Why anti-phishing training isn’t enough

by Kapua Iao

Quite simply, when an organization needs proper cybersecurity, anti-phishing training isn’t enough on its own.

This may come as a surprise to organizations that depend on employee awareness training to stop data breaches. But rather than trust a single method, organizations should rely on a layered approach to cybersecurity, especially those, such as HIPAA covered entities, that perform critical functions.

Let’s explore this issue by first examining anti-phishing training before recommending some cybersecurity best practices.

What is anti-phishing training?

Anti-phishing training is part of a more general cybersecurity training that gives employees the knowledge to be aware of possible cyber threats. The idea is for organizations to train employees to mitigate risks themselves.

Email is the most utilized threat vector (or entry point) into any system. Anti-phishing training teaches employees how to recognize and block attacks that arrive through phishing emails.

Phishing emails use social engineering techniques to take advantage of tired or unaware staff. Unfortunately, human error is unavoidable, and it is a major cause of data breaches today. Recent research from Stanford University found that about 88% of data breaches are caused by employees making mistakes.

This is especially true during the COVID-19 pandemic, which has encouraged the growth of a new, remote workforce.

Unfortunately, training is not standardized, consistent, or always followed up. And even if training were adequate, that does not mean organizations should rely on their employees as the front line of defense to catch every phishing email they receive.

A case study: Colonial Pipeline

The most recent (and most alarming) case of a phishing-related attack, which included ransomware, was the attack on Colonial Pipeline. According to the FBI, a group called DarkSide is responsible for the attack, which caused widespread disruption throughout the U.S.

The incident occurred on May 6 when DarkSide stole and encrypted data, locking the company’s system and demanding a ransom.

Colonial Pipeline proactively closed down its network and then paid nearly $5 million to unlock its system and restore operations.

This ransomware event demonstrates the vulnerability of our infrastructure and the ease with which such cyberattacks can occur, especially as such cyber threats become more sophisticated.

And while the details of how DarkSide entered the company's systems are not public, research indicates the entry point was brute force, a phishing email, or a VPN vulnerability (CVE-2021-20016). Other known DarkSide ransomware attacks, however, have started with employees clicking on malicious email links.

HIPAA, healthcare, and training

Just like Colonial Pipeline and similar organizations, healthcare providers must defend themselves against cyberattacks.

This is because safeguarding patients and PHI is obligatory under HIPAA. And like all organizations, covered entities and business associates cannot rely on staff members to catch every malicious email they receive.

While the HIPAA Security Rule states that training is mandatory, it also establishes the need for comprehensive security standards that go beyond awareness training.

A layered security approach should include training as well as:

  • Access controls (e.g., who has access and password policies)
  • Technical safeguards (e.g., encryption and antivirus software)
  • Separate backups
  • Patched and up-to-date devices
  • VPNs and/or firewalls

And most importantly, email security.

Paubox and the need for strong email security

Again, a layered approach to cybersecurity is the only way to truly safeguard an organization—ideally one that utilizes a zero-trust security framework for email.

The idea is that no email sender should be trusted automatically. Human error is taken out of the equation by shifting the responsibility for catching threats away from employees: malicious emails are blocked before they ever reach the inbox.

This is where Paubox can help. Paubox Email Suite Plus enables HIPAA compliant email by default while also blocking incoming phishing messages and other email threats.

It requires no change in user behavior. With our HITRUST CSF certified solution, all outbound emails are encrypted and sent directly from an existing email platform (such as Microsoft 365 or Google Workspace).

Moreover, our solution comes with our patented ExecProtect feature, built to block display name spoofing emails, a common tactic used in email phishing, from reaching the inbox in the first place.
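As an added illustration of the display name spoofing tactic described above (sample code written for this article, not Paubox's ExecProtect implementation): a minimal inbound check that flags a From: header whose display name impersonates a known internal sender while the actual address is external. The organization domain, the internal directory and the sample headers are all constructed placeholders.

```python
# Added example, not Paubox's ExecProtect code: flag display name spoofing,
# where the From: display name impersonates a known internal sender but the
# real address belongs to an outside domain. All names/domains are constructed.
import re
from email.utils import parseaddr

ORG_DOMAIN = "example-clinic.test"        # assumed organization domain

# Assumed internal directory, keyed by normalized display name
DIRECTORY = {
    "jane doe": "jane.doe@example-clinic.test",
    "dr alan smith": "asmith@example-clinic.test",
}

def _normalize(name: str) -> str:
    """Lower-case, drop punctuation and collapse whitespace for comparison."""
    return " ".join(re.sub(r"[^\w\s]", " ", name).lower().split())

def is_display_name_spoof(from_header: str) -> bool:
    """True when the display name impersonates an internal sender (or an
    internal address) but the envelope address is not on the org domain."""
    display, addr = parseaddr(from_header)
    addr = addr.lower()
    if not addr:
        return False
    domain = addr.rsplit("@", 1)[-1]
    if domain == ORG_DOMAIN:
        return False   # internal address; SPF/DKIM/DMARC checks apply elsewhere
    # Trick 1: the display name is itself an internal-looking email address
    if "@" + ORG_DOMAIN in display.lower():
        return True
    # Trick 2: the display name matches a person in the internal directory
    return _normalize(display) in DIRECTORY

def triage(from_headers):
    """Return the From: headers that should be blocked before delivery."""
    return [h for h in from_headers if is_display_name_spoof(h)]

# Constructed sample From: headers; only the middle three should be blocked.
SAMPLE_FROM = [
    '"Jane Doe" <jane.doe@example-clinic.test>',            # genuine internal
    '"Jane Doe" <jdoe.ceo@webmail-free.test>',              # name spoof
    '"Dr. Alan Smith" <alan@mail-relay.test>',              # name spoof
    '"jane.doe@example-clinic.test" <x@attacker.test>',     # address as name
    'Newsletter <news@vendor.test>',                        # ordinary external
]

if __name__ == "__main__":
    for header in triage(SAMPLE_FROM):
        print("BLOCK:", header)
```

A production gateway would pair this with sender authentication (SPF, DKIM, DMARC) and a lookalike-domain check, since the directory match alone only catches impersonation of names it already knows.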

Organizations are only as strong as their weakest link. So, help employees before they become responsible for a disaster like Colonial Pipeline. Protect your organization today, starting with strong email security.

Try Paubox Email Suite Plus for FREE today.