

• Regulatory service or business – Regulatory agencies, associations and vendors often send notifications to professionals, which could lead to a dangerous habit of clicking on links in emails without hesitation. Train employees not to let their guard down just because a communication appears to come from a trusted association or authority.

• Social media – For employees whose role does not involve access to social media, consider a policy that prohibits the use of devices and work email for social media and other personal use. Also consider enabling web content filtering to enforce the policy. Implementing these changes should make it easier for employees to spot an email using the pretext of a social media notification.
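The article reports three kinds of figure from its simulation data: a click rate per industry sector, a ranking of pretexts by click rate, and the share of clients whose click rate fell after their first simulation. The script below is an added example, not Kaufman Rossin’s or PhishNet’s own code, showing how a security team would compute the same three figures from its own simulation export. The CSV layout, the client names and every count in it are constructed for illustration; the only design choices worth noting are that rates are pooled by recipients rather than averaged per campaign, and that campaigns with very few recipients are excluded from rankings because their rates are too noisy to compare.

```python
"""Aggregate phishing-simulation results into the figures a training program is
judged by: click rate per sector, click rate per pretext, and the share of clients
whose rate fell between their first and second run. Added example with constructed
data; the CSV shape is an assumption, not a real platform's export format."""
import csv
import io
from collections import defaultdict

# Constructed export: one line per campaign. Names and counts are invented.
SAMPLE_CSV = """\
client,sector,campaign,pretext,recipients,clicks
acme-law,professional services,1,hr message,40,12
acme-law,professional services,2,voicemail notification,40,7
bay-bank,financial services,1,regulatory notice,100,15
bay-bank,financial services,2,social media notification,100,9
coast-health,healthcare,1,hr message,80,11
coast-health,healthcare,2,voicemail notification,80,13
delta-tech,technology,1,social media notification,50,6
delta-tech,technology,2,regulatory notice,50,4
"""

MIN_RECIPIENTS = 20  # campaigns smaller than this are too noisy to rank; skip them


def parse_results(text):
    """Parse the CSV export into rows with integer counts, rejecting impossible rows
    (more clicks than recipients, or an empty campaign)."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        recipients = int(row["recipients"])
        clicks = int(row["clicks"])
        if recipients <= 0 or clicks < 0 or clicks > recipients:
            raise ValueError(f"inconsistent counts in row: {row}")
        row["campaign"] = int(row["campaign"])
        row["recipients"] = recipients
        row["clicks"] = clicks
        rows.append(row)
    return rows


def click_rate_by(rows, key, min_recipients=MIN_RECIPIENTS):
    """Pooled click rate (total clicks / total recipients) grouped by one column.

    Pooling by recipients, rather than averaging per-campaign rates, keeps a tiny
    campaign with one unlucky click from dominating the group's figure."""
    clicks = defaultdict(int)
    recipients = defaultdict(int)
    for row in rows:
        if row["recipients"] < min_recipients:
            continue
        clicks[row[key]] += row["clicks"]
        recipients[row[key]] += row["recipients"]
    return {group: clicks[group] / recipients[group] for group in recipients}


def ranked(rates):
    """(group, rate) pairs, highest click rate first."""
    return sorted(rates.items(), key=lambda item: item[1], reverse=True)


def clients_with_lower_second_rate(rows):
    """Clients whose second simulation's click rate is below their first."""
    by_client = defaultdict(dict)
    for row in rows:
        by_client[row["client"]][row["campaign"]] = row["clicks"] / row["recipients"]
    return sorted(
        client for client, runs in by_client.items()
        if 1 in runs and 2 in runs and runs[2] < runs[1]
    )


def share_improved(rows):
    """Fraction of clients that ran both simulations and saw their rate fall."""
    runs_per_client = defaultdict(set)
    for row in rows:
        runs_per_client[row["client"]].add(row["campaign"])
    eligible = [c for c, runs in runs_per_client.items() if {1, 2} <= runs]
    if not eligible:
        return 0.0
    return len(clients_with_lower_second_rate(rows)) / len(eligible)


if __name__ == "__main__":
    results = parse_results(SAMPLE_CSV)
    for key in ("sector", "pretext"):
        print(f"Click rate by {key}:")
        for group, rate in ranked(click_rate_by(results, key)):
            print(f"  {group:28s} {rate:6.1%}")
    print("Clients whose rate fell after the first run:",
          ", ".join(clients_with_lower_second_rate(results)))
    print(f"Share of clients that improved: {share_improved(results):.0%}")
```

Raising `min_recipients` is the check to apply before quoting a per-sector or per-pretext ranking to management: a pretext that was only ever sent to a handful of people will show an extreme rate that says nothing about the pretext itself.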

Going forward

For the foreseeable future, phishing attacks continue to be one of the most popular methods of cyber attacks across industries. Organizations in highly regulated industries and those with sensitive information should be especially concerned about the risk of employees falling victim to phishing, and potentially exposing the organization to significant financial losses and other risks.

A robust cybersecurity awareness and training program can make a significant difference in an organization’s ability to secure its people, resources, and reputation – especially when it includes highly customized phishing testing and training designed with an understanding of the most effective types of attacks and the organization’s unique profile and challenges.

Alejandro Mijares and Roberto Valdez are risk advisory services managers specializing in cybersecurity at Kaufman Rossin, one of the top 100 CPA and advisory firms in the U.S. You can reach Alejandro at amijares@kaufmanrossin.com and Roberto at rvaldez@kaufmanrossin.com.




South Florida Hospital News, November 2018, page 8 – southfloridahospitalnews.com