eHealth Technologies Blog: Rob Toscano, CISSP, Sr. Director of IT & Security Officer, eHealth Technologies
Reducing Risk Through User Training and Testing
Cybersecurity is one of our top priorities at eHealth Technologies, and malware and ransomware are some of the biggest threats. Not only are we responsible for the security of our own corporate assets, but we are also responsible for protecting the patient data that is integral to our work in retrieving and organizing medical records and images.
Gone are the days of a firewall being a network’s sole protection from Internet hackers. Standing up redundant firewalls, intrusion detection/prevention systems and LAN configurations with segmented networks gave organizations false confidence that their networks were secure. While these are still fundamental components of preserving network security, they are now only part of the equation. Just a few years ago, nearly all cyberattacks originated from the Internet edge. Today, most hackers are looking for a way past edge defenses rather than through them, and their focus has shifted to the end user.
As many organizations have experienced, our eHealth Technologies team members are being targeted through phishing and spear-phishing campaigns. In 2018 alone, an estimated 92 percent of successful malware and ransomware infections were caused by email phishing scams. Social media and networking sites are often a source of spear-phishing, since details of employment and coworkers are easily identifiable. In these scenarios, a person is targeted by receiving an email that looks like it came from another employee. The content of the email may ask for credentials or ask the recipient to review an attached file. Ensuring employees are well trained and know how to identify the traits of phishing emails is invaluable.
Our Security team considers employee security training mission critical. This training can be accomplished in many inexpensive but invaluable ways.
- Online services are available that send customized test phishing emails, which can be designed to reflect holiday events or HR announcements and can even target specific groups of employees. If team members open the test email, they receive tips and tricks for identifying the clues that could be found in a real phishing email. Third-party companies also provide more elaborate testing services, such as registering domain names similar to the parent company’s and targeting employees through social engineering.
- Another inexpensive solution is an email security awareness training campaign. Our compliance team sends newsletters with examples of what to look for in phishing emails, supplemented by in-person sessions. Email can also be set up to give end users a button to click when a suspected phishing email is received. Doing so deletes the email and forwards it to a “catch all” mailbox, enabling internal security staff to review it without the end user replying to or forwarding it.
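Once reported emails land in the “catch all” mailbox, the security staff still has to decide which ones are real attacks. The following is an added example of a first-pass triage script for that review, not code from eHealth Technologies. It checks the traits the post describes: a display name that matches a coworker but an address that does not, a sender or link domain that is a look-alike of the corporate domain, a Reply-To that diverts replies elsewhere, and a macro-enabled or executable attachment. The corporate domain (`acmehealth.example`), the one-entry employee directory and the sample message are all constructed assumptions for the example.

```python
"""Triage a user-reported suspected phishing email.

Hypothetical helper for a security team reviewing mail forwarded to a
"catch all" reporting mailbox. The corporate domain, employee directory
and sample message below are constructed assumptions for this example.
"""
import re
from email import message_from_string
from email.utils import parseaddr

CORPORATE_DOMAIN = "acmehealth.example"                     # assumed corporate domain
EMPLOYEES = {"jane doe": "jane.doe@acmehealth.example"}     # assumed directory extract
RISKY_EXTENSIONS = {".exe", ".js", ".vbs", ".scr", ".hta", ".docm", ".xlsm"}

# Character substitutions commonly used to make a spoofed domain look genuine.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})


def edit_distance(a, b):
    """Levenshtein distance, used to catch typo-squatted domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike_domain(domain):
    """True if the domain resembles the corporate domain but is not it."""
    domain = domain.lower()
    if domain == CORPORATE_DOMAIN:
        return False
    normalized = domain.translate(HOMOGLYPHS)
    return (normalized == CORPORATE_DOMAIN
            or edit_distance(domain, CORPORATE_DOMAIN) <= 2
            or CORPORATE_DOMAIN.split(".")[0] in domain)


def triage(raw_message):
    """Return a list of findings for a reported email; an empty list means nothing was flagged."""
    msg = message_from_string(raw_message)
    findings = []
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rpartition("@")[2].lower()

    # 1. Display name matches a coworker, but the address is not that coworker's.
    known = EMPLOYEES.get(display_name.strip().lower())
    if known and address.lower() != known:
        findings.append(f"display-name impersonation: '{display_name}' <{address}>")

    # 2. Sender domain is a look-alike of the corporate domain.
    if is_lookalike_domain(sender_domain):
        findings.append(f"look-alike sender domain: {sender_domain}")

    # 3. Reply-To silently redirects the reply to a different mailbox.
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and reply_to.lower() != address.lower():
        findings.append(f"reply-to mismatch: {reply_to}")

    # 4. Risky attachments, and links whose host is a look-alike domain.
    for part in msg.walk():
        filename = part.get_filename()
        if filename:
            ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
            if ext in RISKY_EXTENSIONS:
                findings.append(f"risky attachment: {filename}")
            continue
        if part.get_content_type() == "text/plain":
            body = (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
            for host in re.findall(r"https?://([\w.-]+)", body):
                if is_lookalike_domain(host):
                    findings.append(f"look-alike link host: {host}")
    return findings


# Constructed sample of a reported spear-phishing message (not a real email).
SAMPLE = """\
From: Jane Doe <jane.doe@acmehea1th.example>
Reply-To: payroll-update@mailbox.example
To: bob@acmehealth.example
Subject: Updated direct deposit form
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: text/plain

Please confirm your login at https://acmehea1th.example/portal before Friday.
--XX
Content-Type: application/octet-stream; name="DirectDeposit.docm"
Content-Disposition: attachment; filename="DirectDeposit.docm"
Content-Transfer-Encoding: base64

AAAA
--XX--
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

The script deliberately stays heuristic: it does not fetch links or open attachments, so it is safe to run against anything users report, and its output is a list of reasons for a human to look closer rather than a verdict. Adding the real employee directory and the organization’s registered domains is the only customization needed to use it on a live reporting mailbox.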
While network security components for the Internet edge are an absolute must-have, end user security awareness training is equally important to mitigate the risk of malware infection. Giving employees the knowledge and tools to identify risky emails will help to protect corporate and personal assets—at work and at home.