We read with horror about healthcare organizations getting hacked, spilling personal health details that no one wants to find dumped out onto the public internet. The origins of these attacks are all-too-frequently healthcare phishing attacks, stemming from emails that a staff member has unwisely opened.
While in theory, the obvious advice to give is that one should not click on strange links in email, that directive may not be as easy to follow as one might hope.
Phishing emails are becoming increasingly convincing, in part by targeting specific individuals via “spear phishing.”
It can be easy for experts to forget that a healthy sense of paranoia is not something most of us bring to the internet. When that email comes in requesting that we take some simple action, like opening an attachment or clicking on a link, many people default to compliance. Or, at least they do until they’ve been burned once or twice.
According to Verizon’s breach report, 30 percent of people fall for phishing emails. Anecdotally, I have heard anywhere from one quarter to almost half of recipients fall for scammers’ tricks. I’ve seen quite a few slick phishing emails in my time, so I was very curious how I would fare with real world examples. When taking a quiz from Today Money, I did indeed miss one. Even experts can get caught out when scammers have enough information to appear credible.
Who’s being targeted?
Something I hear a lot from people who are incredulous about the need for caution online is that they have nothing of value to be stolen. It may not be that you or I have anything particularly spectacular on our own, but we exist online as part of a network.
It would be wonderful if everyone already got the Principle of Least Privilege, which says that users and systems should be limited to accessing only the information and resources that are necessary to complete their legitimate tasks. But we’re not quite at that point. Phishers don’t need to go “whaling” to get to machines that have the lucrative data. If they can get any employees in the organization to hand over their credentials, scammers are often able to use that to wriggle their way into other areas of the network.
It’s not the end of the world
All of this is not to say that we need to throw up our hands and just leave the gates open for the rampaging hordes. There are plenty of ways to minimize the damage of phishing – both in preparing users, and in protecting the data that scammers steal.
Remember when I said that users who have been burned by phishes are less apt to fall for them again? What if there was a way to do that without risking a breach? Phishing test kits exist, and you can use them to give your users a periodic “fire drill” so they know what to do in case of an actual incident. While it’s important for people to know what they should and shouldn’t do, they also need to feel free to tell someone if an accident occurs.
Two-Factor Authentication
Falling for phishing is less of a big deal if a username and password do not act as a master key to your network. Two-factor authentication gives you a separate way of verifying that employees are who they claim to be, aside from their password. More and more services are now offering two-factor authentication, so your users may even be familiar with it already.
If your data are effectively scrambled when not in use, such as with encryption, there’s a decreased likelihood that thieves can get what they’re after. All of the most popular operating systems already give you the ability to encrypt files and folders, so you just need to enable it. It’s also advisable to encrypt sensitive data as it’s sent over the network, such as via the web or email.
Principle of Least Privilege
As I mentioned earlier, one of the most effective ways of mitigating the effects of phishing is to implement the Principle of Least Privilege. For example, don’t give users admin rights to their machines if they don’t need them, and as a general rule you should allow users to access only machines within their own department.
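The two rules just stated (department-scoped access, no admin rights by default) can be expressed as a deny-by-default policy, and the same policy lets you measure how far one phished account would reach. The following is an added example, not code from the original article; the users, machines and departments are a constructed sample inventory, and the one-department-per-user model is a simplification (a real IT department would hold explicitly justified cross-department grants).

```python
from dataclasses import dataclass
from typing import FrozenSet, List


@dataclass(frozen=True)
class User:
    name: str
    department: str
    # Machines on which this user has an explicitly justified admin grant.
    admin_on: FrozenSet[str] = frozenset()


@dataclass(frozen=True)
class Machine:
    name: str
    department: str


# Constructed sample inventory for the demo.
USERS = {
    "alice": User("alice", "radiology"),
    "bob": User("bob", "billing", admin_on=frozenset({"billing-ws-02"})),
    "carol": User("carol", "it", admin_on=frozenset({"it-admin-01"})),
}
MACHINES = {
    "rad-ws-01": Machine("rad-ws-01", "radiology"),
    "rad-pacs": Machine("rad-pacs", "radiology"),
    "billing-ws-02": Machine("billing-ws-02", "billing"),
    "billing-db": Machine("billing-db", "billing"),
    "it-admin-01": Machine("it-admin-01", "it"),
}


def can_access(user_name: str, machine_name: str, action: str = "login") -> bool:
    """Deny by default: unknown principals, foreign departments and unknown actions all fail."""
    user = USERS.get(user_name)
    machine = MACHINES.get(machine_name)
    if user is None or machine is None:
        return False
    if user.department != machine.department:
        return False
    if action == "login":
        return True
    if action == "admin":
        # Admin is never implied by department membership; it needs a per-machine grant.
        return machine.name in user.admin_on
    return False


def blast_radius(user_name: str) -> List[str]:
    """Machines that credentials phished from this one account would reach."""
    return sorted(m for m in MACHINES if can_access(user_name, m))


def admin_footprint(user_name: str) -> List[str]:
    """Machines where the same stolen credentials would carry admin rights."""
    return sorted(m for m in MACHINES if can_access(user_name, m, "admin"))


if __name__ == "__main__":
    for name in USERS:
        print(f"{name}: reach={blast_radius(name)} admin={admin_footprint(name)}")
```

Running the script over your real inventory turns "least privilege" from a slogan into a number per account: any user whose reach spans more than one department, or whose admin footprint is larger than a documented justification, is a grant worth reviewing before a phisher reviews it for you.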
While phishing may be pervasive and increasingly hard to detect, this doesn’t mean it’s time to throw in the towel. With a little preparation and education, it’s possible to mitigate the risk.
Lysa Myers began her career in Information Security at a malware research lab in the weeks before the Melissa virus outbreak in 1999. Over the years, Myers has worked within anti-malware research labs and in testing organizations to help improve computer security products. As a Security Researcher for ESET, and a frequent contributor to security magazines, she continues to advocate improvements to the security industry.