by Kapua Iao
Why anti-phishing training isn’t enough
Quite simply, when an organization needs proper cybersecurity, anti-phishing training isn’t enough on its own.
This may come as a surprise to some organizations that depend on employee awareness training to stop data breaches. But rather than trust a single method, organizations should instead rely on a layered approach to cybersecurity, especially those that perform critical functions, such as covered entities.
Let’s explore this issue by first examining anti-phishing training before recommending some cybersecurity best practices.
What is anti-phishing training?
Anti-phishing training is a part of a more general cybersecurity training that provides employees with cybersecurity knowledge so that they can be aware of possible cyber threats. The idea is for organizations to train employees to mitigate risks themselves.
Phishing emails use social engineering techniques to take advantage of tired or unaware staff. But unfortunately, human error is unavoidable. It is a major cause of data breaches today. Recent research from Stanford University found that about 88% of data breaches are caused by employees making mistakes.
This is especially so during the COVID-19 pandemic, which has encouraged the growth of a new, remote workforce.
Unfortunately, training is not standardized, consistent, or always followed up. And even if training were adequate, that does not mean organizations should rely on their employees as the front line of defense to catch every phishing email they receive.
A case study: Colonial Pipeline
The most recent (and most alarming) case of a phishing attack (which included ransomware) happened against Colonial Pipeline. According to the FBI, a group called DarkSide is responsible for the attack, which caused much chaos throughout the U.S.
The incident occurred on May 6 when DarkSide stole and encrypted data, locking the company’s system and demanding a ransom.
Colonial Pipeline proactively closed down its network and then paid nearly $5 million to unlock its system and restore operations.
This ransomware event demonstrates the vulnerability of our infrastructure and the ease with which such cyberattacks can occur, especially as such cyber threats become more sophisticated.
And while we lack the details as to how DarkSide entered the company’s systems, research indicates it was through brute force, a phishing email, or a VPN vulnerability (CVE-2021-20016). However, other known DarkSide ransomware attacks have occurred through employees clicking on malicious email links.
HIPAA, healthcare, and training
Just like Colonial Pipeline and similar organizations, healthcare providers must defend themselves against cyberattacks.
This is because safeguarding patients and PHI is obligatory under HIPAA. And like all organizations, covered entities and business associates cannot rely on staff members to catch every malicious email they receive.
A layered security approach should include training as well as:
- Access controls (e.g., who has access and password policies)
- Technical safeguards (e.g., encryption and antivirus software)
- Separate backups
- Patched and up-to-date devices
- VPNs and/or firewalls
And most importantly, email security.
Paubox and the need for strong email security
Again, a layered approach to cybersecurity is the only way to truly safeguard an organization—ideally one that utilizes a zero-trust security framework for email.
The idea is that no email sender should automatically be trusted. Blocking malicious emails before they reach the inbox takes the responsibility for catching threats away from employees, which avoids human error.
It requires no change in user behavior. With our HITRUST CSF certified solution, all outbound emails are encrypted and sent directly from an existing email platform (such as Microsoft 365 or Google Workspace).
Organizations are only as strong as their weakest link. So, help employees before they become responsible for a disaster like Colonial Pipeline. Protect your organization today, starting with strong email security.