Cybercrime on a global scale is spiralling out of control. This year alone, cybercrime costs will reach £1 trillion, and this is larger than many of the world’s largest economies. Despite every industry being impacted, one above all seems to be in the cross hairs often: healthcare.
The healthcare industry has always had a reliance on technology to help deliver the best possible treatments and services. However, the digital transformation journey is leaving this industry vulnerable to cyberattacks.
We only have to be reminded of the significant attacks that have plagued the NHS, from WannaCry in 2017 to the more recent attack that successfully took offline various health systems and badly affected ambulance dispatch, prescriptions and the 111 helplines. During the pandemic, the NCSC even issued warnings to the healthcare and pharmaceutical industry on staying vigilant due to the increased threats against the sector.
One of the most common threats posed to the healthcare industry is phishing and such a threat can result in data being stolen or deleted, systems crashing and even medical devices harming patients.
Phishing is effective because it plays on our curious and inquisitive nature. For instance, when we get a letter, we open it quickly, often not knowing what it contains or who it’s from. This exact behaviour is what hackers hope to trigger when sending phishing emails and is why it is such a successful attack – it has already reached an all-time high in 2022.
Healthcare vs Phishing: the stats
As we delve deeper into healthcare and how it is coping with the phishing pandemic, research shows those working within the sector are among the most susceptible to being deceived by phishing threats. This was calculated by testing an organisation’s employee susceptibility to simulated phishing attacks over 3 phases which then provided a Phish-prone™ Percentage (PPP).
The stats showed large healthcare organisations (1000+ employees) had a Phish-prone™ Percentage score of 45%, a significantly higher percentage than the baseline average score of 32.4% across all industries and all sizes. This highlights healthcare employees currently have a lower base of security awareness and are more likely to click a phishing email link or open an infected attachment.
With this information, we can act and begin the process to make effective changes both immediately and in the long run with the end goal to ensure everyone’s behaviours, attitudes, and culture – relating to security – is being improved.
Creating a healthy environment for secure behaviours to flourish
To build an effective security culture within the company, the first thing you want to do is avoid investing large amounts in the latest cybersecurity tools on the market. This is considered a superficial response to a psychological problem within the workforce. Technology certainly has a place and there will always be a need for it but in this instance, we need a different approach to rectify this deep-rooted issue in order to change these habits.
As such, it is up to the security leaders at healthcare organisations to implement dedicated security awareness programmes that:
- Provide clear processes and mandates
- Meet the organisation’s security policies
- Aim to synchronise with and improve the overall security culture
- Create an environment that enables the workforce into being security-ready
- Have the unwavering backing of the board level and senior management
The last point is critical because you need every member of staff to sing from the same hymn sheet and if the general worker doesn’t see the heads of the company following security procedures, they will begin to think why they should.
Communication is powerful in this instance and by educating the workforce as to why they should care about protecting the company, and themselves against cyber threats, will go a long way in getting them on side.
Champion those who take security seriously
Showing examples of what ‘good security practises’ looks like is another important element to emphasise. You need role models who will ‘lead by example’ and drive security awareness across the company. They will participate in the same training requirements as their colleagues no matter their level of seniority so having these individuals be the torch bearers will lead to others following their safer cyber habits.
You’ll quickly notice natural changes in awareness and culture.
Moreover, you can spot the staff members that are more security aware, and these can be ‘security champions’ who can help reinforce the messages around improving the security culture.
The success of the security awareness and culture programme is also linked to the content used. Having mundane, boring and stagnant training material will instantly turn people away. In order to create a positive learning experience, incorporate learning materials that are tailored to your organisation, industry and come in a variety of mediums and languages which can be viewed through interactive modules, presentations, videos, tv-shows, games, newsletters and assessments.
Content is king and there are several methods to suit different learning styles and they will help your staff absorb your security ethos.
You want to avoid vendors that apply a one-size-fits-all approach to security awareness training. Additionally, you can’t expect your internal security or IT department to create these learning materials. Doing either will only lead to failure, wasted resources, a workforce lacking in true security knowledge and a weak security culture.
Human layer of defence
Those within healthcare ultimately want to deliver the best care for their patients. What they must understand is that this care is not only physically or mentally, but also digitally. Collectively, they have a duty and responsibility to protect that patient’s data and privacy and to do this adequately, knowing the steps to prevent social engineering threats like phishing being successful is vital.
You want your staff to make the right security decisions at the right moment. Therefore, continuously test the workforce with phishing simulations and training while also utilising behavioural reinforcement to build a strong human defence layer that remains vigilant. This can then be measured to see where the company is in its phishing proneness and give you a better understanding of strengths and weakness in the security culture. By following these steps, you will see an improvement in the security awareness of each employee, the security culture of the entire organisation and a significant reduction risk to the company.
By Javvad Malik, lead security awareness advocate at KnowBe4