During NCSAM Kardon signed up for the Terranova Phishing Tournament – much to everyone’s surprise. Great news is we didn’t have anyone click on any phishing test links. What did they learn in the tournament?
Today’s Episode is brought to you by:
Kardon
and
HIPAA for MSPs with Security First IT
Remember to subscribe on your favorite podcasting app, share us on Social Media, and rate us wherever you find the opportunity.
The HIPAA Boot Camp
Virtual Edition Feb 23-25, 2021
More info at TheHIPAABootCamp.com
Great idea! Share Help Me With HIPAA with one person this week!
Thanks to our donors. We appreciate your support!
If you would like to donate to the cause you can do that at HelpMeWithHIPAA.com
Like us and leave a review on our Facebook page: www.Facebook.com/HelpMeWithHIPAA
If you see a couple of numbers on the left side you can click that and go directly to that part of the audio. Get the best of both worlds from the show notes to the audio and back!
HIPAA Say What!?!
[05:55] A Home Security Tech Hacked Into Cameras To Watch People Undressing And Having Sex, Prosecutors Say.
Home Security Camera Hacked by ADT Installer
This is horrible and an example of insider threats to privacy. It also underlines things we say all the time. For example, you need to have processes (not just policies) that prevent or catch these types of activities quickly. Also, just because someone has been there for years and is a good employee doesn’t exempt them from the potential of wrongdoing. I bet this guy made sure the cameras worked amazingly well.
But, what does this have to do with HIPAA? Having employees snooping through patient records is really no different than what this guy did. There is a legal expectation of privacy that your patients have regarding their health records. You should have things in place to prevent or catch this activity. Just because the person has been a valuable employee for years doesn’t exempt them from doing something stupid.
Phishing Test Report
[18:33] Let’s dig into this Phishing Tournament Report and see what they learned. It was interesting to see the breakdown in their findings.
Gone Phishing Tournament Report 2020 | Terranova Security
By far the most important finding was if a user clicks at all on the email, the likelihood they give up their credentials skyrockets. The data was very clear on that point. So, the battle is: don’t click in the first place, of course. We may be improving on that one. However, the ones that haven’t gotten that message are also the ones most likely to turn over the goods to the criminals.
[23:04] The phishing tournament was global. Terranova broke the results down by region: Africa, Asia & Pacific, Europe, North America, and South/Latin America. As the chart below showed, nobody did really well, and North America was the worst.

[24:43] The interesting thing was that Terranova Security broke the report down by region, by industry, and by size of company, and then broke each of those categories down further into three groups: who didn’t click, who clicked but didn’t submit any information, and who clicked and did submit information. Once someone clicks, you’re in trouble. And, as you can see below, the click rate got drastically worse from 2019 to 2020. The “Clicked Link” rate went up almost 9% from 2019 to 2020, and there was a jump of more than 11% in 2020 in users who submitted sensitive information in the web page form. But the most startling and concerning thing is that 67.5% of those who clicked submitted passwords or completed the web form. WOW! Not good! Not good at all!

Does Size Matter?
The 2020 Gone Phishing Tournament unearthed a similar truth in response to the age-old question of whether bigger is better. In other words, does the size of an organization (and possibly the resources at its disposal) impact the human aspect of its data protection infrastructure?
If this Tournament’s results are any indication, the short answer is not really (figure 13), as the phishing simulation used had a similarly significant impact across all organization size ranges.
[30:36] Small businesses fared best. But when you’re the best of the worst, is that really the best? The chart shows that smaller organizations (1-99 employees) are only a little better than the larger ones, and the 100-499 size organizations were the worst in all categories. Bottom line: if someone clicks, the vast majority of them are going to fall for it.

Security Awareness Training Programs
[33:51] So, if people are failing phishing tests, what are you doing to try to prevent it? A security awareness training program is a good start. Looking at which industries currently have security awareness and phishing training programs, the Transportation sector is doing the most at 80%. And then there’s Healthcare… coming in at the bottom, tied with Education at 14%. IT isn’t much better at 30%. Isn’t it ironic that Education is the worst in education?

[36:12] Let’s look at the breakdown of those who clicked by industry. Healthcare and Education come in better than average, but IT is just barely above the industry average of 19.8%. As David put it, IT is slightly better than average at failing. And then you have Transportation, which reports doing the most education, yet came in second highest in clicking. So the question is: what type of training are they doing? Are they just doing the same “required” annual security awareness training and not mixing it up or customizing the training in any way? Or maybe they are doing some security training but not any phishing tests. Who knows.

[38:46] Speaking of training, the Tournament results broke down the training programs by size of the organization. The following chart reflects that the larger the organization, the more likely its program featured both security awareness training and phishing simulations. Only 19% of SMB organizations incorporated both types of training, compared to 72% of the organizations with 3000+ employees.

[40:11] So, back to the clickers. Of the ones who clicked and submitted passwords or other sensitive information, Transportation was not only at the top of those who clicked, but also at the top of those who actually gave away their password. But they are doing the most training? Hmmm…
Service providers and IT are still above average, at 69.5% and 69.1% respectively, according to the results. IT providers in particular provide services to practices and other businesses. They have the keys to the kingdom; they can access everything. Yet they are falling for phishing scams and giving up passwords. What if they failed and gave out a password for your organization? Do you see why we continually say you need to vet your supply chain for how seriously they take privacy and security and how they train their staff? And IT folks, you’ve got to be super diligent about security and what you do. You should be better than everybody else with this stuff because of what you are entrusted with.

[46:00] So this is why we’ve jumped on the bandwagon of saying you’ve got to change how you think about security awareness training. Stop thinking about training as a once-a-year program. This is human risk management.
Make Phishing Simulation Training a Priority
Phishing simulations add an extra dimension to the average security awareness training program. Informative, interactive, real-world phishing simulations (as well as just-in-time training content) can educate users on the tactics employed by phishing attacks quickly and effectively.
By offering diverse, inclusive learning opportunities to its employee base, any organization can instantly strengthen its data protection processes in ways that purely technical cyber security tools, like antivirus software or other encryption apps, cannot match.

[53:59] While Terranova Security can’t speak to the unique realities of every participating organization, some logical inferences can be made:
- Smaller organizations may not have a dedicated IT department or the internal resources to dedicate the appropriate time and energy to planning and executing a full-fledged security awareness training program with phishing simulations.
- Larger organizations, while possibly better positioned when it comes to staff and other resources, may lack the communication needed across all business units to obtain universal training program buy-in.
- The rising popularity of remote workforces almost certainly means that employees will be interacting and sharing information with external contributors, vendors, and partners more frequently. This reality only makes effective phishing training more critical because of the increased variables that are not within its control.
Everything we’ve talked about today centers around human behavior. You not only have to have security awareness, but also privacy awareness and privilege awareness. You have the privilege of this level of access in order to do your job. You do not have this privilege to abuse it. In today’s world, when talking about privacy and security, it’s human risk management. That’s what we are dealing with now and we all need to start looking at it from that perspective.
Employees are your weakest cybersecurity link. Test whether your staff can identify phishing attacks and report them to IT. Include in your security awareness training how to spot phishing emails and the social engineering tactics hackers are using more and more these days. Like it or not, your staff is your last line of defense. So, the better educated they are, the better off your systems and networks will be.
Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word. As always, send in your questions and ideas!
HIPAA is not about compliance,
it’s about patient care.™
Special thanks to our sponsors Security First IT and Kardon.